Contact Us Get Free Products
Search icon Contact Us Get Free Products
SCCM/MECM

Failed to sign in to Azure error when configuring SCCM Cloud Management Gateway

Jonathan LefebvreJanuary 16 20194 Min Read

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

Jonathan Lefebvre

Table of Content

While configuring the Cloud Management Gateway (CMG) at different client sites, we stumbled on an issue ‘Failed to sign in to Azure‘ to create the Azure web applications.

While we don’t know the official cause or how to prevent it, a workaround is possible.

If you are looking to configure the Cloud Management Gateway from A to Z, see ourprevious post.


SCCM CMG Failed to sign in to Azure – Symptoms

One of the first step to configure the Cloud Management Gateway is to configure the Azure Services. This step consists of creating the connection to the Azure Tenant and create 2 Web Applications, the ConfigMgr Server Application, and ConfigMgr Client Application.

Once the details are provided to create the ConfigMgr Server Application, we received a ‘Failed to sign in to Azure’ error.

sccm cmg failed login azure

Surely enough, we may have done an error providing the credential, so we did retry to sign in, but this time, the error was not the same. ‘Another object with the same value for property identifierUris already exists

sccm cmg failed login azure

Looking into Azure, strangely enough the application already exists! The ‘Failed to sign in to Azure‘ error was not that much a failure in the end.

sccm cmg failed login azure

From that point, we can no longer proceed to next step following the regular steps to configure the Cloud Management Gateway

Configure ConfigMgr Server Application

To be able to configure the ConfigMgr Server Application, select the Import option instead of New.

sccm cmg failed login azure

Provide all the required information

sccm cmg failed login azure
  • Click Verify, this doesn’t require authentication. Wizard can than be completed
Find information in Azure

To get all the required information :

  • Go to Portal.Azure.com
  • Browse to Azure Active Directory
  • The Azure AD tenant name can be seen in the Overview it should be xxxxxxxx.onmicrosoft.com
sccm cmg failed login azure
  • Look for App Registration or  App Registration (Preview)
sccm cmg failed login azure
  • Search for ConfigMgr and you should find only the ConfigMgr Server Application, somehow created previously
sccm cmg failed login azure
  • Double click on it to find the Application(client) ID and Directory (tenant) ID
sccm cmg failed login azure
  • In order to get the Secret key, it must be recreated. Under Certificates & Secrets select New client secret
sccm cmg failed login azure
  • Select In 2 years, add a description if wanted, and click Add.
  • Take note of the key to add it to the wizard
  • Previous Client secret can be deleted
sccm cmg failed login azure

Configure ConfigMgr Client application

Next step is to configure the ConfigMgr client application. Trying it with the wizard to create it is likely to give the following error:’ Failed to Create ClientApp. Server app might not be present in the tenant specified’

sccm cmg failed login azure

Similarly to the Server App, we’ll need to manually provision Azure with the app

  • Go to Portal.Azure.com
  • Browse to Azure Active Directory
  • Look for App Registration and select New Application registration
sccm cmg failed login azure
  • Provide
    • Name : ConfigMgr Client Application
    • Application type : Native
    • Redirect URL : https://ConfigMgrClient
sccm cmg failed login azure
  • Select Create at the bottom
  • Go back to the Client app wizard in SCCM, provide the Application name and Client ID (ApplicationID)
sccm cmg failed login azure

Modify ConfigMgr Client Application

  • Browse to the ConfigMgr Client Application to see the details
sccm cmg failed login azure
  • Go to Authentication and remove the current Public Client(mobile &desktop) entr
sccm cmg failed login azure
  • Select from the drop list, Public Client and add the following Redirect URI
    • ms-appx-web://Microsoft.AAD.BrokerPlugin/<ConfigMgr Server Application ID>
    • Don’t forget to hit Save
sccm cmg failed login azure
  • Go to API Permissions and select Add a permission
sccm cmg failed login azure
  • Under APIs my organization uses search for ConfigMgr Server application and select it
sccm cmg failed login azure
  • Select User_Impersonation and click  Add Permissions at the bottom
sccm cmg failed login azure
  • Back to the API permissions, at the bottom click Grand admin consent for…
sccm cmg failed login azure

Modify ConfigMgr Server application

  • Go to API Permissions of the ConfigMgr Server Application
  • Select Add Permission and select Microsoft Graph
sccm cmg failed login azure
  • Select Application permissions
sccm cmg failed login azure
  • Expand Directory and select Directory.Read.All
  • Back to the API Permissions, at the bottom click Grand admin consent for…
sccm cmg failed login azure

