Hi all!
A while ago I wrote a post on how to add Azure AD as an LDAPS provider in Jamf Pro: https://travellingtechguy.blog/integrate-azure-ldap-in-jamf-pro/
That approach still works and is still required if you want LDAP functionality from Azure on an on-prem Jamf Pro server. However, since Jamf Pro 10.27, Jamf Cloud offers an easier alternative: integrating Azure AD as a Cloud Identity Provider.
The benefit is that this does not require Azure AD Domain Services (AADDS) to be enabled in your Azure AD tenant, which simplifies the setup and, I presume, reduces costs as well.
However, if you already have AADDS enabled and configured, you should not switch to the new Cloud Identity Provider integration. Doing so would change the LDAP server identity and the associated user IDs in Jamf Pro, so 'the same user' would no longer be recognised as the same user account. That in turn breaks scoping if, for instance, you have LDAP limitations configured.
Important: Do not integrate Jamf Pro with Azure AD as a cloud identity provider if your environment already includes Azure AD Domain Services (AADDS)*** and Microsoft’s Active Directory LDAP configurations. A migration workflow will be available in a future release of Jamf Pro.
*** Small typo in the Jamf pro Admin Guide at the time of writing this post. Admin guide mentions ADFS, but this should be AADDS
That all said, let's have a quick look at how to integrate Azure AD into Jamf Pro if you have no Azure AD integration configured yet. This really is a walk in the park, as the workflow is very straightforward.
Requirements:
- JamfCloud
- No LDAPS integration with Azure AD via AADDS configured yet
- Access to the Azure tenant with appropriate credentials, such as a Global Admin, to manage consent requested by the Jamf Pro Azure AD Connector
Let’s go.
Official guide: https://docs.jamf.com/10.27.0/jamf-pro/release-notes/What’s_New.html

Go to the Jamf Pro settings and click the Cloud Identity Providers icon. From there you can add a new provider via the "+ New" button:

As you can see there are now two options to select from. Apart from the Azure AD provider you can also choose the Google IdP, about which I wrote a post earlier: https://travellingtechguy.blog/google-ldap-as-cloud-identity-provider-in-jamf-pro/

If you go for Azure and click Next, you will be informed that the browser will redirect to Microsoft (Azure) to grant admin consent. It is perfectly normal that the entire page redirects.

Next you'll be presented with an Azure login web app in which you need to authenticate with an account that has the privileges to grant admin consent for the Jamf Pro Azure AD Connector. As with any enterprise app consent, review the permissions listed on the consent page before you accept them.

Click Accept to grant the permissions and you will be redirected to your Jamf Cloud instance automatically. If everything went right you should now see the green 'Verification Status: Success' notification, and the tenant ID of your Azure AD should be populated automatically. The only thing left to do is to set the Display Name you want for this configuration in the Jamf Pro GUI.

Click Save. Congrats, you have successfully added Azure AD to Jamf Pro via the Cloud Identity Provider integration!
Yes, you can for sure configure the mappings and change them according to your needs or custom attributes you have in your Azure AD. For my setup, which is typically the case with test environments, the default settings were just fine.

I can query my users:

My group lookups work:

And I can check group membership as well:

Note: Just like when we integrate LDAPS via AADDS or SSO with Azure in Jamf Pro, you can only map groups by their object ID (OID) value, not by their friendly name. The name of the group in Jamf Pro must be identical to the group's object ID in Azure. This is important when you add Azure AD groups to Jamf Pro for access to the GUI, Self Service or enrolment authentication.
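Because the group name in Jamf Pro has to be the Azure object ID rather than the display name, it is easy to end up with a group that looks right but never matches. The following script is an added example for this post, not Jamf or Microsoft code: it takes a Microsoft Graph groups listing (here a constructed sample in the shape of a GET https://graph.microsoft.com/v1.0/groups?$select=id,displayName response) and a list of group names as typed into Jamf Pro, and reports which Jamf Pro names are friendly names instead of object IDs, suggesting the object ID to use instead. The group names and IDs are invented for the example.

```python
"""Audit Jamf Pro group names against Azure AD group object IDs.

Added example, not Jamf or Microsoft code. Jamf Pro matches an Azure AD
group by its object ID (a UUID), not by its display name, so a Jamf Pro
group literally named "Jamf Admins" will never match the Azure group.
"""
import json
import uuid

# Constructed sample in the shape of a Graph /groups response
# (GET https://graph.microsoft.com/v1.0/groups?$select=id,displayName).
# The IDs and names are invented for this example.
GRAPH_GROUPS_JSON = """
{
  "value": [
    {"id": "3f2a1b7c-9d4e-4c8a-b1e2-6a7b8c9d0e1f", "displayName": "Jamf Admins"},
    {"id": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d", "displayName": "Jamf Auditors"},
    {"id": "0b1c2d3e-4f5a-4b6c-8d7e-9f0a1b2c3d4e", "displayName": "Mac Users"}
  ]
}
"""

# Constructed list of group names as an admin might have typed them into
# Jamf Pro (Settings > Users & Groups). Only the first one is correct.
JAMF_GROUP_NAMES = [
    "3f2a1b7c-9d4e-4c8a-b1e2-6a7b8c9d0e1f",  # correct: the object ID
    "Jamf Auditors",                          # wrong: friendly name
    "A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D",  # upper-case copy of an ID
    "Helpdesk",                               # no such group in Azure AD
]


def parse_graph_groups(raw_json):
    """Return ({displayName: id}, {id: displayName}) from a Graph /groups page."""
    groups = json.loads(raw_json)["value"]
    by_name = {g["displayName"]: g["id"] for g in groups}
    by_id = {g["id"]: g["displayName"] for g in groups}
    return by_name, by_id


def is_object_id(name):
    """True if the string parses as a UUID, the format of an Azure AD object ID."""
    try:
        uuid.UUID(name)
    except ValueError:
        return False
    return True


def audit_jamf_groups(jamf_names, raw_graph_json):
    """Classify each Jamf Pro group name against the Graph listing.

    Returns a list of (jamf_name, status, detail) tuples, where status is:
      "ok"            - an object ID that exists in the tenant
      "case"          - the object ID exists but the casing differs from Graph;
                        Graph returns lower-case IDs, so copy them as returned
      "unknown-oid"   - looks like an object ID but is not in the listing
      "friendly-name" - a display name was used; detail is the ID to use instead
      "not-found"     - neither an object ID nor a known display name
    """
    by_name, by_id = parse_graph_groups(raw_graph_json)
    results = []
    for name in jamf_names:
        if is_object_id(name):
            if name in by_id:
                results.append((name, "ok", by_id[name]))
            elif name.lower() in by_id:
                results.append((name, "case", name.lower()))
            else:
                results.append((name, "unknown-oid", ""))
        elif name in by_name:
            results.append((name, "friendly-name", by_name[name]))
        else:
            results.append((name, "not-found", ""))
    return results


if __name__ == "__main__":
    for jamf_name, status, detail in audit_jamf_groups(JAMF_GROUP_NAMES, GRAPH_GROUPS_JSON):
        print(f"{status:14} {jamf_name!r:45} {detail}")
```

With real data, replace GRAPH_GROUPS_JSON with the body of an authenticated Graph call (or the output of `az ad group show --group "<name>" --query id -o tsv` for a single group) and JAMF_GROUP_NAMES with the group names from your Jamf Pro Users & Groups settings; every "friendly-name" result is a group that will silently fail to match.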
One final note from the Jamf Pro admin guide / release notes:
Note: When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.
That’s it! Straight forward right? If not, don’t hesitate to reach out with questions!
As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!
Brgds,
TTG
Note: Just like when we integrate LDAPs via AADDS or SSO with Azure in Jamf Pro, you can only map groups by the identifier (OID) value. The name of the group in Jamf Pro must be the same as the group OID value in Azure. This is important when you add Azure AD groups to Jamf Pro for access to the GUI, Self Service or for enrolment authentication.
So what actually does that mean?
I'm asking because I set this up, set an Azure group, added it as an admin group in Jamf, have SSO set up and working, but my test user still can't log in to Jamf itself despite being in the group and passing through the SSO successfully.
Hi, I have now figured out how to use Azure groups to manage Jamf console access.
The most vital part is when the SSO connector is set up to add in the groups claim which isn’t enabled by default.
Then all you need to do is create a standard group in jamf that is named after the azure jamf-admin groups OID and NOT its name.
Indeed, Azure returns groups in the form of OID (UUID format) and not the friendly group name.
There was a very minor change on group schema… it should be: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups — this was an issue that Jamf helped me with and wanted to spread the news.
Hi Michael, thanks for sharing, but I guess you are referring to Azure as SSO in Jamf, right? Not purely the above Azure IdP integration.
Yes, I should have qualified that. I apologize.
Thanks a lot!
Hi from France. I have a question about using Azure as the Cloud Identity Provider introduced in Jamf Pro 10.27. The integration is done. It looks like I can immediately use an Azure AD user to enroll the Mac with Automated Device Enrollment (and that creates the local account). It also works to enroll the Mac with User-Initiated Enrollment. It is also functional to authenticate in Self Service and to use Azure AD groups in policies as limitations. I'm wondering if I'm missing something because it looks too simple. The only thing I'm thinking of is that I can't authenticate as an Azure AD user to administer Jamf Pro because I didn't set up SSO, correct? But is there something else? I have an integration of Jamf School with Azure AD but it is not so straightforward, we have the Redirect pane, etc.
… correction. I added the Azure AD group in the Jamf Pro Users & Groups settings with Auditor privileges and my Azure AD user can now access the Jamf Pro console. Everything looks like Azure AD is behaving as an LDAP server.
Hi, well by the looks of it you have indeed enabled and tested all possible integrations and functionality of this. Adding Azure as IdP indeed allows you to use your Azure account in a similar way as LDAP.
Hi. That is the reason why I don’t understand the following statement : Single sign-on (SSO) with Azure must be configured in Jamf Pro to use authentication workflows (e.g., user-initiated enrollment and logging in to Jamf Pro). For information on how to configure SSO in Jamf Pro, see Single Sign-On. (https://docs.jamf.com/10.28.0/jamf-pro/administrator-guide/Azure_AD_Integration.html). And there may be something with that also : When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.
But I don’t have the licence for MFA so I can’t observe that.