If your organization uses Microsoft Entra ID Conditional Access policies, Jamf Connect may run into unexpected problems when syncing user passwords. Jamf Connect verifies a user's password in the background with the Resource Owner Password Grant (ROPG) workflow, and Entra ID treats each of these checks as a sign-in attempt. When a policy requires multifactor authentication, device compliance evaluation, or a third-party authentication method, that requirement cannot be satisfied by a non-interactive password check, so the attempts appear in the Entra ID sign-in logs with an "Interrupted" status. Repeated interrupted sign-ins may skew user sign-in risk evaluations, lock out users, or generate unwanted alerts.
By default, Jamf Connect cannot be explicitly targeted or excluded by a Conditional Access policy: it authenticates with public client flows against Microsoft's own resources, so there is no application of its own for a policy to reference. By creating a custom API (a private application registration that exposes a scope) and a second application registration for Jamf Connect that requests that scope, administrators can exclude the custom API from Conditional Access policies scoped to All Cloud Apps. After completing these tasks, users can log in to Jamf Connect and sync their passwords without failing Conditional Access policy requirements.
Jamf recommends creating new application registrations for Jamf Connect rather than modifying existing ones. This helps prevent unexpected errors or conflicts during deployment.
Follow these steps to make Jamf Connect compatible with Microsoft Entra ID Conditional Access policies:
1. Create an application registration that exposes a custom API.
2. Create an application registration for Jamf Connect that calls the custom API as a scope.
3. Exclude the new custom API from Conditional Access policies scoped to All Cloud Apps.
4. Create a Jamf Connect configuration using the custom API and scope.
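The Entra ID side of the procedure above (steps 1 through 3) can be scripted with the Microsoft Graph PowerShell SDK. The following block is an added example, not code from Jamf or Microsoft, and the display names, the scope value "jamfconnect", the redirect URI, and the policy name are assumptions to adjust for your tenant. Step 4 is left to the Jamf Connect configuration profile: the block prints the client ID, tenant ID, and full scope string the profile needs, since this page does not name the individual preference keys.

```powershell
# Added example: Entra ID setup for Jamf Connect and Conditional Access.
# Requires the Microsoft.Graph module; run as a user who can register
# applications and manage Conditional Access policies.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Registration that exposes a custom API. This is the resource application
#    that a Conditional Access policy can later include or exclude.
$api     = New-MgApplication -DisplayName "Jamf Connect API" -SignInAudience "AzureADMyOrg"
$scopeId = [guid]::NewGuid().Guid
$scope   = @{
    Id                      = $scopeId
    Value                   = "jamfconnect"            # assumed scope name
    Type                    = "User"                   # user-consentable delegated scope
    IsEnabled               = $true
    AdminConsentDisplayName = "Jamf Connect sign-in"
    AdminConsentDescription = "Allows Jamf Connect to sign users in and verify their password."
    UserConsentDisplayName  = "Jamf Connect sign-in"
    UserConsentDescription  = "Allows Jamf Connect to sign you in and verify your password."
}
Update-MgApplication -ApplicationId $api.Id `
    -IdentifierUris @("api://$($api.AppId)") `
    -Api @{ Oauth2PermissionScopes = @($scope) }
# Conditional Access references service principals, so make sure one exists.
New-MgServicePrincipal -AppId $api.AppId | Out-Null

# 2. Public client registration for Jamf Connect that requests the custom scope.
#    The redirect URI is the one Jamf Connect uses for Entra ID (assumption; verify
#    against your Jamf Connect documentation).
$client = New-MgApplication -DisplayName "Jamf Connect" -SignInAudience "AzureADMyOrg" `
    -IsFallbackPublicClient:$true `
    -PublicClient @{ RedirectUris = @("https://127.0.0.1/jamfconnect") } `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $api.AppId
        ResourceAccess = @(@{ Id = $scopeId; Type = "Scope" })
    })
New-MgServicePrincipal -AppId $client.AppId | Out-Null

# Pre-authorize the Jamf Connect client on the API so background password checks
# never hit a consent prompt. The scope is re-sent so a PATCH cannot drop it.
Update-MgApplication -ApplicationId $api.Id -Api @{
    Oauth2PermissionScopes    = @($scope)
    PreAuthorizedApplications = @(@{ AppId = $client.AppId; DelegatedPermissionIds = @($scopeId) })
}

# 3. Conditional Access policy scoped to all cloud apps that excludes the custom API.
#    Created in report-only mode so the effect can be checked in the sign-in logs
#    before it is enforced. Add your break-glass accounts to Users.ExcludeUsers.
New-MgIdentityConditionalAccessPolicy -DisplayName "Require MFA - all apps except Jamf Connect" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions @{
        Users        = @{ IncludeUsers = @("All") }
        Applications = @{ IncludeApplications = @("All"); ExcludeApplications = @($api.AppId) }
    } `
    -GrantControls @{ Operator = "OR"; BuiltInControls = @("mfa") } | Out-Null

# 4. Values to carry into the Jamf Connect configuration profile.
[pscustomobject]@{
    ClientId = $client.AppId
    TenantId = (Get-MgContext).TenantId
    Scope    = "api://$($api.AppId)/jamfconnect"
}
```

If you are adding the exclusion to a policy that already exists rather than creating one, read the policy first and send back the whole Applications object with the custom API's application (client) ID appended to ExcludeApplications; a partial update replaces the array rather than merging it. After Jamf Connect is reconfigured, confirm in the Entra ID sign-in logs that the password sync events now show the custom API as the resource and no longer appear as Interrupted, then switch the policy from report-only to enabled.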