That’s it! After that, completing the Cloud Management Gateway configuration shouldn’t be a problem

[ratings]

Comments (15)
Pingback: https://jobsmalaysia.co/azure-portal-sign-in-failed/
Pingback: https://howinfo.org/cloud-gateway-sign-in/

Dylan

01.23.2020 AT 08:38 PM
"Should find only the ConfigMgr Server Application, somehow created previously" What happens when this was deleted?
Hide replies 1

Dylan

01.23.2020 AT 09:36 PM
Similarly, after manually re-creating the "ConfigMgr Server Application", it does not show up as an API to be given permissions over the Client Application Registration. Can someone please post the full configuration for the ConfigMgr Server Application Registration.
Hide replies 0

TP

10.15.2019 AT 12:41 PM
I found this to occur when i performed this for a client, and they granted me Owner permissions on the subscription but not Global admin on the tenant. Thats why it couldnt do it properly.
Hide replies 1

Morten

12.06.2019 AT 02:36 AM
Saw the same thing, this hint solved it.
Hide replies 0

Stewart

06.13.2019 AT 04:27 PM
If a tenant showing these symptoms was created prior to Aug 2017 it is worth checking that modern authentication is enabled on your tenant. I suspect the cause is 2FA enabled but modern auth disabled. I had exact symptoms and used this guide to get things working on 1806 (thanks!!!). After enabling modern auth and upgrading to 1902 on the same weekend the Azure auth all ran OK from the console. I suspect but cant now confirm that enabling modern auth was the fix rather than the upgrade. Nadal connection logs on the clients are much cleaner now also. https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview
Hide replies 0

paul

05.04.2019 AT 10:06 AM
1902 here not fixed
Hide replies 0

Holly

04.12.2019 AT 01:00 AM
Hi Jonathan, This is still the case with 1806 and your article was extremely helpful! Thank you! - Holly
Hide replies 0

Tim

02.20.2019 AT 11:05 AM
Is this document still valid since it looks like the Azure screens have changed?
Hide replies 0

Vikram

02.14.2019 AT 11:49 PM
Hi Jonathan, Please can you provide the steps to manually create the web/api server app for CMG. In this blog you have mentioned manually creation of client app but i am curious about web app creation. AS client app creation includes step like "Redirect URI ms-appx-web://Microsoft.AAD.BrokerPlugin/" . sameway is there any such step for web app creation too?? PLease can you list the steps for web/api app manual creation for CMG.
Hide replies 0

Rody

01.30.2019 AT 12:08 PM
Just wanted to give a huge Props to you on this as it worked for me this morning. One note though is that the Preview version of the APP Registration page had an issue showing the API Permission page for the Server App. It worked fine in the regular version of the APP Registration page. CMG IS UP BABY =)
Hide replies 1

Jonathan Lefebvre

01.30.2019 AT 01:43 PM
Glad we helped 😀 Jonathan
Hide replies 0

Rody

01.29.2019 AT 02:22 PM
This is happening to me as well. I am on 1806, does this happen in 1810?
Hide replies 1

Jonathan Lefebvre

01.29.2019 AT 03:23 PM
Hi Rody, I believe this is still the case in 1810. There are rumors of a fix for 1902. Jonathan
Hide replies 0
Related posts
Benoit LecoursNovember 21 20233 Min Read
Enable SCCM Cloud Attach

SCCM Cloud Attach is a concept introduced in SCCM 2002 but has since evolved a lot. You can...

Intune SCCM/MECM
Benoit LecoursOctober 25 20235 Min Read
Our list of Intune Community Tools – 2023 Edition

Based on the popularity of my Best SCCM Community Tools post published in 2018, 2019 and 2020, and...

Intune SCCM/MECM
Benoit LecoursOctober 17 20232 Min Read
SCCM Distribution Point Network bandwidth limitation

SCCM is a powerful tool for managing and deploying software and updates across an...

SCCM/MECM
Request a Quote

Please fill out the form, and one of our representatives will contact you in Less Than 24 Hours. We are open from Monday to Friday.

Reports Guides Support

Consulting Services

Information

I'm interested in working with you

Consulting services and time banks are used for generic requests. All others are fixed-price plans.

Never share sensitive information (credit card numbers, social security numbers, passwords) through this form.
Request Sent

Thank you for your request. You will receive an email with more details. Take note that we normally work from Monday to Friday. We will get in touch with you as soon as possible.

Comment Sent

Thank for your reply!

Error

Something went wrong!