With an existing application registration that exposes a custom API, an additional application registration can call that custom scope for use in a Conditional Access policy.
- Log in to your organization's Microsoft Entra admin center.
- Click .
- Create a new app registration.
Name this application Jamf Connect - OIDC Endpoint.
- Select Accounts in this organizational directory only under Supported account types.
- Select Public client/native (mobile & desktop) under Redirect URI.
- Enter https://127.0.0.1/jamfconnect in the Redirect URI field.
- Click Register.
- In the sidebar, click Authentication.
- Enable Allow public client flows.
This feature enables Resource Owner Password Grant (ROPG) to validate passwords.
- In the sidebar, click API permissions.
- Click Grant admin consent for [domain] to read user information on behalf of the user.
- Click + Add a permission.
- Select the My APIs tab and click Jamf Connect - Conditional Access Policy API.
- Click Delegated permissions.
- Select the checkbox for jamfconnect.
- Click Add permissions.
- Click Grant admin consent for [domain] to grant permission to access the API on behalf of users.
- (Optional) Under App roles, add roles named Administrator and Standard.
These roles allow you to define which users or groups should have administrator rights. See Login Window Settings for more information.
- Click Overview.
- Copy the Application (client) ID and the Directory (tenant) ID for later use in your Jamf Connect configuration.
- Click .
- Select the Jamf Connect - OIDC Endpoint application.
- Assign users and roles to the application.
The application can now call the custom scope and be targeted by Conditional Access policies for Jamf Connect.
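The following is an added example, not part of the original Jamf or Microsoft documentation: a small audit script that checks an exported Entra app manifest (legacy manifest format, as downloaded from the registration's Manifest blade) against the settings the steps above require. The sample manifest, the custom API's application ID and the scope ID are constructed placeholders; the manifest field names (`signInAudience`, `allowPublicClient`, `replyUrlsWithType`, `requiredResourceAccess`) are the real ones.

```python
import json

EXPECTED_REDIRECT = "https://127.0.0.1/jamfconnect"
# Placeholder IDs for the "Jamf Connect - Conditional Access Policy API" registration
# and its "jamfconnect" delegated scope; take the real values from your own tenant.
API_APP_ID = "00000000-0000-0000-0000-0000000000a1"
JAMFCONNECT_SCOPE_ID = "00000000-0000-0000-0000-0000000000s1"

# Constructed manifest that matches the registration steps above.
GOOD_MANIFEST = json.dumps({
    "displayName": "Jamf Connect - OIDC Endpoint",
    "signInAudience": "AzureADMyOrg",          # "Accounts in this organizational directory only"
    "allowPublicClient": True,                 # "Allow public client flows" (needed for ROPG)
    "replyUrlsWithType": [{"url": EXPECTED_REDIRECT, "type": "InstalledClient"}],
    "requiredResourceAccess": [{
        "resourceAppId": API_APP_ID,
        "resourceAccess": [{"id": JAMFCONNECT_SCOPE_ID, "type": "Scope"}],
    }],
})

def audit_registration(manifest_json: str) -> list:
    """Return a list of findings; an empty list means the registration matches the procedure."""
    m = json.loads(manifest_json)
    findings = []
    if m.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single-tenant (AzureADMyOrg)")
    if m.get("allowPublicClient") is not True:
        findings.append("allowPublicClient is not enabled; ROPG password validation will fail")
    # Only the loopback Jamf Connect redirect URI should be registered, and as a public client type.
    urls = {r.get("url") for r in m.get("replyUrlsWithType", []) if r.get("type") == "InstalledClient"}
    if EXPECTED_REDIRECT not in urls:
        findings.append("missing public-client redirect URI " + EXPECTED_REDIRECT)
    for extra in sorted(urls - {EXPECTED_REDIRECT}):
        findings.append("unexpected redirect URI registered: " + extra)
    # The delegated "jamfconnect" scope on the custom API must be requested.
    requested = {(r.get("resourceAppId"), a.get("id"))
                 for r in m.get("requiredResourceAccess", [])
                 for a in r.get("resourceAccess", []) if a.get("type") == "Scope"}
    if (API_APP_ID, JAMFCONNECT_SCOPE_ID) not in requested:
        findings.append("delegated jamfconnect scope on the custom API is not requested")
    return findings

if __name__ == "__main__":
    for finding in audit_registration(GOOD_MANIFEST) or ["registration matches the procedure"]:
        print(finding)
```

Admin consent is recorded on the service principal, not in the manifest, so the "Grant admin consent" steps still need to be verified separately in the API permissions blade.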