Microsoft Entra ID

Jamf Account Documentation


Training Video

Watch the Integrate Microsoft Entra ID with Jamf Account training video to learn how to configure SSO through Jamf Account.

Requirements
You must have Microsoft Entra ID administrator credentials with at least one of the following roles:
  • Global Administrator

  • Application Administrator

  • Cloud Application Administrator

  1. Log in to the Microsoft Entra admin center.
  2. Click Overview.
  3. Copy the value under Primary domain and save it for later.

    The primary domain is used as the tenant domain in this integration.

  4. Click Applications.
  5. Click App registration.
  6. (Generic SSO connection only) Find your Authority URL:
    1. Click Endpoints.
    2. Copy the Authority URL value labeled Accounts in this organizational directory only (the first entry) and save it for later.

      This is your Microsoft Entra ID domain URL.

  7. Click out of the Endpoints pane, and then click New registration.
  8. Add a name, like Jamf Account, and ensure that Accounts in this organizational directory only is selected under Supported account types.
  9. Configure your redirect URI:
    1. In the Select a platform pop-up menu, choose "Web".
    2. Enter the region-specific URI associated with your IdP configuration.
      • https://us.auth.jamf.com/login/callback

      • https://eu.auth.jamf.com/login/callback

      • https://au.auth.jamf.com/login/callback

      • https://jp.auth.jamf.com/login/callback

    3. Click Register.
    4. Copy the Application (client) ID (e.g., 78eb25ed-abe6-43v5-b7af-2018b1cfb57f) and save it for later.
  10. Find and save the client secret value:
    1. Click Certificates & secrets.
    2. Click New client secret.
    3. Enter a description and select an expiration date.
    4. Click Add.

      The client secret details display on the Client secrets tab.

    5. Copy and save the client secret value displayed in the Value column. You will need it later in the integration process.
      Note: The client secret will only be shown once. If you do not copy the value at this step, you will need to create a new client secret and use its value instead.

  11. Add access tokens:
    1. Click Token configuration.
    2. Click Add optional claim.
    3. Select Access as the token type.
    4. Select the following checkboxes:
      • email

      • family_name

      • given_name

      • login_hint

      • verified_primary_email

    5. Click Add.
    Note: A notice may appear stating that some of these claims require API permissions. You can add these permissions automatically by selecting the checkbox to grant the required API permissions, and then clicking Add.
  12. Add ID tokens:
    1. Click Add optional claim.
    2. Select ID as the token type, and then select the following checkboxes:
      • email

      • family_name

      • given_name

      • login_hint

      • verified_primary_email

    3. Click Add.
  13. Click API permissions in the sidebar to confirm that the following Delegated permissions have been added: email, profile, User.Read, and openid. If any of them are missing, click Add a permission and add them.
  14. If using groups and the Entra connection type in Jamf Account, also add Directory.Read.All as a Delegated permission, as specified in Okta's Auth0 documentation on Microsoft Graph API permission requirements.
  15. If using groups and the Generic OIDC connection type in Jamf Account, navigate to Enterprise Applications.
    1. Click Manage.

    2. Click Token Configuration.

    3. Ensure the groups claim is enabled for ID token type.

    For more information on connection types in Jamf Account for Microsoft Entra ID, see Adding an SSO Connection in Jamf Account.

    Note: Jamf recommends using the Entra connection type for most environments. For further assistance deciding which connection type best suits your environment, contact Jamf Support.

Your app integration is created. Before you connect your IdP with Jamf Account, you must verify your SSO domain. For instructions, see Verifying your SSO Domain in Jamf Account.
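The following is an added example, not Jamf's or Microsoft's code: an offline sanity check for the app registration produced by the procedure above. It verifies the redirect URI against the four Jamf callback URIs, that the ID token audience is the Application (client) ID, and that the optional claims from steps 11 and 12 are present in the ID token (and in an access token, if supplied). The tokens would come from a test sign-in you perform; the sample tokens built by `_unsigned_token` are constructed and unsigned for illustration, and no signature is checked here because this inspects configuration only.

```python
# Added example (standard library only): checks an Entra ID app registration
# against the Jamf Account procedure. Signature verification is intentionally
# out of scope; Jamf Account validates the token signature at sign-in.
import base64
import json

# Region-specific callback URIs from step 9 of the procedure.
JAMF_CALLBACK_URIS = {
    "https://us.auth.jamf.com/login/callback",
    "https://eu.auth.jamf.com/login/callback",
    "https://au.auth.jamf.com/login/callback",
    "https://jp.auth.jamf.com/login/callback",
}
# Optional claims that steps 11 and 12 add to access tokens and ID tokens.
REQUIRED_CLAIMS = {"email", "family_name", "given_name", "login_hint",
                   "verified_primary_email"}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_registration(redirect_uri: str, client_id: str, id_token: str,
                       access_token: str = "") -> list:
    """Return findings; an empty list means the registration matches the procedure."""
    findings = []
    if redirect_uri not in JAMF_CALLBACK_URIS:
        findings.append(f"redirect URI {redirect_uri} is not a Jamf callback URI")
    id_claims = decode_jwt_payload(id_token)
    # An Entra ID token is issued to the app itself, so aud must equal the client ID.
    if id_claims.get("aud") != client_id:
        findings.append("ID token audience does not match the Application (client) ID")
    tokens = [("ID", id_claims)]
    if access_token:
        tokens.append(("access", decode_jwt_payload(access_token)))
    for name, claims in tokens:
        missing = sorted(REQUIRED_CLAIMS - claims.keys())
        if missing:
            findings.append(f"{name} token is missing optional claims: {', '.join(missing)}")
    return findings


def _unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for demonstration only."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(payload)}."
```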