The error message “CMGConnector_Un-authorizedrequest” has been keeping me quite busy lately. To help others to and to remind myself I am writing this short blog. A few weeks ago I configured a new sccm server to test with Co-management. Everything was going smoothly, until I ran cloud management gateway connection analyzer to test the CMG. During testing, all steps went well except the last step: “Testing the CMG channel for management point: “xxxx””.
The message said that there was an un-authorized request on the Management Point and that I needed to verify that the Azure AD user used had been successfully discovered. This was where it all started. First, I went to see if the user was present in configuration manager. I went to look in the users overview and there was the user.
So this was not the problem. At this point I decided, like a real IT pro, to search the Internet to see if more people have had this problem. One of the first hits was this comprehensive blog by MVP Ronny de Jong. In it, several people had and they indicated that they had solved it by enabling Azure Active Directory User Discovery. On that, I went to check the setting and saw that this setting was already on.
At this I decided to search further and came across this blog which indicated that the error might be caused by MFA. At that I decided to disable MFA for the user to see if it worked. Unfortunately this was not the cause either. I was still getting the same error message.
For example, I came across several blogs that all indicated it was caused by the Azure AD User Discovery or at errors in the build or different. So I decided to rebuild me test server. Maybe you guessed it, this didn’t help either. I got the idea that there might be something wrong in the authorization flow. At that I decided to create a cloud only user in the Azure AD and test again. This test was successful, all steps including the last one now had a green check mark.
I had now discovered that a cloud user could authenticate without problems, but an ad synced cloud user could not. I then discovered that I had not configured active directory user discovery and decided to turn it on.
This turned out to be the solution. After I enabled active directory user discovery it was possible to log in with an Azure AD synced AAD user. I may have read over it, but I did not see this requirement in the Microsoft documentation. Let me know in the comments if you know where this is.
You hero!
Thank you, I had the exact same issue and spent so long trying to solve this, as I too did not see any document saying you need user discovery turned on to make a CMG connection fully work! I done the same, enabled Azure Discovery but not Config Manager’s own AD user Discovery.
And then turning on AD User Discovery in Config Manager resolved this issue.
Thanks again!
Hi Aad,
Thank you for this blog post. I had created a new server for co-management as we are moving our workload to intune but don’t feel comfortable enough yet,
I had spent some time on this too, but enabling this fixed the connection analyzer, and also allowed me to deploy user apps (only machine were working prior)
Thanks again.
Bruh! You saved me on this. I went back and forth with Microsoft and was going down a rabbit hole about client certificates until I decided to research combing the internet and came upon your Post. Issue resolve. Thanks a million!
Good to hear, this is the reason I started this blog. Sharing information with others.
Regards, Aad
Thank you for this post – IT SAVED ME hours of searching. I had the exact same issue and Microsoft said that the problem I was having was due to MFA being setup incorrectly – I told them that MFA is working perfectly for dozens of applications.
Alot of back and forth – Finally I came across your post which pinpointed where my problem was.
Thanx for the assist,
Benji