Cloud identity providers - Synchronization User with Microsoft Entra ID

KacperDream
New Contributor

Hi,

I have set up Cloud identity providers and I am wondering if there is a mechanism that will allow me to do a sync of users from Microsoft Entra ID to Jamf Pro automatically.

I mean users from the "users" tab not from the system tab "User accounts and groups".

How is the issue of sychronization of accounts solved ?

8 REPLIES 8

DBrowning
Valued Contributor II

Sounds like you are looking to do this.  Under the Inventory Collection settings, make sure to check Collect.  

DBrowning_0-1715181757811.png

 

Not working. I still do not see any users with Entra ID.

DBrowning
Valued Contributor II

The username that is shown must match what is in entra.  so if the username is bob but the entra username is bob.smith it won't show.  And I just thought maybe you are looking to import all the users?  If so that doesn't happen.  The users tab just shows the users of enrolled devices.  

Ok so there is no way for me to have the users appear in "Users" first by syncing the Entra ID ?

I wanted to secure the entrolment in this way by manually assigning users to devices.

So I would have to do it in such a way that I add the entra id groups in the enrolment restriction to know that we can only assign selected users to computers BUT only when these authorized and selected users execute the enrolment.

Am I thinking correctly?

DBrowning
Valued Contributor II

I believe I'm following your description correctly and yes.  If you are only wanting a small set of users to be able to enroll, then yes you'd have to use the UIE restrictions.  

A_Collins
Contributor

If you are referring users section in jamf, that is auto populated once computer/device is assign to a user. As far as I know there is no connection or sync from idp. That comes from jamf database 

mainelysteve
Valued Contributor II

As others have pointed out you can't sync users from an IdP or AD into JAMF Pro. The users shown in that section are users who end up there because they enrolled a Mac or iPad. 

You're pretty much restricted to IdP or AD group membership to allow enrollment which I think will work just fine in your case. I guess if you wanted to really lock things down you'd create individual pre-stages and assign individual enrollment customizations to achieve a 1:1 computer+user relationship before the computer is even setup.

kai_wang1
New Contributor III

https://community.jamf.com/t5/jamf-pro/challenges-with-user-attribute-mappings-in-jamf-pro-and-micro...

Check this. I'm testing similar scenario: Entra ID + SSO. We can enroll Mac as ABM and prefilled username as SSO ID. After enrollment, user's info added to Jamf Inventory -> User and location automatically.