Cloud Password Validation in Azure AD for Jamf Connect

To avoid setting up Active Directory Federation Services (AD FS) for password validation, or if multiple on-premises Active Directory domains are federated to one Azure AD domain, enable Password Hash Sync in your Azure AD tenant.

Determining if Password Hash Sync is Enabled

  1. Log in to the Microsoft Azure Portal.
  2. Click Azure Active Directory in the left sidebar.
  3. From the Manage section in the sidebar, click Azure AD Connect.
  4. In the Provision from Active Directory section, under "Azure AD Connect sync", check the status of Password Hash Sync.

If Password Hash Sync displays as disabled, see the Implement password hash synchronization with Azure AD Connect sync documentation from Microsoft.

Testing Password Hash Sync with Jamf Connect Configuration

  1. Create an app registration in Microsoft Azure AD. For more information, see Integrating with Microsoft Azure AD in the Jamf Connect Documentation.
  2. Copy the Application ID found in the overview of the app registration, and then create a new configuration in Jamf Connect Configuration.
  3. In the new configuration, under the Identity provider tab, paste the Application ID into both the OIDC client ID and the ROPG client ID fields.
  4. Click Test in the upper right corner and select OIDC from the pop-up menu.
  5. Sign in on the new window with credentials of a user who exists in a federated domain and who is assigned to the application.
    • If a positive test result appears with a message confirming you have successfully authenticated to your OpenID Connect provider, move on to the next step.

    • If a negative test result appears, check your App registration, and follow the instructions in Integrating with Microsoft Azure AD in the Jamf Connect Documentation.

  6. Click Test in the upper right corner and select ROPG from the pop-up menu.
  7. Sign in on the new window with the same credentials used for the previous test. Do not use an on-premises Active Directory short name for the username; Microsoft Azure AD user names are in UPN format (e.g., edith.mackenzie@example.com).
If a negative test result appears, ensure:
  • The username and password are correct.

  • The user is assigned to the application.

  • Allow public client flows is set to Yes in the app registration in Microsoft Azure AD.

If the negative test result was not caused by one of the above errors, see Creating a Home Realm Discovery (HRD) Policy.

Creating a Home Realm Discovery (HRD) Policy

A Home Realm Discovery (HRD) policy allows a specific application to use the Password Hash Sync stored in Azure AD to determine the validity of a provided password. This HRD policy is applied to an individual app registration and is not a global setting.

Requirements
  • A user with Azure Global Administrator rights

  • Microsoft PowerShell installed on a device that supports the AzureADPreview module (For more information, see the following documentation from Microsoft: Azure AD).

  • Azure AD PowerShell modules (For more information, see the following documentation from Microsoft: Install Azure Active Directory PowerShell for Graph).

  1. Using PowerShell, sign in to Azure AD with your admin account:
    Connect-AzureAD -Confirm
  2. Determine which, if any, policies have been created for your tenant:
    Get-AzureADPolicy
  3. If one does not already exist, create an HRD policy that sets AllowCloudPasswordValidation to true:
    New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuthPolicy -Type HomeRealmDiscoveryPolicy
  4. Get the Object ID of the newly created policy:
    Get-AzureADPolicy
  5. Locate the Object ID of the Jamf Connect application's service principal (the ObjectId returned by Get-AzureADServicePrincipal, not the Application ID copied earlier):
    Get-AzureADServicePrincipal
    Note:
    For large organizations, this command returns only the first 100 service principals by default. Use the following command to narrow the returned values:
    Get-AzureADServicePrincipal -SearchString [first word in the name of your Jamf Connect app]
  6. Assign the HRD policy to the Jamf Connect application:
    Add-AzureADServicePrincipalPolicy -Id <ObjectID of the Jamf Connect app registration> -RefObjectId <ObjectId of the Policy>
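The six steps above, combined into one re-runnable script. This is an added example, not part of the Jamf documentation or the AzureADPreview module: it reuses an existing HRD policy that already allows cloud password validation instead of creating a duplicate, looks the service principal up by its Application ID (an alternative to the -SearchString step above), skips the assignment if the policy is already linked, and finishes by listing the policies attached to the service principal so the result can be verified before rerunning the ROPG test. The Application ID value is a placeholder to be replaced with the one copied from your app registration.

```powershell
# Added example (not from the Jamf page): re-runnable version of steps 1-6.
# Requires the AzureADPreview module and a Global Administrator account.
#Requires -Modules AzureADPreview

# Placeholder: Application (client) ID copied from the Jamf Connect app registration.
$JamfConnectAppId  = '00000000-0000-0000-0000-000000000000'
$PolicyDisplayName = 'EnableDirectAuthPolicy'   # same display name the page uses

# 1. Sign in interactively with the admin account.
Connect-AzureAD | Out-Null

# 2./3. Reuse an HRD policy that already allows cloud password validation; otherwise create one.
$hrdPolicy = Get-AzureADPolicy | Where-Object {
    $_.Type -eq 'HomeRealmDiscoveryPolicy' -and
    (($_.Definition | ConvertFrom-Json).HomeRealmDiscoveryPolicy.AllowCloudPasswordValidation -eq $true)
} | Select-Object -First 1

if (-not $hrdPolicy) {
    # -Definition takes an array of JSON strings; inner quotes are escaped with backticks.
    $hrdPolicy = New-AzureADPolicy `
        -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") `
        -DisplayName $PolicyDisplayName `
        -Type HomeRealmDiscoveryPolicy
    Write-Host "Created HRD policy $($hrdPolicy.Id)"
} else {
    Write-Host "Reusing HRD policy $($hrdPolicy.Id) ($($hrdPolicy.DisplayName))"
}

# 4./5. Resolve the service principal by Application ID instead of paging through the
#       default 100 results or matching on a display-name prefix.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$JamfConnectAppId'"
if (-not $sp) {
    throw "No service principal found for appId $JamfConnectAppId; check the Application ID."
}

# 6. -Id is the service principal's ObjectId (not the Application ID); -RefObjectId is the policy's Id.
#    Only attempt the assignment if this policy is not already attached.
$alreadyAssigned = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $hrdPolicy.Id }

if (-not $alreadyAssigned) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $hrdPolicy.Id
    Write-Host "Assigned policy $($hrdPolicy.Id) to service principal $($sp.ObjectId)"
} else {
    Write-Host "Policy already assigned to $($sp.DisplayName)"
}

# Verification: show every policy now attached to the Jamf Connect service principal.
# The HRD policy should appear with AllowCloudPasswordValidation set to true in its Definition.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object Id, DisplayName, Type, Definition
```

Because the policy is scoped to one service principal, the verification step at the end is the quickest way to confirm that cloud password validation was granted to the Jamf Connect application only and not to other applications in the tenant.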

To validate the HRD policy, navigate to Jamf Connect Configuration, and then rerun the ROPG test. For more information, see Testing Password Hash Sync with Jamf Connect Configuration.