Migrating an LDAP Server to an Entra ID Cloud Identity Provider Instance

Jamf Pro Documentation 11.16.0

You can migrate your LDAP server in Jamf Pro to use Entra ID data. The testing features of the Entra ID migration allow you to verify values for user and group mappings and ensure your directory workflows continue to work correctly after the migration completes.

Note:

Once the migration is complete, the mappings selected in the Entra ID migration assistant will overwrite the mappings currently configured for Entra ID cloud IdP.

Important:
  • The current version of the migration assistant does not verify the computer Login Window payload. If a configuration profile with the Login Window payload exists in your environment, you will need to configure it again after migration.
  • The LDAP server to Entra ID migration is a one-direction process and cannot be undone.
  • Migrating an LDAP server integration's workflows to an Entra ID cloud identity provider means that your source LDAP server configuration will be disabled and will be marked as Migrated. It will not be queried for data.
  • Communication to the LDAP Proxy is disabled once the Entra ID migration is complete.
Requirements
  • Jamf Standard Cloud-hosted or Jamf Premium Cloud-hosted environment

  • Entra ID integration enabled in Jamf Pro.

  • Familiarity with your Entra ID infrastructure

  • Entra ID directory synchronized with your LDAP directory using Entra ID Connect

  • Entra ID cloud IdP connection enabled

  1. In Jamf Pro, click Settings in the sidebar.
  2. In the System section, click Cloud identity providers.
  3. Click the Entra ID instance you want to migrate your directory configuration to.
  4. Click Migrate.
  5. Select the existing source LDAP configuration.
    The migration assistant shows the currently selected Transitive membership lookups setting for your Entra ID configuration. A warning is displayed if the transitive membership lookup setting does not match the recursive group search setting from LDAP, because this affects membership results for nested groups.
  6. Click Next.
  7. Enter a username of a user in your source directory in the "Username from source LDAP" field.
  8. Enter a username of a user in Entra ID in the "Username from Azure AD" field.
  9. Click Test.
  10. Verify the information in the Status column for data match. The following table describes the statuses you may see during testing:

    Status | Description
    Match | The values returned for mappings are the same. Workflows that use them will not be affected.
    New | The Entra ID mapping returned a value that has not been used in the source configuration. Review the settings for your environment to ensure the directory-related workflows will not be affected.
    Conflict | Values returned for mappings are different. Workflows that use them will be affected and may fail to complete.
    Case Conflict | Values returned for group attributes are case-sensitive and do not match. Workflows that use them will be affected and may fail to complete.
    Mismatch | Values returned for mappings are different. Internal Jamf Pro workflows that use them will not be affected. Likely causes include case differences or mismatches around duplicates within the multi-value extension attributes. Note: Jamf Pro itself will not be affected after a migration, but a mismatch may impact systems that depend on Jamf Pro's data for their workflows. This differs from a Case Conflict, where a change of case can impact internal Jamf Pro workflows.
    Empty | Entra ID mappings do not return values. Review the settings for your environment to ensure the directory-related workflows will not be affected.

    If the key data does not match as expected, edit Entra ID attributes until the values work in your environment.
    Note:

    The values must be the same for the source and target configurations, except for the ID, which is unlikely to match.

    Jamf recommends testing different Entra ID mappings to reduce the number of conflicts and mismatches.

    Jamf recommends testing at least three users and three groups. You can generate an optional report with the migration summary, including the location data. This allows you to review the settings and verify how values for users and groups in the new configuration are mapped. Access the report in the History details of your Entra ID instance or in Jamf Pro Notifications.

  11. Click Next.
  12. Enter the name of a group in your source directory in the "Group Name from Source LDAP" field.
  13. Enter the name of a group from Entra ID in the "Group Name from Azure AD" field.
  14. Click Test.
  15. Verify the information in the Status column for data match.
    If the key data does not match as expected, edit the Entra ID attributes until the values are sufficient for your environment.
    Note:

    Having transitive groups for SSO enabled under the Entra ID integration can impact access for users. If you used Entra ID SSO before migrating and have Transitive Groups for SSO enabled, verify that group-based privileges granted before the migration are still correct.

  16. Click Next to test extension attribute mappings.
    Note:

    If you do not want to test extension attributes, click Skip and proceed to step 21.

  17. Enter a username of a user in your source directory in the "Username from source LDAP" field.
  18. Enter a username of a user in Entra ID in the "Username from Azure AD" field.
  19. Click Test.
    Note:

    The user data is based on the most recent check-in of a single device belonging to the user. Jamf Pro stores user extension attributes within a device entry, and the migration assistant displays the data from the user's device that has checked in most recently, ensuring that the latest user data is compared.

  20. Click Next.
    Note:

    The mappings used for users and groups will be saved to the Entra ID integration history. If you navigate away from the migration assistant, these mappings will need to be retrieved from the Entra ID integration history and applied manually for future use.

  21. (Optional) Click Generate to create a report that summarizes data mapped after the migration assistant is complete.

    A dialog window appears while the report is generating.

    Best Practice:
    While reviewing the report, consider the following:
    • The front sheet of the report (CSV file) provides information to help you interpret the data.

    • The report only lists problematic entries. Empty tabs and fewer rows in the available sheets mean a higher probability that the migration will be successful.

    • Columns come in pairs and represent LDAP-based data in Jamf Pro and data found in Entra ID.

    • Objects are color-coded according to severity, with red items indicating a mismatch that affects Jamf Pro and yellow items indicating a mismatch that does not affect Jamf Pro. Objects in white indicate a match, but there are data mismatches elsewhere in the row.

  22. Click Save and migrate.
  23. Click Migrate.
    After the migration process completes, your source LDAP server configuration is marked as Migrated.
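To make the status definitions in step 10 concrete, here is an added example (not Jamf Pro's own code) that classifies sample LDAP-versus-Entra ID mapping results with the same six statuses and, like the migration report, lists only the problematic rows. The decision rules, the attribute kinds ("user", "group", "extension") and the sample rows are assumptions drawn from the descriptions in the table, not Jamf's implementation.

```python
"""Classify LDAP-vs-Entra ID mapping comparisons with the statuses the Jamf Pro
migration assistant reports. Added example, not Jamf's code: the rules below
are an interpretation of the status descriptions in the documentation."""
from typing import List, Sequence, Tuple, Union

Value = Union[str, Sequence[str], None]   # single value, multi-value, or nothing

def _values(value: Value) -> List[str]:
    """Normalise a mapping result to a list of non-empty strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value] if value else []
    return [v for v in value if v]

def classify(kind: str, source: Value, target: Value) -> str:
    """Status for one mapping; kind is "user", "group" or "extension"."""
    src, tgt = _values(source), _values(target)   # LDAP side, Entra ID side
    if not tgt:
        return "Empty"      # Entra ID mapping returned no value
    if not src:
        return "New"        # value never used in the source configuration
    if sorted(src) == sorted(tgt):
        return "Match"      # same values; order is assumed not to matter
    # Equal once case is folded and duplicates dropped: the page names these as
    # Mismatch causes, but group attributes are case-sensitive (Case Conflict).
    if {v.casefold() for v in src} == {v.casefold() for v in tgt}:
        return "Case Conflict" if kind == "group" else "Mismatch"
    return "Conflict"       # genuinely different values; workflows may fail

def report(rows) -> List[Tuple[str, str, str]]:
    """Like the migration report, list only the problematic (non-Match) rows."""
    out = []
    for obj, attr, kind, source, target in rows:
        status = classify(kind, source, target)
        if status != "Match":
            out.append((obj, attr, status))
    return out

# Constructed sample data standing in for the assistant's test results:
# (object, attribute, kind, value from source LDAP, value from Entra ID).
SAMPLE_ROWS = [
    ("jdoe", "Email", "user", "jdoe@example.com", "jdoe@example.com"),
    ("jdoe", "Real Name", "user", "Jane Doe", "jane doe"),
    ("jdoe", "Department", "user", None, "Engineering"),
    ("jdoe", "Position", "user", "Engineer", None),
    ("jdoe", "Building", "user", "HQ", "Campus 2"),
    ("staff", "Group Name", "group", "Staff", "staff"),
    ("jdoe", "Roles (EA)", "extension", ["dev", "ops", "dev"], ["Ops", "Dev"]),
]
```

Running `report(SAMPLE_ROWS)` flags everything except the Email row; the group-name case difference surfaces as the Case Conflict that would break group-based workflows after migration.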