While configuring the Cloud Management Gateway (CMG) at different client sites, we ran into a ‘Failed to sign in to Azure’ error when creating the Azure web applications.
While we don’t know the official cause or how to prevent it, a workaround is possible.
If you are looking to configure the Cloud Management Gateway from A to Z, see our previous post.
SCCM CMG Failed to sign in to Azure – Symptoms
One of the first steps to configure the Cloud Management Gateway is to configure the Azure Services. This step consists of creating the connection to the Azure tenant and creating 2 web applications: the ConfigMgr Server Application and the ConfigMgr Client Application.
Once the details are provided to create the ConfigMgr Server Application, we received a ‘Failed to sign in to Azure’ error.
Assuming we had made a mistake entering the credentials, we retried the sign-in, but this time the error was different: ‘Another object with the same value for property identifierUris already exists’.
Looking into Azure, strangely enough, the application already exists! The ‘Failed to sign in to Azure’ error was not really a failure after all.
From that point, we can no longer proceed to the next step by following the regular steps to configure the Cloud Management Gateway.
Configure ConfigMgr Server Application
To be able to configure the ConfigMgr Server Application, select the Import option instead of New.
- Provide all the required information
- Click Verify; this doesn’t require authentication. The wizard can then be completed
Find information in Azure
To get all the required information:
- Go to Portal.Azure.com
- Browse to Azure Active Directory
- The Azure AD tenant name can be seen in the Overview; it should be xxxxxxxx.onmicrosoft.com
- Look for App Registration or App Registration (Preview)
- Search for ConfigMgr and you should find only the ConfigMgr Server Application, somehow created previously
- Double click on it to find the Application (client) ID and Directory (tenant) ID
- In order to get the Secret key, it must be recreated. Under Certificates & Secrets select New client secret
- Select In 2 years, add a description if wanted, and click Add.
- Take note of the key to add it to the wizard
- Previous Client secret can be deleted
Configure ConfigMgr Client application
The next step is to configure the ConfigMgr Client Application. Trying to create it with the wizard is likely to give the following error: ‘Failed to Create ClientApp. Server app might not be present in the tenant specified’
Similarly to the Server App, we’ll need to manually provision Azure with the app.
- Go to Portal.Azure.com
- Browse to Azure Active Directory
- Look for App Registration and select New Application registration
- Name: ConfigMgr Client Application
- Application type: Native
- Redirect URL: https://ConfigMgrClient
- Select Create at the bottom
- Go back to the Client app wizard in SCCM, provide the Application name and Client ID (ApplicationID)
Modify ConfigMgr Client Application
- Browse to the ConfigMgr Client Application to see the details
- Go to Authentication and remove the current Public Client (mobile & desktop) entry
- Select from the drop list, Public Client and add the following Redirect URI
- ms-appx-web://Microsoft.AAD.BrokerPlugin/<ConfigMgr Server Application ID>
- Don’t forget to hit Save
- Go to API Permissions and select Add a permission
- Under APIs my organization uses search for ConfigMgr Server application and select it
- Select User_Impersonation and click Add Permissions at the bottom
- Back to the API permissions, at the bottom click Grant admin consent for…
Modify ConfigMgr Server application
- Go to API Permissions of the ConfigMgr Server Application
- Select Add Permission and select Microsoft Graph
- Select Application permissions
- Expand Directory and select Directory.Read.All
- Back to the API Permissions, at the bottom click Grant admin consent for…
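The manual steps above can be checked against the resulting app registrations. The following is an added example, not part of the original post: it assumes each registration has been exported as JSON in the shape of the Microsoft Graph application resource. The sample objects and their GUIDs are constructed; the two constants are the well-known IDs of Microsoft Graph and its Directory.Read.All application permission.

```python
from datetime import datetime, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"        # Microsoft Graph
DIRECTORY_READ_ALL = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"  # app role on Graph

def _requests(app, resource_app_id, perm_id, perm_type):
    """True if app asks for perm_id ('Scope' or 'Role') on the given resource."""
    return any(
        rra.get("resourceAppId") == resource_app_id
        and any(a.get("id") == perm_id and a.get("type") == perm_type
                for a in rra.get("resourceAccess", []))
        for rra in app.get("requiredResourceAccess", []))

def check_cmg_apps(server, client, now):
    """Return findings; an empty list means both apps match the manual steps."""
    findings = []
    want = ("ms-appx-web://Microsoft.AAD.BrokerPlugin/" + server["appId"]).lower()
    uris = client.get("publicClient", {}).get("redirectUris", [])
    if want not in [u.lower() for u in uris]:
        findings.append("client: broker redirect URI for the server app ID missing")
    scopes = server.get("api", {}).get("oauth2PermissionScopes", [])
    scope_id = next((s["id"] for s in scopes
                     if s.get("value", "").lower() == "user_impersonation"), None)
    if scope_id is None or not _requests(client, server["appId"], scope_id, "Scope"):
        findings.append("client: user_impersonation on the server app not requested")
    if not _requests(server, GRAPH_APP_ID, DIRECTORY_READ_ALL, "Role"):
        findings.append("server: Directory.Read.All application permission missing")
    ends = [datetime.fromisoformat(p["endDateTime"].replace("Z", "+00:00"))
            for p in server.get("passwordCredentials", [])]
    if not any(e > now for e in ends):
        findings.append("server: no unexpired client secret")
    return findings

# Constructed sample objects; every GUID except the two constants is made up.
SERVER = {
    "appId": "11111111-1111-1111-1111-111111111111",
    "api": {"oauth2PermissionScopes": [
        {"id": "22222222-2222-2222-2222-222222222222", "value": "user_impersonation"}]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": DIRECTORY_READ_ALL, "type": "Role"}]}],
    "passwordCredentials": [{"endDateTime": "2021-03-01T00:00:00Z"}],
}
CLIENT = {  # redirect URI still at its creation value, broker URI not yet added
    "publicClient": {"redirectUris": ["https://ConfigMgrClient"]},
    "requiredResourceAccess": [{"resourceAppId": SERVER["appId"],
        "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"}]}],
}
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)  # constructed "today"
print(check_cmg_apps(SERVER, CLIENT, NOW))
```

requiredResourceAccess only records what each app requests; admin consent is stored separately, so this check does not confirm the Grant admin consent steps.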
That’s it! After that, completing the Cloud Management Gateway configuration shouldn’t be a problem.
“Should find only the ConfigMgr Server Application, somehow created previously”
What happens when this was deleted?
Similarly, after manually re-creating the “ConfigMgr Server Application”, it does not show up as an API to be given permissions over the Client Application Registration.
Can someone please post the full configuration for the ConfigMgr Server Application Registration.
I found this to occur when I performed this for a client, and they granted me Owner permissions on the subscription but not Global admin on the tenant. That's why it couldn't do it properly.
Saw the same thing, this hint solved it.
If a tenant showing these symptoms was created prior to Aug 2017 it is worth checking that modern authentication is enabled on your tenant. I suspect the cause is 2FA enabled but modern auth disabled. I had exact symptoms and used this guide to get things working on 1806 (thanks!!!). After enabling modern auth and upgrading to 1902 on the same weekend the Azure auth all ran OK from the console.
I suspect but can't now confirm that enabling modern auth was the fix rather than the upgrade.
Nadal connection logs on the clients are much cleaner now also.
1902 here not fixed
This is still the case with 1806 and your article was extremely helpful! Thank you! – Holly
Is this document still valid since it looks like the Azure screens have changed?
Hi Jonathan, Please can you provide the steps to manually create the web/api server app for CMG. In this blog you have mentioned manual creation of the client app but I am curious about web app creation. As client app creation includes a step like “Redirect URI
ms-appx-web://Microsoft.AAD.BrokerPlugin/”, in the same way is there any such step for web app creation too?? Please can you list the steps for web/api app manual creation for CMG.
Just wanted to give a huge Props to you on this as it worked for me this morning.
One note though is that the Preview version of the APP Registration page had an issue showing the API Permission page for the Server App. It worked fine in the regular version of the APP Registration page.
CMG IS UP BABY =)
Glad we helped 😀
This is happening to me as well. I am on 1806, does this happen in 1810?
I believe this is still the case in 1810.
There are rumors of a fix for 1902.