Microsoft Endpoint Manager Permissions Changes

Updated: 26 July 2022
Product: Jamf Pro
Microsoft has made security enhancements to their Azure permissions that requires action from customers using the macOS Conditional Access or iOS Device Compliance integrations. This article explains the steps you must take to grant consent to the new permissions requested by Microsoft, according to your integration type.
Note:

You must repeat these steps for each integration type you configured.

General Requirements

To update the permissions requested by Microsoft, you must have an Azure Active Directory account with global or domain administrator rights.

Updating a Cloud Connector Integration

If you connected your Jamf Pro instance to Microsoft Endpoint Manager using the Cloud Connector, do the following:

  1. Open Azure Active Directory and navigate to Enterprise applications.
  2. Click one of the following:

    • For macOS integrations, click Cloud Connector.

    • For iOS integrations, click Cloud Connector for Device Compliance.

  3. Click Permissions.
  4. Click Grant admin consent for your organization.
    Note:

    The name of your Azure AD organization displays on the button.

  5. Enter your Microsoft Azure administrator credentials, and follow the onscreen instructions to grant the permissions requested by Microsoft.
Your permissions are now up to date.

Updating a Manual Integration

If you manually connected your Jamf Pro instance to Microsoft Endpoint Manager, do the following:

  1. Open Manage Azure Active Directory and navigate to App registrations.
  2. Select the application registration you configured when you initially integrated with Microsoft Endpoint Manager.
    Note:

    If you do not know the name of the application registration, you can search for the value in the Application ID field in the Conditional Access settings in Jamf Pro. For more information, see Conditional Access in the Jamf Pro Documentation.

    Due to changes on the Microsoft API backend permissions, changes are needed for the Microsoft and Jamf integration. Refer to Support Tip: Intune service discovery API endpoint will require specific permissions for more information from the Intune team at Microsoft.

  3. Click API permissions.
  4. Remove all permissions from the application.
    Note:

    Integration will not succeed if there are any unexpected permissions in the application registration.

  5. Click Add a permission.
  6. On the Request API permissions page, select Intune > Application permissions.
  7. Select only the check box for update_device_attributes and save the new permission.
  8. Under Microsoft Graph, select Application permissions > Application.Read.All.
  9. Click Add permissions.
  10. Click Grant admin consent for your organization.
    Note:

    The name of your Azure AD organization displays on the button.

  11. Click Refresh and confirm that admin consent has been granted for the update_device_attributes permission.
Your permissions are now up to date.