Excluding the Custom API from Conditional Access Policies

Jamf Connect Documentation


When a Conditional Access policy is scoped to All cloud apps, every sign-in that requests the openid scope falls under that policy, including the resource owner password grant (ROPG) request that Jamf Connect makes against its custom API. ROPG is a non-interactive flow and cannot satisfy a multifactor authentication (MFA) prompt, so the policy blocks the request and the failure is written to the logs. Configuring a direct exclusion for the Jamf Connect - Conditional Access Policy API application removes the MFA requirement for the ROPG portion of Jamf Connect only and prevents the related errors from appearing. Keep the exclusion limited to this one application so that every other resource stays covered by the policy.

Requirements
  • Access to your organization's Microsoft Entra ID admin console.

  • An application registration that exposes the custom API (Jamf Connect - Conditional Access Policy API).

  • An application registration that calls the custom scope (the client that performs the ROPG request).

  1. Log in to your organization's Microsoft Entra admin center.
  2. In the Microsoft Entra admin center, navigate to Entra ID > Conditional Access.
  3. In your Conditional Access policy list, identify every policy whose Target resources includes All cloud apps. Open each policy to check; the list view does not show the scope.
  4. Select a policy and click Target resources.
  5. Click the Exclude tab.
  6. Click Select specific resources.
  7. Select Jamf Connect - Conditional Access Policy API.
  8. Click Save.
    Important:

    If the save fails, check the Jamf Connect - Conditional Access Policy API app registration: Allow public client flows must be set to No (that setting belongs on the client app registration that performs the ROPG request, not on the API), and the registration must not have a redirect URI configured. Remove any redirect URI and try again.

  9. Repeat steps 4 through 8 for every other Conditional Access policy scoped to All cloud apps.

The ROPG portion of Jamf Connect is now exempt from MFA for requests to the custom API, and ROPG-related errors no longer appear in the logs. Sign-ins to every other application, including the interactive Jamf Connect login, remain subject to the policy.
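The same change can be applied and verified from a script. The following is an added example, not Jamf's documentation or code and not Microsoft's, written against the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgServicePrincipal, Get-MgApplication, Get-MgIdentityConditionalAccessPolicy, Update-MgIdentityConditionalAccessPolicy). It finds every policy scoped to All cloud apps, adds the API application to the exclusions of each one that does not already have it, and re-reads the policies to confirm. The -DryRun switch and the pre-check for public client flows and redirect URIs are this example's own additions; the script assumes the API app registration carries the display name used above and that the account running it holds Policy.ReadWrite.ConditionalAccess.

```powershell
# Added example (not Jamf's or Microsoft's code): exclude the Jamf Connect custom API
# from every Conditional Access policy scoped to "All cloud apps" via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell module. Run with -DryRun first.
param(
    [string]$ApiAppDisplayName = 'Jamf Connect - Conditional Access Policy API',
    [switch]$DryRun
)

# Policy.ReadWrite.ConditionalAccess covers the update; the read scopes cover lookups.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All' -NoWelcome

# Conditional Access stores excludes by appId (client ID), so resolve the display
# name to its service principal and refuse to continue if the name is ambiguous.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$ApiAppDisplayName'")
if ($sp.Count -eq 0) { throw "No service principal named '$ApiAppDisplayName' in this tenant." }
if ($sp.Count -gt 1)  { throw "Display name '$ApiAppDisplayName' matches $($sp.Count) service principals; narrow it." }
$apiAppId = $sp[0].AppId

# Pre-check for the save failure described in the procedure: the API registration
# should not allow public client flows and should not carry redirect URIs.
$app = Get-MgApplication -Filter "appId eq '$apiAppId'"
if ($app) {
    if ($app.IsFallbackPublicClient) {
        Write-Warning "'$ApiAppDisplayName' has 'Allow public client flows' enabled; the exclusion may fail to save."
    }
    $redirects = @($app.Web.RedirectUris) + @($app.PublicClient.RedirectUris) + @($app.Spa.RedirectUris) |
        Where-Object { $_ }
    if ($redirects) {
        Write-Warning "'$ApiAppDisplayName' has redirect URIs configured: $($redirects -join ', ')"
    }
}

$changed = 0
foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $apps = $policy.Conditions.Applications
    # Only policies that target "All cloud apps" are in scope for this fix.
    if ($apps.IncludeApplications -notcontains 'All') { continue }
    if ($apps.ExcludeApplications -contains $apiAppId) {
        Write-Host "[ok]  $($policy.DisplayName) already excludes the API"
        continue
    }

    # Drop any null placeholder before appending, so the exclude list stays clean.
    $newExcludes = @($apps.ExcludeApplications | Where-Object { $_ }) + $apiAppId
    Write-Host "[fix] $($policy.DisplayName) (state: $($policy.State)): adding exclusion"
    if ($DryRun) { continue }

    # PATCH replaces the nested applications object, so resend the existing include
    # list (and any app filter the policy uses) alongside the new exclude list.
    $applications = @{
        includeApplications = @($apps.IncludeApplications)
        excludeApplications = $newExcludes
    }
    if ($apps.ApplicationFilter -and $apps.ApplicationFilter.Rule) {
        $applications.applicationFilter = @{
            mode = $apps.ApplicationFilter.Mode
            rule = $apps.ApplicationFilter.Rule
        }
    }
    $body = @{ conditions = @{ applications = $applications } }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
    $changed++
}
Write-Host "Policies updated: $changed"

# Re-read the tenant and report any "All cloud apps" policy that still lacks the exclusion.
if (-not $DryRun) {
    $remaining = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.Conditions.Applications.IncludeApplications -contains 'All' -and
        $_.Conditions.Applications.ExcludeApplications -notcontains $apiAppId
    }
    if ($remaining) {
        Write-Warning "Still missing the exclusion: $(($remaining | ForEach-Object DisplayName) -join ', ')"
    } else {
        Write-Host "Every policy scoped to All cloud apps now excludes '$ApiAppDisplayName'."
    }
}
```

Run it once with -DryRun to confirm that only the expected policies are reported before letting it write. The exclusion is recorded by appId rather than by display name, so renaming the application later does not undo it; the final re-read is the same check step 3 asks you to perform by hand, applied to every policy at once.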