Azure AD Integration

Integrating Jamf Pro with Azure AD as a cloud identity provider allows for the following LDAP workflows without the need to configure Azure AD Domain Services:

  • Looking up all users and groups for inventory purposes

  • Performing user membership lookups and using them to map privileges to the relevant accounts in Jamf Pro

  • Configuring user authentication and scoping

Important: If Jamf Pro already integrates with an Azure Active Directory Domain Services or Microsoft’s Active Directory LDAP configuration that you plan to migrate to an Azure AD instance, do not add this Azure AD instance as a cloud identity provider in Jamf Pro. To ensure your existing LDAP workflows (e.g., scoping or user accounts and groups) continue to work correctly, you will need to migrate your configuration when the migration assistant is available in a future release of Jamf Pro. Adding the Azure AD integration prior to migration may break your environment.

When integrating Jamf Pro with Azure AD, consider the following:

  • Your Jamf Pro instance needs to be hosted in Jamf Cloud.

  • Your Azure AD privileges (e.g., Global Administrator) must allow you to grant the consent requested by the Jamf Pro Azure AD Connector app.

  • User groups added in Jamf Pro have the same name as groups configured in Azure. Accounts and groups added in Jamf Pro must be the standard type.

  • When working with LDAP-specific workflows (e.g., adding scope limitations and exclusions), Azure AD cloud identity items are listed under the LDAP headings.

  • Single sign-on (SSO) with Azure must be configured in Jamf Pro to use authentication workflows (e.g., user-initiated enrollment and logging in to Jamf Pro). For information on how to configure SSO in Jamf Pro, see Single Sign-On.

Note: When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.

Configuring an Azure AD Cloud Identity Provider Connection

When a server connection is added, it is enabled by default. You can configure multiple connections and choose which configuration to use. Disabling the connection prevents Jamf Pro from querying data from this server. This means you can add a different configuration without deleting the current connection. To disable the connection, use the switch.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click System Settings.

  4. Click Cloud Identity Providers.

  5. Click New.

  6. Choose Azure and click Next. You are redirected to the administrator consent page in Microsoft.

  7. Enter your Microsoft Azure credentials and follow the onscreen instructions to grant the permissions requested by the Jamf Pro Azure AD Connector application.

  8. After the request completes, in Jamf Pro configure the settings on the Server Configuration tab. Consider the following:

    • The display name for the configuration must be unique.

    • The Tenant ID value is pre-populated with information from Microsoft.

    • When single sign-on (SSO) with Azure is configured in Jamf Pro, select Transitive groups for SSO to enforce transitive membership lookups in the user and group directory. This ensures that every Azure group that a group is itself a member of is included in a directory lookup, so there is no need to run recursive queries to list the groups a user belongs to.

  9. Use the Mappings tab to specify user attribute mappings and group attribute mappings. See the "Default Attribute Mappings for Azure AD as a Cloud Identity Provider" section below for the default mappings, and refer to it when troubleshooting the connection.

    Important: To ensure the configuration works as expected, you must set “id” as the value for the Group Id mapping.

  10. Click Save.

Saving a server connection triggers an automatic verification process. After your configuration is saved, you can test the mappings. For more information, see Testing Attribute Mappings.

Default Attribute Mappings for Azure AD as a Cloud Identity Provider

The following table lists the default Jamf Pro mappings and the corresponding cloud identity provider attributes:

Jamf Pro Attribute Mapping Name    Cloud Identity Provider Attribute Mapping Value
userId                             id
userName                           userPrincipalName
realName                           displayName
email                              mail
department                         department
building                           (no default)
room                               (no default)
phone                              mobilePhone
position                           jobTitle
groupId                            id
groupName                          displayName
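The following script is an added example and is not Jamf's or Microsoft's code. It applies the default mappings from the table above to a directory record shaped like a Microsoft Graph user object, enforces the "Group Id must be id" rule from the configuration steps, and contrasts a direct membership lookup with the transitive lookup that the Transitive groups for SSO setting enforces (step 8). The user, group, and nesting data are constructed sample values; the only attribute names taken from the page are the ones in the table.

```python
# Added example (not Jamf's or Microsoft's code): apply the default Jamf Pro
# attribute mappings to a Graph-style user record, validate the group mapping
# constraint, and resolve direct vs. transitive group membership.
from typing import Dict, List, Optional, Set

# Default user mappings: Jamf Pro attribute -> Azure AD attribute (None = no default).
DEFAULT_USER_MAPPINGS: Dict[str, Optional[str]] = {
    "userId": "id",
    "userName": "userPrincipalName",
    "realName": "displayName",
    "email": "mail",
    "department": "department",
    "building": None,
    "room": None,
    "phone": "mobilePhone",
    "position": "jobTitle",
}
DEFAULT_GROUP_MAPPINGS: Dict[str, Optional[str]] = {"groupId": "id", "groupName": "displayName"}

# Constructed sample directory: record shapes follow Graph user/group objects, values are made up.
SAMPLE_USER: Dict[str, str] = {
    "id": "11111111-aaaa-4bbb-8ccc-000000000001",
    "userPrincipalName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "mail": "jdoe@example.com",
    "department": "IT",
    "mobilePhone": "+1 555 0100",
    "jobTitle": "Systems Engineer",
}
SAMPLE_GROUPS: Dict[str, Dict[str, str]] = {
    "g-it": {"id": "g-it", "displayName": "IT Staff"},
    "g-staff": {"id": "g-staff", "displayName": "All Staff"},
    "g-everyone": {"id": "g-everyone", "displayName": "Everyone"},
}
# Direct memberships: user id -> groups the user is directly a member of.
DIRECT_MEMBERSHIP: Dict[str, Set[str]] = {SAMPLE_USER["id"]: {"g-it"}}
# Group nesting: group id -> groups that this group is itself a member of.
GROUP_PARENTS: Dict[str, Set[str]] = {"g-it": {"g-staff"}, "g-staff": {"g-everyone"}}


def map_record(record: Dict[str, str], mappings: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Translate a directory record into Jamf Pro attribute names.

    Attributes with no mapping (building, room) or missing from the record
    come back as "" so inventory code never sees an absent key."""
    mapped: Dict[str, str] = {}
    for jamf_attr, azure_attr in mappings.items():
        mapped[jamf_attr] = "" if azure_attr is None else record.get(azure_attr, "")
    return mapped


def validate_group_mappings(mappings: Dict[str, Optional[str]]) -> List[str]:
    """Enforce the rule from the configuration steps: Group Id must map to "id"."""
    problems: List[str] = []
    if mappings.get("groupId") != "id":
        problems.append("groupId must be mapped to 'id'")
    if not mappings.get("groupName"):
        problems.append("groupName has no mapping")
    return problems


def resolve_groups(user_id: str, transitive: bool) -> Set[str]:
    """Return the group ids a user belongs to.

    A direct lookup returns only the groups the user is a member of. A transitive
    lookup also walks the nesting graph so every group that a group is a member of
    is included, which is what Transitive groups for SSO enforces. The visited set
    keeps the walk finite even if group nesting contains a cycle."""
    groups: Set[str] = set(DIRECT_MEMBERSHIP.get(user_id, set()))
    if not transitive:
        return groups
    pending = list(groups)
    while pending:
        for parent in GROUP_PARENTS.get(pending.pop(), set()):
            if parent not in groups:
                groups.add(parent)
                pending.append(parent)
    return groups


def group_names(group_ids: Set[str]) -> List[str]:
    """Map resolved group ids to Jamf Pro group names via the default group mappings."""
    names = [map_record(SAMPLE_GROUPS[g], DEFAULT_GROUP_MAPPINGS)["groupName"] for g in group_ids]
    return sorted(names)


if __name__ == "__main__":
    print(map_record(SAMPLE_USER, DEFAULT_USER_MAPPINGS))
    print("direct:    ", group_names(resolve_groups(SAMPLE_USER["id"], transitive=False)))
    print("transitive:", group_names(resolve_groups(SAMPLE_USER["id"], transitive=True)))
    print(validate_group_mappings({"groupId": "objectId", "groupName": "displayName"}))
```

The direct lookup returns only IT Staff, while the transitive lookup also returns All Staff and Everyone; any privilege or scope in Jamf Pro that is tied to one of those parent groups only applies to this user when transitive lookups are enabled, which is the practical reason the setting matters for SSO-based authorization.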

For more information on mapping sets, see the following documentation from Microsoft:

© copyright 2002-2021 Jamf. All rights reserved.