Fix configuration missing error 401 in Endpoint Manager Admin Center

If you have set up Co-management in your MECM console, you can now manage devices from the Microsoft Endpoint Manager Admin Center. If you want to know what you can do with the Microsoft Endpoint Manager Admin Center, read this walkthrough from Microsoft.
In this post I will show you how to fix the Configuration missing error that appears when you use one of the following features on a Co-managed device: Resource explorer (preview), Client details (preview), Timeline (preview), Collections (preview), Applications (preview), CMPivot (preview) and Scripts (preview). In this post I will be using MECM version 2010.

First let's look at the error that is shown. Go to Microsoft Endpoint Manager Admin Center, Devices, All Devices and select a device. When you then select one of the features mentioned above, you get the Configuration Missing error with code 401.

The details below will show you that MEM is unable to get device info. You have to make sure Azure AD and AD user discovery are configured and the user is discovered by both. The user must also have read permissions or more in Configuration Manager.

I am logged on to the Admin Center with the account sysadmin@iamsysadmin.eu. This account must be synchronized with and match the cloud identity.

Check if the Azure AD and AD user discovery are active

Let's open the MECM console and go to: \Assets and Compliance\Overview\Users. I am seeing sysadmin present in the Users list, which means the AD user discovery is already set.

If you don’t see the user listed here, you must enable the MECM discovery method AD User Discovery:

Go to: \Administration\Overview\Hierarchy Configuration\Discovery Methods.

Right-click on Active Directory User Discovery and select Properties.

Check the checkbox: Enable Active Directory User Discovery and select the AD container you want to run the discovery on and click OK.

You can use the computer account of the site server or specify an account to run the discovery method. In this case I will use the computer account. Click OK.

If you want, you can adjust the polling schedules or change the AD attributes that the discovery has to discover. Click OK.

Click Yes.

Now let's check if the Azure AD user discovery is active. I will select the account sysadmin, right-click and select Properties.

Let's confirm the following discovery data:

  • Azure Active Directory Tenant ID: This value should be a GUID for the Azure AD tenant.
  • Azure Active Directory User ID: This value should be a GUID for this account in Azure AD.
  • User Principal Name: The format of this value is user@domain. For example, jqpublic@contoso.com.

Looking at the image above we can confirm that the Azure AD user discovery is NOT active. Let's enable it.
In the MECM console go to: \Administration\Overview\Cloud Services\Azure Services. Click on Configure Azure Services in the ribbon.

Select Cloud Management and specify the Name and Description. Click Next.

Click Browse to add a web app, click Create and on the Create Server Application dialog enter the following information:

  • Application Name: Provide a friendly name for the app (max 200 characters);
  • HomePage URL: Provide the homepage URL for the app (max 200 characters);
  • App ID URI: Provide the identifier URL for the app (max 200 characters);
  • Secret key validity period: Select 1 Year or 2 Years for the key validity period;
  • Azure AD Admin Account: Sign in with the tenant administrator account;
  • Azure AD Tenant Name: Automatically populated after signing in;

    Click OK.

We are now back on the Server App dialog box. Click OK.

Click Browse to add a Native Client app, click Create and on the Create Client Application dialog enter the following information:

  • Application Name: Provide a friendly name for the app (max 200 characters);
  • Azure AD Admin Account: Sign in with the tenant administrator account;
  • Azure AD Tenant Name: Automatically populated after signing in;

    Click OK.

We are now back on the Client App dialog box. Click OK.

Click Next in the Azure Services Wizard.

On the Configure Discovery Settings page, check Enable Azure Active Directory User Discovery.

You can change the full discovery polling schedule and the delta discovery interval by clicking Settings. The default schedule for the full discovery is once every 7 days and the default interval for the delta discovery is every 5 minutes.

Click Next.

On the Confirm the settings page, click Next. On the Completion page click Close.

Now let's run the Azure Active Directory User Discovery Full Discovery. Go to: \Administration\Overview\Cloud Services\Azure Services. Select the Azure Service you just added and right-click on the agent type you want to run the sync on (in this case Azure AD User Discovery). Select Run Full Discovery Now.

Click Yes.

Open the SMS_AZUREAD_DISCOVERY_AGENT.log. This log file provides information about the full and delta discoveries of the Azure Active Directory User Discovery.

Let's go back to: \Assets and Compliance\Overview\Users. You will now see that some additional users might have been added. Cloud-only users are now also added to the MECM console, as well as an On-premises Directory Service Account.

You can recognize cloud-only users by their having only the Agent Name SMS_AZUREAD_USER_DISCOVERY_AGENT.

Now let's check again if the Azure AD user discovery is active. I will select the account sysadmin, right-click and select Properties.

Let's confirm the following discovery data:

  • Azure Active Directory Tenant ID: This value should be a GUID for the Azure AD tenant.
  • Azure Active Directory User ID: This value should be a GUID for this account in Azure AD.

    We can now confirm Azure AD user discovery is working fine.
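
The discovery-data check above, as an added PowerShell example that is not part of the original post. The function name Test-TenantAttachUser and the input property names (TenantId, UserId, UserPrincipalName, AgentName) are hypothetical; you fill them in from the user's Properties dialog. The GUIDs are constructed sample values, and SMS_AD_USER_DISCOVERY_AGENT is assumed to be the agent name recorded by AD User Discovery.

```powershell
# Added example; Test-TenantAttachUser and the input property names are hypothetical.
function Test-TenantAttachUser {
    param(
        [Parameter(Mandatory)] [psobject] $User,        # values copied from the user's Properties dialog
        [Parameter(Mandatory)] [string]   $SignedInUpn  # account used to sign in to the Admin Center
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Tenant ID and User ID must both be real (non-empty) GUIDs.
    foreach ($name in 'TenantId', 'UserId') {
        $parsed = [guid]::Empty
        $ok = [guid]::TryParse([string]$User.$name, [ref]$parsed)
        if (-not $ok -or $parsed -eq [guid]::Empty) {
            $findings.Add("Azure AD $name is missing or not a GUID")
        }
    }

    # UPN must look like user@domain and match the signed-in cloud identity.
    $upn = [string]$User.UserPrincipalName
    if ($upn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $findings.Add('User Principal Name is missing or not in user@domain format')
    } elseif ($upn -ne $SignedInUpn) {       # -ne is case-insensitive for strings
        $findings.Add("UPN '$upn' does not match signed-in account '$SignedInUpn'")
    }

    # The user must be discovered by both AD and Azure AD user discovery.
    foreach ($agent in 'SMS_AD_USER_DISCOVERY_AGENT', 'SMS_AZUREAD_USER_DISCOVERY_AGENT') {
        if ($User.AgentName -notcontains $agent) {
            $findings.Add("Not discovered by $agent")
        }
    }

    [pscustomobject]@{
        User     = $upn
        Ready    = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

# Constructed sample records: the same account before and after Azure AD user discovery.
$before = [pscustomobject]@{
    TenantId = ''; UserId = ''; UserPrincipalName = 'sysadmin@iamsysadmin.eu'
    AgentName = @('SMS_AD_USER_DISCOVERY_AGENT')
}
$after = [pscustomobject]@{
    TenantId = '11111111-2222-3333-4444-555555555555'   # constructed GUID
    UserId   = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'   # constructed GUID
    UserPrincipalName = 'sysadmin@iamsysadmin.eu'
    AgentName = @('SMS_AD_USER_DISCOVERY_AGENT', 'SMS_AZUREAD_USER_DISCOVERY_AGENT')
}
$before, $after | ForEach-Object { Test-TenantAttachUser -User $_ -SignedInUpn 'sysadmin@iamsysadmin.eu' }
```

The first record reports three findings (both GUIDs missing and no Azure AD discovery agent); the second reports Ready = True.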

Check the MECM permissions (read only)

Now let's check if the user has the minimum required permissions in MECM to run the actions in the Admin Center.
Go to: \Administration\Overview\Security\Administrative Users.

The account has sufficient permissions.

If you want to know how to add an Administrative user, go to this Microsoft post.

Check the results

Log on to the Microsoft Endpoint Manager Admin Center with the account that has all the prerequisites mentioned in this post. Select Devices, All Devices and select a device.

Select one of the options to check. We now see that none of the *** (preview) options give the error anymore. You can now check Resource explorer (preview), Client details (preview), Timeline (preview), Collections (preview), Applications (preview), CMPivot (preview) and Scripts (preview) of the devices that are on-prem in Admin Center.













