Microsoft Endpoint Manager Permissions Changes

Microsoft has made security enhancements to their Azure permissions that require action from customers using the macOS Conditional Access or iOS Device Compliance integrations. This article explains the steps you must take to grant consent to the new permissions requested by Microsoft, according to your integration type.
Note: You must repeat these steps for each integration type you configured.

General Requirements

To update the permissions requested by Microsoft, you must have an Azure Active Directory account with global or domain administrator rights.

Updating a Cloud Connector Integration

If you connected your Jamf Pro instance to Microsoft Endpoint Manager using the Cloud Connector, do the following:

  1. Open Azure Active Directory and navigate to Enterprise applications.
  2. Click one of the following:
    • For macOS integrations, click Cloud Connector.
    • For iOS integrations, click Cloud Connector for Device Compliance.

  3. Click Permissions.
  4. Click Grant admin consent for your organization.
    Note: The name of your Azure AD organization displays on the button.

  5. Enter your Microsoft Azure administrator credentials, and follow the onscreen instructions to grant the permissions requested by Microsoft.
Your permissions are now up to date.

Updating a Manual Integration

If you manually connected your Jamf Pro instance to Microsoft Endpoint Manager, do the following:

  1. Open Azure Active Directory and navigate to App registrations.
  2. Select the application registration you configured when you initially integrated with Microsoft Endpoint Manager.
    Note: If you do not know the name of the application registration, you can search for the value in the Application ID field in the Conditional Access settings in Jamf Pro. For more information, see Conditional Access in the Jamf Pro Administrator's Guide.

    Due to changes to Microsoft's API backend permissions, the Microsoft and Jamf integration requires updated permissions. For more information from the Intune team at Microsoft, refer to Support Tip: Intune service discovery API endpoint will require specific permissions.

  3. Click API permissions.
  4. Click Add a permission.
  5. Under Microsoft Graph, click Application permissions, and then select Application.Read.All.
  6. Click Add permissions.
  7. Click API permissions.
  8. Click Add a permission.
  9. Scroll down to Azure AD Graph, click Application permissions, and then select Applications.Read.All.
  10. Click Add permissions.
  11. Click Grant admin consent for your organization.
    Note: The name of your Azure AD organization displays on the button.

  12. Click Yes.
Your permissions are now up to date.
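As an added verification step (example code, not part of this article and not Jamf's or Microsoft's own), the following Microsoft Graph PowerShell script reports, for the app registration of a manual integration, whether each permission named above is requested as an application permission and whether tenant-wide admin consent has been recorded for it. It assumes the Microsoft.Graph PowerShell module is installed and uses a placeholder for your Application ID.

```powershell
# Added verification script; not Jamf's or Microsoft's own code.
# Assumes the Microsoft.Graph PowerShell module is installed and that the
# signed-in administrator is allowed to read applications and service principals.
Connect-MgGraph -Scopes "Application.Read.All"

# Placeholder: the Application ID shown in Jamf Pro > Conditional Access settings.
$jamfAppId = "<APPLICATION-ID-FROM-JAMF-PRO>"

# The two resource APIs and the application permission this page asks you to add
# on each. The appIds are the well-known identifiers of the Microsoft APIs; the
# Azure AD Graph permission name is used exactly as this page gives it.
$required = @(
    @{ Api = "Microsoft Graph"; AppId = "00000003-0000-0000-c000-000000000000"; Role = "Application.Read.All" },
    @{ Api = "Azure AD Graph";  AppId = "00000002-0000-0000-c000-000000000000"; Role = "Applications.Read.All" }
)

$app = Get-MgApplication -Filter "appId eq '$jamfAppId'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$jamfAppId'"
if (-not $app -or -not $sp) { throw "App registration $jamfAppId not found in this tenant." }

# Tenant-wide admin consent for an application permission is recorded as an
# appRoleAssignment on the app's own service principal, one per granted role.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

foreach ($req in $required) {
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($req.AppId)'"
    if (-not $resourceSp) {
        Write-Warning "$($req.Api): service principal not present in this tenant; cannot verify."
        continue
    }
    # Resolve the permission name to the role GUID published by the resource API.
    $role = $resourceSp.AppRoles | Where-Object { $_.Value -eq $req.Role }
    if (-not $role) {
        Write-Warning "$($req.Api): does not publish an app role named $($req.Role)."
        continue
    }
    # Check 1: the manifest requests the permission as type Role (an application
    # permission), not Scope (a delegated permission that needs a signed-in user).
    $requested = $app.RequiredResourceAccess |
        Where-Object { $_.ResourceAppId -eq $req.AppId } |
        ForEach-Object { $_.ResourceAccess } |
        Where-Object { $_.Id -eq $role.Id -and $_.Type -eq "Role" }
    # Check 2: an administrator has consented, i.e. the role is assigned.
    $consented = $granted | Where-Object {
        $_.ResourceId -eq $resourceSp.Id -and $_.AppRoleId -eq $role.Id
    }
    "{0,-16} {1,-22} requested={2,-5} admin consent={3}" -f $req.Api, $req.Role, [bool]$requested, [bool]$consented
}
```

A row showing requested=True but admin consent=False means step 11 (Grant admin consent) has not completed for that permission, so the integration still cannot use it.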