Solved

Best Practices For Managing Jamf Pro Azure AD Connector

  • December 29, 2025
  • 3 replies
  • 93 views


In our Azure logs, it shows the Jamf Pro Azure AD Connector authenticating with one of our administrator’s accounts multiple times per hour. I’ve tried looking into the documentation here: Azure AD Integration - Jamf Pro Documentation 10.43.0 | Jamf but I am wondering if this could work with a service account just to keep our user sign-in logs clean. Or if there are other best practices, I’m open to suggestions.

 

Thanks!


h1431532403240

Hi,

I understand your concern — you want to keep your Azure Sign-in logs clean and prevent your administrator account from being cluttered with Jamf Pro Connector activity.

Solution

Yes, you can use a dedicated account for the integration:

  1. Create a dedicated Global Admin account (e.g., jamf-connector-admin@yourdomain.com)
  2. Use that account to re-authorize the Jamf Pro Azure AD Connector admin consent
  3. All related sign-in activity will then be logged under this dedicated account instead of your primary admin account

Steps:

  1. Remove the existing Azure AD configuration in Jamf Pro > Settings > Cloud Identity Providers
  2. Re-configure the integration using the dedicated account and grant consent
  3. After setup, you can downgrade or limit the permissions on that dedicated account

 Reference: Azure AD Integration - Jamf Pro Documentation


  • Author
  • New Contributor
  • January 6, 2026


Hi! Thank you for the response, this really answers most of my questions! The only follow up question I have is about downgrading or limiting permissions on the Global Admin account after connecting. What could we downgrade? Or better yet, what would we have to keep in order to maintain the connection? Thanks again!


h1431532403240
  • Contributor
  • Answer
  • January 7, 2026


Yes, you can safely disable or delete that Global Admin account after setup — the integration will keep working fine.

The reason is that the Global Admin is only needed to click "approve" during the initial consent. After that, Jamf Pro talks to Azure using Client Credentials Flow, which means it authenticates with the Enterprise App's own credentials (client ID + secret), not any user account. The Jamf docs mention this:

"Jamf Pro requests an access token from Azure using the Client Credentials Flow."

So once consent is granted, that admin account is basically out of the picture.

As for whether deleting the user will also delete the Enterprise App — nope, they're completely separate objects. The account is just "the person who clicked approve." It doesn't have any ongoing tie to the app itself.

Just make sure you don't delete the Jamf Pro Azure AD Connector under Enterprise Applications in Entra ID — that's what actually keeps things running.

Refs:
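
A way to check which identity the connector actually signs in as, before and after re-consenting. This is an added example, not part of the thread or of Jamf's documentation. It assumes the sign-in logs were exported as records carrying `createdDateTime`, `appDisplayName` and `userPrincipalName`; the sample data, the `example.com` accounts and the rule that an empty `userPrincipalName` marks an app-only sign-in are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

APP = "Jamf Pro Azure AD Connector"

def _rec(ts, app, upn):
    return {"createdDateTime": ts, "appDisplayName": app, "userPrincipalName": upn}

# Constructed sample export (not real log data). An empty userPrincipalName
# stands for an app-only (service principal) sign-in; that is an assumption.
SAMPLE_SIGNINS = [
    _rec("2025-12-29T09:02:11Z", APP, "admin@example.com"),
    _rec("2025-12-29T09:21:40Z", APP, "admin@example.com"),
    _rec("2025-12-29T09:47:05Z", APP, "admin@example.com"),
    _rec("2025-12-29T09:10:00Z", "Microsoft Teams", "admin@example.com"),
    _rec("2025-12-29T10:05:32Z", APP, "admin@example.com"),
    _rec("2025-12-29T11:03:17Z", APP, "jamf-connector-admin@example.com"),
    _rec("2025-12-29T11:15:49Z", APP, ""),
]

def hourly_signins(records, app_name):
    """Count one app's sign-ins per (principal, hour bucket)."""
    buckets = Counter()
    for rec in records:
        if rec.get("appDisplayName") != app_name:
            continue  # other applications are out of scope for this check
        ts = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        principal = rec.get("userPrincipalName") or "<app-only>"
        buckets[(principal, ts.strftime("%Y-%m-%d %H:00"))] += 1
    return buckets

def users_behind_app(records, app_name, per_hour_threshold=2):
    """Return {upn: peak sign-ins in any one hour} for user accounts the app
    authenticates as at least `per_hour_threshold` times within some hour."""
    peaks = defaultdict(int)
    for (principal, _hour), count in hourly_signins(records, app_name).items():
        if principal != "<app-only>":
            peaks[principal] = max(peaks[principal], count)
    return {upn: n for upn, n in peaks.items() if n >= per_hour_threshold}

if __name__ == "__main__":
    for upn, peak in users_behind_app(SAMPLE_SIGNINS, APP).items():
        print(f"{upn}: up to {peak} sign-ins per hour through {APP}")
```

Any privileged account this reports is one whose sign-in history is being filled by the connector; an empty result after the change means the activity no longer lands on a user account.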