Configuring an Entra ID Cloud Identity Provider Connection

Jamf Pro Documentation 11.16.0

Important:

If Jamf Pro already integrates with a Microsoft Entra ID Domain Services or Microsoft Active Directory LDAP configuration that you plan to migrate to an Entra ID instance, do not add this Entra ID instance as a cloud identity provider in Jamf Pro until you are ready to migrate your configuration. To ensure your existing LDAP workflows (e.g., scoping, user accounts, and groups) continue to work correctly, you will need to migrate your configuration. For more information, see Migrating an LDAP Server to an Entra ID Cloud Identity Provider Instance. Adding and using data from the Entra ID integration prior to migration may break your environment.

When a server connection is added, it is enabled by default. You can configure multiple connections and choose which configuration to use. Disabling the connection prevents Jamf Pro from querying data from this server. This means you can add a different configuration without deleting the current connection. To disable the connection, use the switch.

Requirements
  • Jamf Standard Cloud-hosted or Jamf Premium Cloud-hosted environment

  • Global Administrator or higher privileges in Entra ID

  • Standard user groups added in Jamf Pro that have the same name as groups configured in Entra ID

  1. In Jamf Pro, click Settings in the sidebar.
  2. In the System section, click Cloud identity providers.
  3. Click New.
  4. Choose Entra ID and click Next. You are redirected to the administrator consent page in Microsoft.
  5. Enter your Microsoft Entra ID credentials and follow the onscreen instructions to grant the permissions requested by the Jamf Pro Entra ID Connector application.
  6. When prompted, verify the URL is correct and click Continue.
  7. After the request completes, in Jamf Pro configure the settings on the Server Configuration tab. Consider the following:
    • The display name for the configuration must be unique.

    • The Tenant ID value is pre-populated with information from Microsoft.

    • When single sign-on (SSO) with Entra ID is configured in Jamf Pro, select Transitive groups for SSO to enforce transitive membership lookups in the user and group directory. This ensures that every Entra ID group that a group is itself a member of is included in a directory lookup, so there is no need to run recursive queries to list the groups a user belongs to. You can configure a specific user mapping in the User Mapping from the SAML Assertion field. This allows you to adjust username mapping during transitive membership requests and match the user identifier from the SAML single sign-on settings in the Entra ID configuration.

    • Select Transitive membership lookups to enforce membership lookups for directory workflows that include all groups that a user or group is a member of. This lookup is recursive: it follows nested group membership rather than checking only direct membership.

    • It is recommended to set the Connection Timeout value to 5.

  8. Use the Mappings tab to specify user attribute mappings and group attribute mappings. See the "Default Attribute Mappings for Entra ID as a Cloud Identity Provider" section below for the default mappings, and refer to it when troubleshooting the connection.
    Important:

    To ensure the configuration works as expected, consider the following:

    • The values for the User Id mapping must support the $filter parameter in Entra ID.

    • The value for the Group Id mapping defaults to "id" and cannot be changed.

    Note:

    You can configure cloud identity provider attribute mappings using the Jamf Pro API. For more information, see the Configuring Cloud Identity Provider Attribute Mappings Using the Jamf Pro API article.

  9. Click Save.

Saving a server connection triggers an automatic verification process. After your configuration is saved, you can test the mappings. For more information, see Testing Cloud Identity Provider Attribute Mappings.