Password hash synchronization and pass-through authentication are authentications method that can be implemented in an Azure AD hybrid identity environment. They establish trust between Azure AD and Active Directory and can sync passwords between them in the following ways:
Password hash synchronization—Synchronizes the hash of a user's Azure AD and on-premise Active Directory passwords.
Pass-through authentication—Allows users to authenticate with the same password on both Azure AD and on-premise Active Directory.
If you are using one of these authentication methods, you can configure Jamf Connect to work alongside either method by configuring Jamf Connect to use the Microsoft identity platform (v2.0) endpoints for authentication. This allows Jamf Connect to use Azure AD to authenticate users at the login window and indirectly sync a user's local password with their Active Directory password.
For more information about the Microsoft identity platform (v2.0), see the following documentation from Microsoft: https://docs.microsoft.com/azure/active-directory/develop/azure-ad-endpoint-comparison
Configuring Jamf Connect with Password Hash Synchronization or Pass-through Authentication Environments
A Jamf Connect registered app in Azure AD
For instructions, see Identity Provider Integrations.
Azure AD Connect
User credentials that are stored in Active Directory
Confirm that your Azure AD environment is using password hash synchronization or pass-through authentication and that Azure AD Connect set up correctly.
Add the following preference keys to your /Library/Preferences/com.jamf.connect.login configuration profile to configure authentication at the login window:
Specifies Azure AD as your cloud IdP to use for authentication
The client ID of the Jamf Connect registered app
Create a Separate Local Password
Prompts users to re-enter their network password, which also becomes the local account password. This ensures a user's network and local password are synced during user creation.
Identity Provider (Password Verification)
Specifies where Jamf Connect should attempt to sync passwords. Set this value to "Azure_v2", which allows Jamf Connect to use the Microsoft identity platform (v2.0) endpoints for password verification.
Client ID (Password Verification)
The client ID of the Jamf Connect registered app. This should be the same value as the OIDCClientID preference key.
Tenant ID (Password Verification)
The tenant ID in your organization to use for password verification.
Add the following IdPSettings dictionary keys to your com.jamf.connect configuration profile to configure password syncing with the menu bar app:
Specifies where Jamf Connect should attempt to sync passwords. Set this value to "Custom".
The client ID of your Jamf Connect app in your IdP. This value allows Jamf Connect to complete a resource owner password grant (ROPG), which is the process that performs password verification.
Specifies your OpenID Connect discovery endpoint.
Test your configuration profiles with Jamf Connect Configuration or a test computer to confirm authentication is correctly configured.
Save your configuration profiles.
You can now deploy your configuration profiles with an MDM solution. For more information, see Deployment.