As Jason and Aaron have pointed out, the CMG service in Azure is not a domain joined machine.
The CMG is a proxy service that communicates via https to your on-prem MP and SUP server(s) on your internal network. The MP and SUP server(s) are the ones that initiate the contact to the CMG web service. Traffic is encrypted via certificate and only travels on the https protocol.

Hopefully that helps.

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM Admin
Sent: Wednesday, August 9, 2017 2:19 PM
To: firstname.lastname@example.org
Subject: Re: [mssms] Cloud Management Gateway

So what about the server that the MP and DP reside on? How will devices get applications and policies that are on the internet?

On Wed, Aug 9, 2017 at 3:50 PM Jason Sandys <ja...@sandys.us> wrote:

That documentation in no way says anything about your site server in Azure and in no way discusses the CMG as being domain joined either. Whoever is drawing this conclusion is incorrect and needs to read the documentation. In fact, the CMG is a service provided by Azure – you have no explicit control over it. There is also a CMG connector role that you load on a site system (or your site server) but this is an on-prem role and has nothing to do with Azure except that it communicates with the CMG that is in Azure. So, it’s time to either correct the security guys and/or give them the proper information.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM Admin
Sent: Wednesday, August 9, 2017 11:52 AM
To: email@example.com
Subject: Re: [mssms] Cloud Management Gateway

https://docs.microsoft.com/en-us/sccm/core/understand/configuration-manager-on-azure#networking

On Wed, Aug 9, 2017 at 11:43 AM, Nemec, Dale <dale.ne...@tektronix.com> wrote:

My CMGs are not domain joined and are working as expected. Do you have a link to the documentation that you are following/referencing?

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of SCCM Admin
Sent: Tuesday, August 8, 2017 4:24 PM
To: email@example.com
Subject: [mssms] Cloud Management Gateway

We submitted our plans to implement CMG and after speaking with security they had issues with securing our site server in Azure since it has to be domain joined. Could we put that server in another trusted domain and apply a trust between the two? Also is there that much of a security threat to having a server in Azure as opposed to on premises?