The error message “CMGConnector_Un-authorizedrequest” has been keeping me quite busy lately. To help others, and to remind myself, I am writing this short blog. A few weeks ago I configured a new SCCM server to test co-management. Everything was going smoothly, until I ran the Cloud Management Gateway Connection Analyzer to test the CMG. During testing, all steps went well except the last step: “Testing the CMG channel for management point: “xxxx””.
The message said that there was an unauthorized request on the management point and that I needed to verify that the Azure AD user used had been successfully discovered. This was where it all started. First, I went to see if the user was present in Configuration Manager. I looked in the users overview, and there was the user.
So this was not the problem. At this point I decided, like a real IT pro, to search the Internet to see if more people had had this problem. One of the first hits was this comprehensive blog by MVP Ronny de Jong. In it, several people had had the same problem and indicated that they had solved it by enabling Azure Active Directory User Discovery. So I went to check the setting and saw that it was already on.
At this point I decided to search further and came across this blog, which indicated that the error might be caused by MFA. So I decided to disable MFA for the user to see if that worked. Unfortunately this was not the cause either. I was still getting the same error message.
I came across several other blogs that all indicated it was caused by Azure AD User Discovery, by errors in the build, or by something else. So I decided to rebuild my test server. Maybe you guessed it already: this didn’t help either. I got the idea that there might be something wrong in the authorization flow. So I decided to create a cloud-only user in the Azure AD and test again. This test was successful; all steps, including the last one, now had a green check mark.
I had now discovered that a cloud-only user could authenticate without problems, but an AD-synced cloud user could not. I then discovered that I had not configured Active Directory User Discovery and decided to turn it on.
This turned out to be the solution. After I enabled Active Directory User Discovery it was possible to log in with an AD-synced Azure AD user. I may have overlooked it, but I did not see this requirement in the Microsoft documentation. Let me know in the comments if you know where this is.
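As an added example (mine, not the author's own script), here is how the two checks from this post can be done from the Configuration Manager PowerShell module on the site server instead of clicking through the console: is Active Directory User Discovery enabled, and which discovery methods actually found the test user. The site code, OU path and user name are placeholders you must replace; the script assumes it runs on the server that hosts the SMS Provider with the console installed.

```powershell
# Added example, not code from the original post. Placeholders below are assumptions.
$SiteCode = 'PS1'                                 # assumption: your primary site code
$UserName = 'CONTOSO\jdoe'                        # assumption: the AD-synced user you test with
$UserOU   = 'LDAP://OU=Users,DC=contoso,DC=com'   # assumption: the OU that user lives in

# Load the ConfigMgr module from the console install and switch to the site drive
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# 1. Is Active Directory User Discovery enabled? The discovery component keeps its
#    state in the embedded SETTINGS property; Value1 is 'ACTIVE' or 'INACTIVE'.
$adUserDisc = Get-CMDiscoveryMethod -Name ActiveDirectoryUserDiscovery -SiteCode $SiteCode
$state = ($adUserDisc.Props | Where-Object PropertyName -eq 'SETTINGS').Value1
Write-Host "AD User Discovery state: $state"

if ($state -ne 'ACTIVE') {
    # Enable it, scope it to the OU the test user is in, and poll weekly
    Set-CMDiscoveryMethod -ActiveDirectoryUserDiscovery -SiteCode $SiteCode -Enabled $true `
        -AddActiveDirectoryContainer $UserOU -Recursive `
        -PollingSchedule (New-CMSchedule -RecurInterval Days -RecurCount 7)
    Write-Host 'Enabled AD User Discovery. Let a discovery cycle run before re-running the CMG Connection Analyzer.'
}

# 2. Which discovery agents found the user? SMS_R_User.AgentName lists every
#    discovery method that contributed the record, so a user that only shows
#    SMS_AZUREAD_USER_DISCOVERY_AGENT was never found by AD User Discovery.
$wqlName = $UserName.Replace('\', '\\')   # backslash must be escaped in WQL
$cmUser  = Get-CimInstance -Namespace "root\SMS\site_$SiteCode" -ClassName SMS_R_User `
    -Filter "UniqueUserName='$wqlName'"

if ($cmUser) {
    $cmUser | Select-Object UniqueUserName, UserPrincipalName, @{n='DiscoveredBy'; e={ $_.AgentName -join ', ' }}
} else {
    Write-Warning "$UserName has not been discovered by any method yet"
}
```

Run the analyzer again only after the user record shows `SMS_AD_USER_DISCOVERY_AGENT` in the `DiscoveredBy` column; enabling the method alone is not enough until a discovery cycle has actually imported the user.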