Troubleshooting Microsoft Azure Login Using JamfAAD

JamfAAD is the component that integrates Jamf Pro 10.17.0 or later with Microsoft Azure Active Directory (Azure AD) to support conditional access. Its preference keys also let you troubleshoot Microsoft Azure login issues.

You can troubleshoot the following issues using the JamfAAD:
  • If users are marked as unresponsive in Azure Active Directory (Azure AD) and there are network issues, you can configure the JamfAAD to recheck for a valid token at check-in.

  • If you think users may be connecting to the wrong server or using an incorrect email address, you can enable additional JamfAAD logging.

For more information on how to troubleshoot pre-fill authentication, see the Troubleshooting the JamfAAD Pre-fill Authentication Issue article.

Configuring the JamfAAD Check-in

To resolve issues with users in an unresponsive state or network issues, you can configure JamfAAD to recheck for a valid Azure AD token at check-in using two preference keys: tokenRetryCount (the number of additional attempts) and tokenRetryWaitTime (the number of seconds to wait between attempts). By default, tokenRetryCount is 0 (no retries) and tokenRetryWaitTime is 5 seconds, so a failed token check at check-in is not retried unless you change these values.

You can configure the JamfAAD check-in in the following ways:
  • Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.

  • Run a script using a policy with the execution frequency of "Once per user per computer".

The following examples show how to configure JamfAAD to retry three times, waiting 42 seconds between retries.

PLIST Example

To configure JamfAAD check-in by deploying a PLIST file, use the following example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>tokenRetryCount</key>
<integer>3</integer>
<key>tokenRetryWaitTime</key>
<integer>42</integer>
</dict>
</plist>

When configuring the Custom Settings payload, enter the following in the Preference Domain field: com.jamf.management.jamfAAD

For instructions on deploying configuration profiles with the Custom Settings payload configured, see the Deploying Custom Configuration Profiles Using Jamf Pro article.

Script Example

To configure JamfAAD check-in by running a script using a policy with the execution frequency of "Once per user per computer", use the following example:

#!/bin/sh
# Retry the Azure AD token check three times at check-in, waiting
# 42 seconds between attempts (defaults: 0 retries, 5 seconds).
defaults write com.jamf.management.jamfAAD tokenRetryWaitTime -float 42
defaults write com.jamf.management.jamfAAD tokenRetryCount -int 3

For more information on how to run a script, see Running Scripts in the Jamf Pro Administrator's Guide.

Enabling Additional JamfAAD Logging

To troubleshoot issues with users logging in to the wrong server or using an incorrect email address, use the logPII preference key to log additional personally identifiable information from the Azure login process. Personally and organizationally identifiable information is only written to the computer's local log system; it is not sent to the Jamf Pro server. Because the log then contains email addresses and sign-in endpoints, enable logPII only for the duration of the troubleshooting and disable it afterwards. The log will report the following information:
  • userID—Email address used to log in

  • Authority host—Server the user was redirected to for sign in

  • Token number

You can enable JamfAAD logging in the following ways:
  • Deploy a PLIST file using a configuration profile with the Custom Settings payload configured.

  • Run a script using a policy with the execution frequency of "Once per user per computer".

PLIST Example

To enable JamfAAD logging by deploying a PLIST file, use the following example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>logPII</key>
<true/>
</dict>
</plist>

When configuring the Custom Settings payload, enter the following in the Preference Domain field: com.jamf.management.jamfAAD

For instructions on deploying configuration profiles with the Custom Settings payload configured, see the Deploying Custom Configuration Profiles Using Jamf Pro article.

Script Example

To enable JamfAAD logging by running a script using a policy with the execution frequency of "Once per user per computer", use the following example:

#!/bin/sh
# Turn on logging of email address, authority host and token number
# for the Azure login process (written to the local log only).
defaults write com.jamf.management.jamfAAD logPII -bool true

If you want to disable JamfAAD logging, you can use the following script:

#!/bin/sh
# Remove the key so JamfAAD falls back to its default of not logging PII.
defaults delete com.jamf.management.jamfAAD logPII
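The following Python script is an added example, not Jamf's code, that covers both procedures above: it builds the Custom Settings plist for the check-in retry keys and for the logPII key with the correct plist types, and it checks a plist before upload, rejecting malformed XML, wrong types (for example a <string> where an <integer> is expected), unknown keys and out-of-range values, then reporting the effective settings with the defaults from this article filled in and the worst-case delay the retry loop adds to a check-in. It uses only plistlib from the Python standard library. Two things are assumptions made for the example: that tokenRetryWaitTime may be either an <integer> or a <real>, since the article writes it as an integer in the plist and as a float with defaults write, and the malformed sample plist at the end, which is constructed to show a hand-editing slip being caught.

```python
"""Build and sanity-check a Custom Settings plist for the
com.jamf.management.jamfAAD preference domain before it is deployed.
Added example; uses only plistlib from the Python standard library."""
import plistlib

PREF_DOMAIN = "com.jamf.management.jamfAAD"

# Default values stated in the article: no retries, five seconds between
# retries, and no PII logging.
DEFAULTS = {"tokenRetryCount": 0, "tokenRetryWaitTime": 5, "logPII": False}


def validate_settings(settings):
    """Check key names, types and ranges; return the effective settings
    with the article's defaults filled in for any key that is absent."""
    effective = dict(DEFAULTS)
    for key, value in settings.items():
        if key not in DEFAULTS:
            raise ValueError(f"unknown {PREF_DOMAIN} key: {key}")
        if key == "tokenRetryCount":
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                raise ValueError("tokenRetryCount must be a non-negative <integer>")
        elif key == "tokenRetryWaitTime":
            # Assumption: an <integer> or a <real> number of seconds is accepted,
            # because the article uses an integer in the plist and -float with
            # `defaults write`.
            if isinstance(value, bool) or not isinstance(value, (int, float)) or value <= 0:
                raise ValueError("tokenRetryWaitTime must be a positive number of seconds")
        elif key == "logPII":
            if not isinstance(value, bool):
                raise ValueError("logPII must be <true/> or <false/>")
        effective[key] = value
    return effective


def build_jamfaad_plist(retry_count=None, wait_seconds=None, log_pii=None):
    """Return XML plist bytes for the Custom Settings payload containing
    only the keys that were supplied, each with the correct plist type."""
    settings = {}
    if retry_count is not None:
        settings["tokenRetryCount"] = retry_count
    if wait_seconds is not None:
        settings["tokenRetryWaitTime"] = wait_seconds
    if log_pii is not None:
        settings["logPII"] = log_pii
    validate_settings(settings)
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML)


def check_plist(data):
    """Parse plist bytes (e.g. the contents of a file about to be uploaded)
    and return the effective settings. Malformed XML, a non-dict top level
    or a bad key/type raises ValueError."""
    try:
        settings = plistlib.loads(data)
    except Exception as exc:  # expat parse errors, InvalidFileException, ...
        raise ValueError(f"not a valid plist: {exc}") from exc
    if not isinstance(settings, dict):
        raise ValueError("top-level plist object must be a <dict>")
    return validate_settings(settings)


def is_valid_plist(data):
    """Scripting convenience: True if check_plist accepts the data."""
    try:
        check_plist(data)
        return True
    except ValueError:
        return False


def worst_case_delay(effective):
    """Longest time, in seconds, the retry loop can add to one check-in."""
    return effective["tokenRetryCount"] * effective["tokenRetryWaitTime"]


# Constructed input: a plist with nested <key> tags and a stray </true>,
# the kind of hand-editing mistake this check is meant to catch.
BROKEN_LOGPII_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key><key>logPII</key></key>
</true>
</dict>
</plist>
"""

if __name__ == "__main__":
    payload = build_jamfaad_plist(retry_count=3, wait_seconds=42)
    print(payload.decode())
    effective = check_plist(payload)
    print("effective settings:", effective)
    print("worst-case retry delay (s):", worst_case_delay(effective))
    print("broken plist accepted?", is_valid_plist(BROKEN_LOGPII_PLIST))
```

Run it before uploading a Custom Settings payload, or pass the bytes of an existing .plist file to check_plist. Wrong value types and malformed XML are a common reason a deployed preference appears not to take effect, and they are far cheaper to catch here than on a managed Mac.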