Azure AD Integration

Integrating Jamf Pro with Azure AD as a cloud identity provider allows for the following LDAP workflows without the need to configure Azure AD Domain Services:

  • Look up all users and groups for inventory purposes

  • Perform user membership lookups and use them to map privileges to the relevant accounts in Jamf Pro

  • Configure user authentication and scoping

When integrating Jamf Pro with Azure AD, consider the following:

  • Your Jamf Pro instance needs to be hosted in Jamf Cloud.

  • Your Azure AD privileges (e.g., Global Administrator) must allow you to manage the consent requested by the Jamf Pro Azure AD Connector app.

  • User groups added in Jamf Pro have the same name as groups configured in Azure. Accounts and groups added in Jamf Pro must be the standard type.

  • When working with directory-related workflows (e.g., adding scope limitations and exclusions), Azure AD cloud identity items are listed under the LDAP headings.

The Azure AD cloud IdP integration uses the Microsoft Graph API and connects to the https://graph.microsoft.com domain. Together with the consent granted by the administrator via the Cloud Connector, this ensures that directory data is automatically passed to and used in the directory workflows in Jamf Pro. No actions other than reading data are performed in Azure.

When setting up the Graph API connection between Jamf Pro and Azure AD, a Global Administrator user is required to authenticate. After successful authentication, an application for Jamf Pro is automatically added in Azure AD to use the Graph API, so the application does not need to be created manually in Azure AD. After the application is added, the session is terminated. When Jamf Pro performs lookups in Azure AD, it operates in a read-only state; Jamf Pro cannot write data back to Azure AD.

The following diagram shows the typical Jamf Pro and Azure AD IdP integration:

[Diagram: Azure AD Cloud IdP Integration]

After receiving the consent, the Cloud Connector Web application performs authorization of a given client identifier and the received tenant identifier against Azure's authorization endpoint. As a result, Azure responds with an authorization code. This code is passed with the tenant identifier back to Jamf Pro. After Jamf Pro receives the set of data from the Cloud Connector Web application, it verifies the received authorization code. If there are no issues in the data set, the configuration is saved. This approach ensures Jamf Pro limits the usage of Azure's tenant data only to the allowed client/application.

The TLS version used to secure data in transit is 1.2 or higher with Perfect Forward Secrecy (PFS). Jamf Pro always attempts to negotiate the highest protocol version first.

To create the connection, the following set of permissions is required for the Jamf Pro application:

  • Access directory as the signed in user

  • Sign in and read user profile

  • Read directory data

When the connection to Azure is enabled, Jamf Pro can query the directory information from Azure. The following diagram shows the typical flow for directory data lookups:

[Diagram: Azure AD Cloud IdP Lookups]

When the administrator initializes the directory lookup, Jamf Pro requests an access token from Azure using the Client Credentials Flow. After the token is granted, Jamf Pro queries the directory data via the Microsoft Graph API. After successful client verification, a data set is returned. Jamf Pro maps this data to an object that can then be used in directory workflows in Jamf Pro. For information about Microsoft Graph REST API, see Microsoft Graph REST API v1.0 reference.

Multi-factor Authentication

When Azure AD with multi-factor authentication (MFA) enabled is added as the cloud identity provider, some authentication workflows in Jamf Pro (e.g., Self Service login and enrollment login) do not work for Azure AD user groups and accounts. To allow users to use the workflows, you must configure single sign-on (SSO) with Azure. For information on how to configure SSO in Jamf Pro, see Single Sign-On.

Important: Self-Service for Mobile Devices does not support single sign-on workflows.

The following summarizes how multi-factor authentication (MFA) status in Azure affects each Jamf Pro authentication workflow for the Azure AD cloud IdP:

Jamf Pro login
  • MFA disabled in Azure: Supported (standard login page)
  • MFA enabled in Azure: Not supported
  • MFA enabled in Azure and SSO with Azure configured in Jamf Pro: Supported (Microsoft login screen)

Enrollment login (User-initiated enrollment and Enrollment Customization)
  • MFA disabled in Azure: Supported (enrollment login page and the LDAP Authentication pane in Enrollment Customization)
  • MFA enabled in Azure: Not supported
  • MFA enabled in Azure and SSO with Azure configured in Jamf Pro: Supported (Microsoft login page/the SSO Authentication pane in Enrollment Customization)

Jamf Pro Applications (e.g., Jamf Admin)
  • MFA disabled in Azure: Supported (standard login window)
  • MFA enabled in Azure: Not supported
  • MFA enabled in Azure and SSO with Azure configured in Jamf Pro: Not supported

Self-Service for macOS login
  • MFA disabled in Azure: Supported (standard login window)
  • MFA enabled in Azure: Not supported
  • MFA enabled in Azure and SSO with Azure configured in Jamf Pro: Supported (Microsoft login screen)

Self-Service for Mobile Devices login
  • MFA disabled in Azure: Supported (standard login window)
  • MFA enabled in Azure: Not supported
  • MFA enabled in Azure and SSO with Azure configured in Jamf Pro: Not supported

Configuring an Azure AD Cloud Identity Provider Connection

Important: If Jamf Pro already integrates with an Azure Active Directory Domain Services or Microsoft’s Active Directory LDAP configuration that you plan to migrate to an Azure AD instance, do not add this Azure AD instance as a cloud identity provider in Jamf Pro. To ensure your existing LDAP workflows (e.g., scoping or user accounts and groups) continue to work correctly, you will need to migrate your configuration when the migration assistant is available in a future release of Jamf Pro. Adding the Azure AD integration prior to migration may break your environment.

When a server connection is added, it is enabled by default. You can configure multiple connections and choose which configuration to use. Disabling the connection prevents Jamf Pro from querying data from this server. This means you can add a different configuration without deleting the current connection. To disable the connection, use the switch.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click System Settings.

  4. Click Cloud Identity Providers.

  5. Click New.

  6. Choose Azure and click Next. You are redirected to the administrator consent page in Microsoft.

  7. Enter your Microsoft Azure credentials and follow the onscreen instructions to grant the permissions requested by the Jamf Pro Azure AD Connector application.

  8. After the request completes, in Jamf Pro configure the settings on the Server Configuration tab. Consider the following:

    • The display name for the configuration must be unique.

    • The Tenant ID value is pre-populated with information from Microsoft.

    • When single sign-on (SSO) with Azure is configured in Jamf Pro, select Transitive groups for SSO to enforce transitive membership lookups in the user and group directory. This ensures that all Azure groups that a group is a member of are included in a directory lookup, so there is no need to run recursive queries to list the groups a user belongs to. You can configure a specific user mapping in the User Mapping from the SAML Assertion field, which lets you adjust username mapping during transitive membership requests and match the user identifier from the SAML single sign-on settings in the Azure configuration.

  9. Use the Mappings tab to specify user attribute mappings and group attribute mappings. See the "Default Attribute Mappings for Azure AD as a Cloud Identity Provider" section below for a reference of the default mappings, which is also useful when troubleshooting the connection.

    Important: To ensure the configuration works as expected, consider the following:

    • The values for the User Id mapping must support the $filter parameter in Azure AD.

    • The value for the Group Id mapping defaults to "id" and cannot be changed.

  10. Click Save.

Saving a server connection triggers an automatic verification process. After your configuration is saved, you can test the mappings. For more information, see Testing Attribute Mappings.

Default Attribute Mappings for Azure AD as a Cloud Identity Provider

The following table lists the default Jamf Pro mappings and the corresponding cloud identity provider attributes:

Jamf Pro Attribute Mapping Name    Cloud Identity Provider Attribute Mapping Value
userId                             id
userName                           userPrincipalName
realName                           displayName
email                              mail
department                         department
building                           (no default)
room                               (no default)
phone                              mobilePhone
position                           jobTitle
groupId                            id
groupName                          displayName
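The lookup flow described earlier (Client Credentials token request, a $filter-constrained Graph user query, a transitive group lookup) and the default mappings in the table above, worked through as an added example; this is not Jamf's code. The v2.0 token endpoint, the .default scope, the use of transitiveMemberOf, and the set of filterable attributes are assumptions, and the sample user object is constructed.

```python
"""Added example, not Jamf's code: the Client Credentials token request, a Graph
user lookup constrained by $filter, and the default Jamf Pro attribute mappings
from this page applied to a constructed Graph user object (runs offline)."""
from urllib.parse import quote, urlencode

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"

# Default Jamf Pro -> Graph mappings from the table on this page (None = no default).
DEFAULT_USER_MAPPINGS = {
    "userId": "id", "userName": "userPrincipalName", "realName": "displayName",
    "email": "mail", "department": "department", "building": None, "room": None,
    "phone": "mobilePhone", "position": "jobTitle",
}
# Subset of user properties known to support "$filter <attr> eq" (assumption:
# extend from the Graph docs if a different User Id mapping is configured).
FILTERABLE = {"id", "userPrincipalName", "mail", "displayName"}

def token_request(tenant_id, client_id, client_secret):
    """Client Credentials Flow: v2.0 token endpoint plus the form-encoded body (assumed)."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret,
                      "scope": "https://graph.microsoft.com/.default"})
    return url, body

def user_lookup_url(user_id_attr, value):
    """GET /users?$filter=<attr> eq '<value>'; refuses attributes outside FILTERABLE."""
    if user_id_attr not in FILTERABLE:
        raise ValueError(f"User Id mapping {user_id_attr!r} is not in the filterable set")
    literal = value.replace("'", "''")  # OData escapes a quote by doubling it
    expr = f"{user_id_attr} eq '{literal}'"
    return f"{GRAPH}/users?$filter={quote(expr)}"

def transitive_groups_url(user_object_id):
    """One call for transitive membership (assumed to back 'Transitive groups for SSO')."""
    return f"{GRAPH}/users/{user_object_id}/transitiveMemberOf/microsoft.graph.group"

def map_user(graph_user, mappings=DEFAULT_USER_MAPPINGS):
    """Apply the attribute mappings; unmapped or null Graph values become ''."""
    return {jamf: (graph_user.get(attr) or "") if attr else "" for jamf, attr in mappings.items()}

# Constructed Graph user object, as returned inside "value" of a filtered /users query.
SAMPLE_GRAPH_USER = {
    "id": "11111111-2222-3333-4444-555555555555", "userPrincipalName": "jdoe@example.com",
    "displayName": "Jane Doe", "mail": "jdoe@example.com", "department": "IT",
    "mobilePhone": None, "jobTitle": "Mac Admin"}
```

Doubling single quotes before interpolating the lookup value keeps a user-supplied identifier from altering the $filter expression.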

For more information on mapping sets, see the following documentation from Microsoft:

© copyright 2002-2021 Jamf. All rights reserved.