Integrating with Microsoft Azure AD

Microsoft Azure AD Change Required

If Microsoft Azure AD is your IdP, upcoming changes to Microsoft Authentication Library (MSAL) require changes to your Jamf Connect configuration. Existing applications remain functional, but in December 2022 Microsoft will discontinue security updates for Azure Active Directory Authentication Library (ADAL), deprecating the use of common endpoints.

To align with these changes in Jamf Connect, you must include organization-specific tenant information for your registered authentication applications in your configuration using the OIDC Tenant login window preference or the Tenant menu bar app preference. The information entered applies to all Jamf Connect products and is required to run the ROPG test in Jamf Connect Configuration. If both of these fields are left blank, you will now receive an alert that a required field is missing. This helps you set up your configuration correctly.

For more information, see the OIDC Tenant preference in Login Window Preferences and the Tenant ID preference in Menu Bar App Preferences. Also see Migrate applications to the Microsoft Authentication Library (MSAL) in the Microsoft Azure Product Documentation.

To integrate with Azure AD, you must create an app registration for Jamf Connect.
  1. Log in to the Microsoft Azure Portal.
  2. Click Azure Active Directory in the left sidebar.
  3. Click App registrations, and then click New registration.
  4. Enter Jamf Connect or something similar in the Name field.
  5. Select Accounts in this organizational directory only in Supported account types.
  6. Choose Public client (mobile & desktop) from the Redirect URI pop-up menu, and then enter in the Redirect URI field.

    If you also plan to use the Jamf Unlock app in your organization, enter jamfunlock://callback/auth as an additional redirect URI to use for authentication.

  7. Click Register.
Your Jamf Connect app registration is added to Azure AD.

You can now edit the app registration to grant admin consent for API calls and modify authentication settings.


If you are using Jamf Connect with Automated Device Enrollment (formerly DEP), remove this application from any conditional access controls. The user will be signing in to the computer before conditional access can be instantiated.

Granting Admin Consent for API Calls in Azure AD

  1. Navigate to your app registration.
  2. From the Manage section in the sidebar, click API permissions.
  3. In Grant Consent settings, click Grant admin consent for your company and then click Yes when prompted.

Modifying App Authentication Settings in Azure AD

  1. Navigate to your app registration.
  2. From the Manage section in the sidebar, click Authentication.
  3. In Advanced settings, set the Allow public client flows setting to Yes.

    When this setting is set to Yes, the Users & groups tab is hidden when you navigate to Enterprise applications in Azure AD and select your app. If you need to assign specific users and groups to your Jamf Connect app, disable this setting, assign the users and groups, and then re-enable it.

Assigning Users

You can assign users to the application if you want to limit access. By default, any user in any domain can authenticate to the application. You can also do the following:

  • Hide Jamf Connect from users. This limits a user's interaction with the application to the login window of a computer.

  • Grant admin consent for your organization. This can be done in the "Permissions" section of the application settings.

Configuring App Roles in Azure AD

You can create users as local administrators on computers by using app roles defined in Azure AD.

  1. Click Azure Active Directory in the left sidebar.
  2. Click App registrations, and then select your Jamf Connect app registration.
  3. Click App roles in the sidebar.
  4. Click + Create app role.
  5. In the Create app role pane, do the following:
    1. Enter a role name, such as Administrator, in the Display Name field.

      This value is only used in the Azure AD UI.

    2. Select Users/Groups for Allowed member types.
    3. Enter a role value, such as Administrator, in the Value field.

      This value is included in the user's ID token during Jamf Connect authentication.

    4. Add an app role description.
    5. Make sure the Do you want to enable this app role? checkbox is selected.
    6. Click Apply.
  6. Repeat this process to create additional app roles.

Your Jamf Connect app registration now has two or more app roles for role-based local account creation.
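Once the registration is complete, it is worth verifying that the settings from the authentication and app role procedures above actually landed in the registration rather than trusting the portal clicks. The following audit is an added example, not Jamf's or Microsoft's code: it checks an exported app registration manifest (field names follow the Microsoft Graph application resource; the manifest itself is constructed sample data, and the Jamf Connect redirect URI is a placeholder because this page does not state it) for single-tenant audience, public client flows, the expected redirect URIs, and enabled app roles that allow Users/Groups.

```python
"""Audit an Azure AD app registration manifest against the Jamf Connect
settings documented above. Added example, not Jamf's or Microsoft's code.
Field names follow the Microsoft Graph 'application' resource; the
manifest below is constructed sample data."""
import json

# Constructed sample manifest (abbreviated). The Jamf Connect redirect URI
# is a placeholder because it is not given on this page.
SAMPLE_MANIFEST = json.dumps({
    "displayName": "Jamf Connect",
    "signInAudience": "AzureADMyOrg",        # "this organizational directory only"
    "isFallbackPublicClient": True,          # "Allow public client flows" = Yes
    "publicClient": {"redirectUris": ["<JAMF_CONNECT_REDIRECT_URI>",
                                      "jamfunlock://callback/auth"]},
    "appRoles": [
        {"displayName": "Administrator", "value": "Administrator",
         "allowedMemberTypes": ["User"], "isEnabled": True,
         "description": "Local administrator on Jamf Connect managed Macs"},
        {"displayName": "Standard", "value": "Standard",
         "allowedMemberTypes": ["User"], "isEnabled": False,  # deliberate defect
         "description": "Standard local user"},
    ],
})


def audit_manifest(manifest_json, required_redirects):
    """Return a list of findings; an empty list means the manifest matches
    the documented Jamf Connect settings."""
    app = json.loads(manifest_json)
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single-tenant (AzureADMyOrg)")
    if app.get("isFallbackPublicClient") is not True:
        findings.append("Allow public client flows is not enabled")
    uris = set(app.get("publicClient", {}).get("redirectUris", []))
    for uri in required_redirects:
        if uri not in uris:
            findings.append(f"missing public-client redirect URI: {uri}")
    for role in app.get("appRoles", []):
        name = role.get("value") or role.get("displayName") or "<unnamed>"
        if not role.get("isEnabled"):
            findings.append(f"app role {name!r} is disabled")
        if "User" not in role.get("allowedMemberTypes", []):
            findings.append(f"app role {name!r} does not allow Users/Groups")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST,
                                  ["<JAMF_CONNECT_REDIRECT_URI>",
                                   "jamfunlock://callback/auth"]):
        print("FINDING:", finding)
```

Run it against a manifest exported from the portal (or fetched via Microsoft Graph) whenever the registration is changed, so a silently disabled role or a dropped redirect URI is caught before users hit the login window.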