Integrating Jamf Pro with Microsoft Entra ID as a cloud identity provider enables the following directory-based workflows:
Looking up all users and groups for inventory purposes
Performing user membership lookups and using them to map privileges to the relevant accounts in Jamf Pro
Configuring user authentication and scoping
When integrating Jamf Pro with Entra ID, consider the following:
You must have a Jamf Standard Cloud-hosted or Jamf Premium Cloud-hosted environment.
You need Global Administrator Entra ID privileges to manage consent requested by the Jamf Pro Entra ID Connector enterprise app.
User groups added in Jamf Pro must have the same name as the groups configured in Entra ID. Accounts and groups added in Jamf Pro must be the standard type.
When working with directory-related workflows (e.g., adding scope limitations and exclusions), Entra ID cloud identity items are listed under the Directory Service headings.
Jamf Pro may experience performance issues if too many cloud IdP groups are included in the scope of an object. If you need to use multiple criteria within a scope, consider creating a smart group with those criteria, and then scope to that smart group instead.
The Entra ID cloud IdP integration uses the Microsoft Graph API and connects to the Microsoft Graph domain. Together with the consent granted by the administrator via the Cloud Connector, this ensures that directory data is automatically passed to and used in the directory workflows in Jamf Pro. No actions other than reading data are performed in Entra ID.
When setting up the Graph API connection between Jamf Pro and Entra ID, Global Administrator user privileges are required to authenticate. After successful authentication, an application for Jamf Pro is automatically added in Entra ID to use the Graph API. This means that the application in Entra ID does not need to be manually created. After the application is added, the session is terminated. When Jamf Pro is performing lookups in Entra ID, it is in a read-only state. Jamf Pro cannot write data back to Entra ID.
The following diagram shows the typical Jamf Pro and Entra ID IdP integration workflow:
After receiving the consent, the Cloud Connector Web application authorizes the given client identifier and the received tenant identifier against the Entra ID authorization endpoint. As a result, Entra ID responds with an authorization code. This code is passed, together with the tenant identifier, back to Jamf Pro. After Jamf Pro receives this data set from the Cloud Connector Web application, it verifies the received authorization code. If there are no issues in the data set, the configuration is saved. This approach ensures that Jamf Pro restricts use of your Entra ID tenant data to the allowed client/application only.
The TLS version used for securing data in transit is 1.2 or higher with Perfect Forward Secrecy (PFS). Jamf Pro will always attempt to negotiate the highest protocol first.
To create the connection, the following set of permissions is required for the Jamf Pro application:
Sign in and read user profile
Read directory data
In Entra ID, the application is granted the following Microsoft Graph permissions:
GroupMember.Read.All (Application)
User.Read (Delegated)
User.Read.All (Application)
When the connection to Entra ID is enabled, Jamf Pro can query the directory information from Entra ID. The following diagram shows the typical flow for directory data lookups:
When the administrator initiates the directory lookup, Jamf Pro requests an access token from Entra ID using the Client Credentials Flow. After the token is granted, Jamf Pro queries the directory data via the Microsoft Graph API. After successful client verification, a data set is returned. Jamf Pro maps this data to an object that can then be used in directory workflows in Jamf Pro. For information about the Microsoft Graph REST API, see the Microsoft Graph REST API v1.0 endpoint reference.
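The two steps of that lookup flow, written out as an added Python example (not Jamf's code): the app-only token request of the Client Credentials Flow, and a read-only Graph query that resolves a group name to its user members while following paging. The function names and the FAKE_GRAPH transport are assumptions standing in for real HTTPS calls that would carry the bearer token in an Authorization header.

```python
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"

def client_credentials_request(tenant_id, client_id, client_secret):
    """Token request of the Client Credentials Flow: no user signs in, and the
    .default scope asks only for the application permissions already consented
    (GroupMember.Read.All, User.Read.All), so the token is app-only and read-only."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "scope": "https://graph.microsoft.com/.default",
                      "grant_type": "client_credentials"})
    return TOKEN_URL.format(tenant=tenant_id), body

def fetch_all(get, url):
    """Follow @odata.nextLink paging; reading only the first page of a large
    group silently drops members, which would mis-scope a Jamf Pro object."""
    items = []
    while url:
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def group_members(get, group_name):
    """Resolve a Jamf Pro group name to the UPNs of its Entra ID user members.
    Single quotes are doubled (OData rule) so a name cannot change the filter."""
    name = group_name.replace("'", "''")
    groups = fetch_all(get, f"{GRAPH}/groups?$filter=displayName eq '{name}'")
    if len(groups) != 1:  # missing or ambiguous name: refuse rather than guess
        raise LookupError(f"{group_name!r} matched {len(groups)} groups")
    members = fetch_all(get, f"{GRAPH}/groups/{groups[0]['id']}/members")
    # Members can also be nested groups or devices; keep only user objects
    return sorted(m["userPrincipalName"] for m in members
                  if m.get("@odata.type") == "#microsoft.graph.user")

# Constructed Graph responses (not real tenant data) standing in for HTTPS GETs
USER = "#microsoft.graph.user"
FAKE_GRAPH = {
    f"{GRAPH}/groups?$filter=displayName eq 'Mac Admins'":
        {"value": [{"id": "g1", "displayName": "Mac Admins"}]},
    f"{GRAPH}/groups/g1/members":
        {"value": [{"@odata.type": USER, "userPrincipalName": "bo@example.com"},
                   {"@odata.type": "#microsoft.graph.group", "displayName": "Nested"}],
         "@odata.nextLink": f"{GRAPH}/groups/g1/members?$skiptoken=p2"},
    f"{GRAPH}/groups/g1/members?$skiptoken=p2":
        {"value": [{"@odata.type": USER, "userPrincipalName": "ana@example.com"}]},
}
```

Calling `group_members(lambda u: FAKE_GRAPH.get(u, {}), "Mac Admins")` walks both pages and returns only the two user UPNs; an unknown or ambiguous group name raises instead of producing an empty or partial scope.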