Azure AD authentication workflow

This article is a technical reference for the Configuration Manager client installation and registration process on a Windows 10 device that is joined to Azure Active Directory (Azure AD). It details the workflow process for the device authentication.

Note: Windows 10 clients get a workplace join (WPJ) certificate when they join an Azure AD tenant. If the certificate isn't found, the Configuration Manager client can't request Azure AD tokens. Without a token, the client can't use the Configuration Manager security token service (CCM_STS) communication channel for Azure AD authentication with Configuration Manager site systems.

Client installation

In this workflow sample, you installed the Configuration Manager client on a Windows 10 device over the internet with the following ccmsetup command-line properties:


1. Azure AD info request from ccmsetup

Clients installed from the internet need specific command-line properties to use Azure AD authentication. You can include these properties in the command line for internet ccmsetup, but they aren't required. When you don't use the Azure AD properties, ccmsetup requests the AADCLIENTAPPID and AADRESOURCEURI properties from the cloud management gateway (CMG), using the device's Azure AD TenantID as the reference. If you haven't onboarded the client's TenantID in Configuration Manager, the CMG doesn't return the required properties to ccmsetup, and client installation can't continue.

The following entries are logged in ccmsetup.log of the client:

Getting AAD info from CMG 'CMG.CLOUDAPP.NET'
SMS CCM 5.0: Host=CMG.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/AADAuthInfo?TenantID=9aaf466a-3f40-4468-b3cd-f0010f21f05a, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x1304, Options=0xe0
Created connection on port 443
Enabled SSL revocation check.

Important: During ccmsetup, the device has to validate the CMG server authentication certificate. The root certificate authority (CA) certificate for the CMG server authentication certificate needs to be available on the client for chain validation. If you use PKI and the root CA isn't published on the internet, add the root CA certificate to the device's Trusted Root Certification Authorities store. If the root CA's certificate revocation list (CRL) isn't published on the internet, add the /nocrlcheck parameter to the ccmsetup command line.
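The following PowerShell script is an added diagnostic, not part of the article or of ccmsetup itself. It checks the two client-side preconditions described above: that the device holds a WPJ certificate (so it can request Azure AD tokens), and that the CMG server authentication certificate chains to a trusted root with revocation checking enabled, which is what ccmsetup does by default. The CMG host name is a placeholder taken from the log sample; the WPJ certificate is located by its issuer (MS-Organization-Access), which is an assumption about how Azure AD device registration issues it.

```powershell
# Added diagnostic script (not from the article): verifies the two client-side preconditions
# described above. $CmgHost is a placeholder from the log sample; replace it with your CMG FQDN.
param([string]$CmgHost = 'CMG.CLOUDAPP.NET')

# --- Check 1: device is Azure AD joined and holds a workplace join (WPJ) certificate ---
$dsreg  = dsregcmd /status
$joined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
# Assumption: the WPJ certificate sits in the machine personal store, issued by MS-Organization-Access.
$wpj = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.Issuer -like '*MS-Organization-Access*' }
if ($joined -and $wpj) {
    Write-Host "OK: WPJ certificate present (expires $($wpj[0].NotAfter)); Azure AD token requests can proceed"
} else {
    Write-Warning "Azure AD joined: $joined; WPJ certificate found: $([bool]$wpj). Without the WPJ certificate the client cannot request Azure AD tokens."
}

# --- Check 2: CMG server authentication certificate chain, with the revocation check ccmsetup enables ---
$tcp = New-Object System.Net.Sockets.TcpClient($CmgHost, 443)
# Accept the certificate during the handshake; the chain is inspected explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($CmgHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'       # mirrors "Enabled SSL revocation check." in ccmsetup.log
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk = $chain.Build($cert)
$flags   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

if ($chainOk) {
    Write-Host "OK: CMG certificate for $CmgHost chains to a trusted root and passed revocation checking"
} elseif ($flags -match 'UntrustedRoot|PartialChain') {
    # Root CA not available on the device: import it into the Trusted Root store.
    Write-Warning "Root CA is not trusted on this device ($flags). Import the root CA certificate into Cert:\LocalMachine\Root."
} elseif ($flags -match 'RevocationStatusUnknown|OfflineRevocation') {
    # CRL unreachable from the internet: the article's /nocrlcheck case.
    Write-Warning "CRL could not be retrieved ($flags). If the CRL is not published on the internet, add /nocrlcheck to the ccmsetup command line."
} else {
    Write-Warning "Chain validation failed: $flags"
}
```

Run it in an elevated PowerShell session on the client before ccmsetup; the warnings map directly to the root CA and CRL remediations in the note above.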

2. Azure AD token request

On a Windows 10 Azure AD domain-joined device, ccmsetup uses the Az