Connect Configuration Manager to Azure Monitor

You can connect your Microsoft Endpoint Configuration Manager environment to Azure Monitor to sync device collection data and reference these collections in Azure Monitor and Azure Automation.

Prerequisites

Azure Monitor supports Configuration Manager current branch, version 1606 and higher.

Configuration overview

The following steps summarize how to configure Configuration Manager integration with Azure Monitor.

  1. In Azure Active Directory, register Configuration Manager as a Web Application and/or Web API app, and ensure that you have the client ID and client secret key from the registration. See "Use portal to create Active Directory application and service principal that can access resources" for detailed information about how to accomplish this step.

  2. In Azure Active Directory, grant Configuration Manager (the registered web app) permission to access Azure Monitor.

  3. In Configuration Manager, add a connection using the Azure Services wizard.

  4. Download and install the Log Analytics agent for Windows on the computer running the Configuration Manager service connection point site system role. The agent sends Configuration Manager data to the Log Analytics workspace in Azure Monitor.

  5. In Azure Monitor, import collections from Configuration Manager as computer groups.

  6. In Azure Monitor, view data from Configuration Manager as computer groups.

Grant Configuration Manager permissions to Log Analytics

In the following procedure, you grant the Contributor role in your Log Analytics workspace to the AD application and service principal you created earlier for Configuration Manager. If you do not already have a workspace, see "Create a workspace in Azure Monitor" before proceeding. This allows Configuration Manager to authenticate and connect to your Log Analytics workspace.

Note

You must specify permissions in the Log Analytics workspace for Configuration Manager. Otherwise, you receive an error message when you use the configuration wizard in Configuration Manager.

  1. In the Azure portal, click All services in the upper-left corner. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics.
  2. In your list of Log Analytics workspaces, select the workspace to modify.
  3. From the left pane, select Access control (IAM).
  4. On the Access control (IAM) page, click Add role assignment. The Add role assignment pane appears.
  5. In the Add role assignment pane, under the Role drop-down list, select the Contributor role.
  6. Under the Assign access to drop-down list, select the Configuration Manager application created in AD earlier, and then click OK.
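
The same role assignment can be scripted with the Az PowerShell module. This is an added example, not part of the original article: the resource group, workspace name and client ID are placeholders, and it assumes the Az.Resources and Az.OperationalInsights modules with a session already signed in through Connect-AzAccount. It assigns Contributor at the workspace scope only and lists any assignments the service principal inherits from broader scopes, so that excess privilege is visible.

```powershell
# Added example (not from the original article). Placeholder values: replace before use.
$ResourceGroup = '<resource-group-name>'
$WorkspaceName = '<log-analytics-workspace-name>'
$ClientId      = '<client-id-of-the-Configuration-Manager-app>'

$ErrorActionPreference = 'Stop'

# Resolve the workspace and the service principal behind the app registration.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$sp        = Get-AzADServicePrincipal -ApplicationId $ClientId
if (-not $sp) { throw "No service principal found for client ID $ClientId" }

# With -Scope, Get-AzRoleAssignment returns assignments made at that scope
# and those inherited from parent scopes (resource group, subscription).
$assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $workspace.ResourceId)

# Is Contributor already assigned directly on the workspace?
$atWorkspace = $assignments | Where-Object {
    $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $workspace.ResourceId
}

if (-not $atWorkspace) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' `
        -Scope $workspace.ResourceId | Out-Null
    Write-Output "Assigned Contributor on $($workspace.ResourceId)"
} else {
    Write-Output 'Contributor is already assigned at the workspace scope.'
}

# Report anything granted above the workspace so it can be reviewed.
$assignments |
    Where-Object { $_.Scope -ne $workspace.ResourceId } |
    Select-Object RoleDefinitionName, Scope
```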

Download and install the agent

Review the article "Connect Windows computers to Azure Monitor in Azure" to understand the methods available for installing the Log Analytics agent for Windows on the computer hosting the Configuration Manager service connection point site system role.

Connect Configuration Manager to Log Analytics workspace

Note

To add a Log Analytics connection, your Configuration Manager environment must have a service connection point configured for online mode.

Note

You must connect the top-tier site in your hierarchy to Azure Monitor. If you connect a standalone primary site to Azure Monitor and then add a central administration site to your environment, you have to delete and recreate the connection within the new hierarchy.

  1. In the Administration workspace of Configuration Manager, select Cloud Services and then select Azure Services.

  2. Right-click Azure Services and then select Configure Azure Services. The Configure Azure Services page appears.

  3. On the General screen, confirm that you have done the following actions and that you have details for each item, then select Next.

  4. On the Azure Services page of the Azure Services Wizard:

    1. Specify a Name for the object in Configuration Manager.
    2. Specify an optional Description to help you identify the service.
    3. Select the Azure service OMS Connector.

    Note

    OMS is now referred to as Log Analytics, which is a feature of Azure Monitor.

  5. Select Next to continue to the Azure app properties page of the Azure Services Wizard.

  6. On the App page of the Azure Services Wizard, first select the Azure environment from the list and then click Import.

  7. On the Import Apps page, specify the following information:

    1. For Azure AD Tenant Name, specify the tenant name for the app.

    2. For Azure AD Tenant ID, specify the Azure AD tenant. You can find this information on the Azure Active Directory Properties page.

    3. For Application Name, specify the application name.

    4. For Client ID, specify the Application ID of the Azure AD app created earlier.

    5. For Secret key, specify the client secret key of the created Azure AD app.

    6. For Secret Key Expiry, specify the expiration date of your key.

    7. For App ID URI, specify the App ID URI of the Azure AD app created earlier.

    8. Select Verify. The results to the right should show Successfully verified!

  8. On the Configuration page, review the information to verify that the Azure subscriptions, Azure resource group, and Operations Management Suite workspace fields are pre-populated, which indicates that the Azure AD application has sufficient permissions in the resource group. If the fields are empty, your application does not have the required rights. Select the device collections to collect and forward to the workspace, and then select Add.

  9. Review the options on the Confirm the settings page, and select Next to begin creating and configuring the connection.

  10. When configuration is finished, the Completion page appears. Select Close.

After you have linked Configuration Manager to Azure Monitor, you can add or remove collections, and view the properties of the connection.

Update Log Analytics workspace connection properties

If a password or client secret key expires or is lost, you'll need to manually update the Log Analytics connection properties.

  1. In the Administration workspace of Configuration Manager, select Cloud Services and then select OMS Connector to open the OMS Connection Properties page.
  2. On this page, click the Azure Active Directory tab to view your Tenant, Client ID, and Client secret key expiration. Verify your Client secret key if it has expired.
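
To catch an expiring client secret before the connection breaks, the credentials on the app registration can be checked from PowerShell. This is an added example, not part of the original article: the client ID is a placeholder, the 30-day warning window is a constructed value, and it assumes Az.Resources 5.x or later (where the expiry property is named EndDateTime) with a session signed in through Connect-AzAccount.

```powershell
# Added example (not from the original article). Placeholder value: replace before use.
$ClientId = '<client-id-of-the-Configuration-Manager-app>'
$WarnDays = 30   # constructed threshold; adjust to your rotation policy

$now = (Get-Date).ToUniversalTime()

# Lists the credentials registered on the app; secret values are not returned.
Get-AzADAppCredential -ApplicationId $ClientId | ForEach-Object {
    if ($null -eq $_.EndDateTime) {
        # No expiry recorded: flag for manual review instead of guessing.
        $daysLeft = $null
        $status   = 'NoExpirySet'
    } else {
        $daysLeft = [math]::Floor(($_.EndDateTime.ToUniversalTime() - $now).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'Expired' }
                    elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                    else { 'OK' }
    }
    [pscustomobject]@{
        KeyId       = $_.KeyId
        DisplayName = $_.DisplayName
        Expires     = $_.EndDateTime
        DaysLeft    = $daysLeft
        Status      = $status
    }
} | Sort-Object DaysLeft
```

After rotating the secret in Azure AD, update the value and expiry date on the OMS Connection Properties page as described above.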

Import collections

After you've added a Log Analytics connection to Configuration Manager and installed the agent on the computer running the Configuration Manager service connection point site system role, the next step is to import collections from Configuration Manager into Azure Monitor as computer groups.

After you have completed initial configuration to import device collections from your hierarchy, the collection information is retrieved every 3 hours to keep the membership current. You can choose to disable this at any time.

  1. In the Azure portal, click All services in the upper-left corner. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces.

  2. In your list of Log Analytics workspaces, select the workspace Configuration Manager is registered with.

  3. Select Advanced settings.

  4. Select Computer Groups and then select SCCM.

  5. Select Import Configuration Manager collection memberships and then click Save.

View data from Configuration Manager

After you've added a Log Analytics connection to Configuration Manager and installed the agent on the computer running the Configuration Manager service connection point site system role, data from the agent is sent to the Log Analytics workspace in Azure Monitor. In Azure Monitor, your Configuration Manager collections appear as computer groups. You can view the groups from the Configuration Manager page under Settings\Computer Groups.

After the collections are imported, you can see how many computers with collection memberships have been detected. You can also see the number of collections that have been imported.

When you click either one, the log query editor opens, displaying either all of the imported groups or all computers that belong to each group. Using Log Search, you can perform further in-depth analysis of the collection membership data.

Next steps

Use Log Search to view detailed information about your Configuration Manager data.