Failed to sign in to Azure error when configuring SCCM Cloud Management Gateway

Jonathan Lefebvre | SCCM | 7 Comments

While configuring the Cloud Management Gateway (CMG) at different client sites, we stumbled on a ‘Failed to sign in to Azure’ error when creating the Azure web applications.

While we don’t know the official cause or how to prevent it, a workaround is possible.

If you are looking to configure the Cloud Management Gateway from A to Z, see our previous post.


SCCM CMG Failed to sign in to Azure – Symptoms

One of the first steps to configure the Cloud Management Gateway is to configure the Azure Services. This step consists of creating the connection to the Azure Tenant and creating 2 Web Applications: the ConfigMgr Server Application and the ConfigMgr Client Application.

Once the details are provided to create the ConfigMgr Server Application, we received a ‘Failed to sign in to Azure’ error.


Thinking we might have made an error providing the credentials, we retried the sign-in, but this time the error was not the same: ‘Another object with the same value for property identifierUris already exists’.


Looking into Azure, strangely enough, the application already exists! The ‘Failed to sign in to Azure’ error was not much of a failure in the end.


From that point, we can no longer proceed to the next step by following the regular steps to configure the Cloud Management Gateway.

Configure ConfigMgr Server Application

To be able to configure the ConfigMgr Server Application, select the Import option instead of New.

Provide all the required information.

  • Click Verify; this doesn’t require authentication. The wizard can then be completed.

Find information in Azure

To get all the required information:

  • Go to Portal.Azure.com
  • Browse to Azure Active Directory
  • The Azure AD tenant name can be seen in the Overview; it should be xxxxxxxx.onmicrosoft.com
  • Look for App Registration or App Registration (Preview)
  • Search for ConfigMgr; you should find only the ConfigMgr Server Application, somehow created previously
  • Double-click it to find the Application (client) ID and Directory (tenant) ID
  • To get the Secret key, it must be recreated. Under Certificates & Secrets, select New client secret
  • Select In 2 years, add a description if wanted, and click Add
  • Take note of the key to add it to the wizard
  • The previous Client secret can be deleted

Configure ConfigMgr Client application

The next step is to configure the ConfigMgr Client Application. Creating it with the wizard is likely to give the following error: ‘Failed to Create ClientApp. Server app might not be present in the tenant specified’.

Similarly to the Server App, we’ll need to manually provision Azure with the app:

  • Go to Portal.Azure.com
  • Browse to Azure Active Directory
  • Look for App Registration and select New Application registration
  • Provide:
    • Name: ConfigMgr Client Application
    • Application type: Native
    • Redirect URL: https://ConfigMgrClient
  • Select Create at the bottom
  • Go back to the Client app wizard in SCCM and provide the Application name and Client ID (Application ID)

Modify ConfigMgr Client Application

  • Browse to the ConfigMgr Client Application to see the details
  • Go to Authentication and remove the current Public Client (mobile & desktop) entry
  • From the drop-down list, select Public Client and add the following Redirect URI:
    • ms-appx-web://Microsoft.AAD.BrokerPlugin/<ConfigMgr Server Application ID>
    • Don’t forget to hit Save
  • Go to API Permissions and select Add a permission
  • Under APIs my organization uses, search for ConfigMgr Server Application and select it
  • Select User_Impersonation and click Add Permissions at the bottom
  • Back in API Permissions, click Grant admin consent for… at the bottom

Modify ConfigMgr Server application

  • Go to API Permissions of the ConfigMgr Server Application
  • Select Add Permission and select Microsoft Graph
  • Select Application permissions
  • Expand Directory and select Directory.Read.All
  • Back in API Permissions, click Grant admin consent for… at the bottom

That’s it! After that, completing the Cloud Management Gateway configuration shouldn’t be a problem.
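A check of the end state these steps should produce, as an added example that is not part of the original post: it takes the two app registrations as JSON objects (for instance the output of `az ad app show --id <appId>`) and reports anything that deviates from the steps above. The field names are Microsoft Graph application properties and the two Graph GUIDs are Microsoft's published IDs; every other ID and date is a constructed sample value, and `check_cmg_apps` is a hypothetical helper name.

```python
from datetime import datetime, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000046"        # Microsoft Graph
DIRECTORY_READ_ALL = "7ab1d382-f21e-4acd-a863-ba3e13f7da61"  # Directory.Read.All, application

def _access(app, resource_app_id):
    """(id, type) pairs the app requests on one resource API."""
    return {(a["id"], a["type"])
            for r in app.get("requiredResourceAccess", [])
            if r["resourceAppId"] == resource_app_id
            for a in r["resourceAccess"]}

def check_cmg_apps(server, client, now):
    """Return findings; an empty list means both apps match the steps above."""
    findings, sid = [], server["appId"]
    # Client app: the only public-client redirect URI is the broker URI for the server app.
    want = f"ms-appx-web://Microsoft.AAD.BrokerPlugin/{sid}"
    uris = client.get("publicClient", {}).get("redirectUris", [])
    if uris != [want]:
        findings.append(f"client redirect URIs are {uris}, expected only {want}")
    # Client app: delegated (Scope) user_impersonation on the server app.
    scopes = {s["id"] for s in server.get("api", {}).get("oauth2PermissionScopes", [])
              if s["value"].lower() == "user_impersonation"}
    if not any(t == "Scope" and i in scopes for i, t in _access(client, sid)):
        findings.append("client lacks delegated user_impersonation on the server app")
    # Server app: application (Role) permission Directory.Read.All on Microsoft Graph.
    if (DIRECTORY_READ_ALL, "Role") not in _access(server, GRAPH_APP_ID):
        findings.append("server lacks application permission Directory.Read.All")
    # Server app: at least one client secret that has not expired.
    ends = [datetime.strptime(c["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
            .replace(tzinfo=timezone.utc) for c in server.get("passwordCredentials", [])]
    if not any(e > now for e in ends):
        findings.append("server has no unexpired client secret")
    return findings

SERVER = {  # constructed sample; IDs and dates are made up
    "appId": "11111111-1111-1111-1111-111111111111",
    "api": {"oauth2PermissionScopes": [
        {"id": "22222222-2222-2222-2222-222222222222", "value": "user_impersonation"}]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": DIRECTORY_READ_ALL, "type": "Role"}]}],
    "passwordCredentials": [{"endDateTime": "2027-01-01T00:00:00Z"}],
}
CLIENT = {  # constructed sample
    "publicClient": {"redirectUris": ["ms-appx-web://Microsoft.AAD.BrokerPlugin/" + SERVER["appId"]]},
    "requiredResourceAccess": [{"resourceAppId": SERVER["appId"], "resourceAccess": [
        {"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"}]}],
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "current" time
print(check_cmg_apps(SERVER, CLIENT, NOW))
```

A client app still carrying the https://ConfigMgrClient redirect from creation, or a server app whose only secret has expired, shows up as a finding.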


7 Comments on “Failed to sign in to Azure error when configuring SCCM Cloud Management Gateway”

  1. Hi Jonathan,

    This is still the case with 1806 and your article was extremely helpful! Thank you! – Holly

  2. Hi Jonathan, Please can you provide the steps to manually create the web/API server app for CMG? In this blog you have mentioned manual creation of the client app, but I am curious about web app creation, as client app creation includes a step like “Redirect URI ms-appx-web://Microsoft.AAD.BrokerPlugin/”. In the same way, is there any such step for web app creation too? Please can you list the steps for web/API app manual creation for CMG?

  3. Just wanted to give a huge Props to you on this as it worked for me this morning.

    One note though is that the Preview version of the APP Registration page had an issue showing the API Permission page for the Server App. It worked fine in the regular version of the APP Registration page.

    CMG IS UP BABY =)

    1. Hi Rody,
      I believe this is still the case in 1810.

      There are rumors of a fix for 1902.

      Jonathan
