Creating a Home Realm Discovery (HRD) Policy

Jamf Connect Documentation

A Home Realm Discovery (HRD) policy allows a specific application to validate a provided password against the password hashes that Password Hash Sync stores in Entra ID. The HRD policy is assigned to an individual app registration (its service principal) and is not a global setting.

Applying the HRD policy to Jamf Connect ensures that end users' password checks are directed to the correct IdP: with cloud password validation enabled, Entra ID answers the Jamf Connect request using the synchronized hash instead of forwarding it to the federated identity provider for the user's domain.

Requirements
  1. Using PowerShell, sign in to Entra ID with your admin account and check for existing policies. See Set up an HRD policy using Microsoft Graph PowerShell (Microsoft) for more information.
  2. Create the HRD policy using Microsoft Graph PowerShell and get the resulting Object ID. See Create an HRD policy using Microsoft Graph PowerShell (Microsoft) for required commands and example policies.
  3. Locate the service principal IDs of the applications to which you want to assign the policy. See Locate the service principal to assign the policy using Microsoft Graph PowerShell (Microsoft).
  4. Assign the HRD policy to the Jamf Connect application using the policyId (the Object ID) for the policy and the ServicePrincipalId for Jamf Connect. See Assign the policy to your service principal using Microsoft Graph PowerShell (Microsoft) for more information.
    Below is the command to assign the HRD policy. Replace <policyId> with the Object ID of the HRD policy from step 2 and <servicePrincipalId> with the service principal ID of the Jamf Connect application from step 3.
    Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All"
    
    # Object ID of the Jamf Connect service principal (step 3)
    $servicePrincipalId = "<servicePrincipalId>"
    
    # Define the parameters for the New-MgServicePrincipalHomeRealmDiscoveryPolicyByRef cmdlet:
    # a reference to the HRD policy created in step 2
    $assignParams = @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<policyId>"
    }
    
    New-MgServicePrincipalHomeRealmDiscoveryPolicyByRef -ServicePrincipalId $servicePrincipalId -BodyParameter $assignParams
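The four steps above, carried through as one re-runnable script. This is an added example and is not code from the Jamf documentation or the Microsoft pages it references; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can be granted the two scopes shown, and that the Jamf Connect app registration's service principal has the display name "Jamf Connect" (the policy display name "JamfConnectCloudPasswordValidation" is also an assumption; adjust both to your tenant). It checks for an existing policy before creating one, refuses to guess when the display name is ambiguous, and ends by listing what is actually assigned to the service principal.

```powershell
# Added example (not Jamf's or Microsoft's code): create, assign and verify an HRD policy
# that lets the Jamf Connect app validate passwords against the hashes synchronized by
# Password Hash Sync. Display names below are assumptions; change them to match your tenant.
$policyName     = "JamfConnectCloudPasswordValidation"   # assumed HRD policy display name
$appDisplayName = "Jamf Connect"                          # assumed service principal display name

Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All"

# Step 1: look for an existing policy with this name so the script is safe to run twice.
$policy = Get-MgPolicyHomeRealmDiscoveryPolicy -All |
    Where-Object { $_.DisplayName -eq $policyName }

if (-not $policy) {
    # Step 2: create the policy. AllowCloudPasswordValidation is the setting that makes
    # Entra ID validate the ROPG password check against the synchronized hash instead of
    # forwarding it to the user's federated IdP. -IsOrganizationDefault:$false keeps the
    # policy scoped to the service principals it is explicitly assigned to.
    $definition = @('{"HomeRealmDiscoveryPolicy":{"AllowCloudPasswordValidation":true}}')
    $policy = New-MgPolicyHomeRealmDiscoveryPolicy -DisplayName $policyName `
        -Definition $definition -IsOrganizationDefault:$false
}
Write-Host "HRD policy Object ID (policyId): $($policy.Id)"

# Step 3: locate the service principal of the Jamf Connect app registration.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'")
if ($sp.Count -eq 0) { throw "No service principal named '$appDisplayName' was found." }
if ($sp.Count -gt 1) { throw "Several service principals are named '$appDisplayName'; pick the ID manually." }
$servicePrincipalId = $sp[0].Id
Write-Host "Jamf Connect ServicePrincipalId: $servicePrincipalId"

# Step 4: assign the policy by reference, unless it is already assigned.
$assigned = @(Get-MgServicePrincipalHomeRealmDiscoveryPolicy -ServicePrincipalId $servicePrincipalId)
if ($assigned.Id -contains $policy.Id) {
    Write-Host "Policy '$policyName' is already assigned to '$appDisplayName'."
} else {
    $assignParams = @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/$($policy.Id)"
    }
    New-MgServicePrincipalHomeRealmDiscoveryPolicyByRef -ServicePrincipalId $servicePrincipalId `
        -BodyParameter $assignParams
}

# Verify: the listed policy's Definition should contain "AllowCloudPasswordValidation":true.
Get-MgServicePrincipalHomeRealmDiscoveryPolicy -ServicePrincipalId $servicePrincipalId |
    Select-Object Id, DisplayName, Definition
```

Keep the policy scoped to the Jamf Connect service principal rather than making it the organization default: once cloud password validation applies to an app, that app's password checks are answered by Entra ID and no longer pass through the federated IdP, so any controls enforced only at the federation server do not apply to them. The final listing is the same information the ROPG test in Jamf Connect Configuration relies on; if the Definition shown there does not contain the setting, the assignment did not take.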

To validate the HRD policy, navigate to Jamf Connect Configuration, and then run the ROPG test again. For more information, see Testing Password Hash Sync with Jamf Connect Configuration.

If you continue to see failures after adding an HRD policy, see the Selective password hash synchronization configuration for Microsoft Entra Connect documentation from Microsoft. Determine whether an administrator has configured selective Password Hash Sync to exclude accounts on your domain, and discuss with your domain administrator how Jamf Connect is used and how the synchronization rules can be set so that Password Hash Sync is turned on for user accounts while service accounts are still left out of Entra ID.