Jamf 10.33 / AzureAD - Can't use Azure AD groups for policies

It works for us but there was a Bug < 10.34 where you can only use < 15 Groups. The Pi was now fixed with 10.34

[PI-009318] Fixed an issue that incorrectly restricted the maximum number of Azure cloud IdP groups configured as limitations or exclusions in scope of an object (e.g., a configuration profile). 
PI-009318 - “Azure AD - Scoping can’t have more than 15 group limitations / exclusions”

Hi @colorenz 

Thank you for your answer.

We only use between 1 and 5 groups in scopes per object.

Do you have an LDAP server also configured in addition to an Azure cloud IdP?

Hey we have swichted from LDAP to Azure cloud IdP only.

ok, maybe the problem is there then.
We have both configured. We don't dare to remove the link with Active Directory because we don't know the exact consequences with the access to self service, Jamf Remote and Jamf admin.

We use the Azure login for the self service with MFA. We do not have Jamf remote and Jamf Admin in use.

OK. Thank you for your help.
We will continue the tests by trying to remove the link with our Active Directory.

On the other hand, if I understood correctly, for access to JSS with Azure AD groups, it will be necessary to create standard groups and users in JSS with the same name as the groups and users in Azure AD?

On the other hand, if I understood correctly, for access to JSS with Azure AD groups, it will be necessary to create standard groups and users in JSS with the same name as the groups and users in Azure AD?

-> Yes 🙂 

Thank you very much for your help.

We will test all of this.

Maybe update to 10.34 first. They PI affected a lot components... SSO Login / Scoping / The Computer Management Tab...

Thanks for the advice

We updated our dev instance. We will do this on our production.

indeed it appears to be exactly the same symptom.

Well, we just have to hope that Jamf fixes this problem in the next releases.

Thank you for taking the time to research, it's super nice

Hello, 

I have another question.

Is it mandatory to activate SSO to access JSS with an Azure AD account?
Because with SSO, I do it well (by creating the standard groups/users corresponding to the Azure AD groups/users).
But without SSO, this is no longer possible.

It's normal.

Thank you

Unfortunately, I can't tell you that. We do it that way so that we can also use MFA.

@glpi-ios , Check you single sign on --> User Mapping section --> Jamf Pro User Mapping 
select username instead of email.

Hi @Himanshu_panwar 
Thank you for your help.

In fact, we don't use SSO at the moment.
But indeed, with the SSO activated, it works better.

The goal is to make it work without SSO at first (we will activate it later).

A year and 10+ Cloud instance upgrades later and the problem hasn't gone away. Can't use Azure AD groups for limitations. And the hassle of re-creating all Azure AD groups in JAMF is not feasible. 

Yes mapping is setup correctly

Yes Testing a user/group shows up correctly

Yes we are only using Cloud Azure AD no on-Prem Connection.

Yes we are targeting all computer specific user (Limitation Azure AD Group) no exclusions and the software does not show up in Self-Service. 

Has anyone else had any luck? we only use JAMF for macOS not for Iphone/Ipad (Intune only for those) 

Hey.

Yes, this is still an issue. I contacted Jamf Support last month and they replied:

"I have checked the PI104479 and it is still opened. Issue was investigated in depth and it would likely require a significant change across the board in how scoping works and is designed. Our developers team is working on finding the best solution for the situation. Unfortunately, we do not have ETR for the issue yet."

We're now on Jamf Pro 10.44.1 and yet this issue is still there.

And yet we are now Jamf Pro 11.0, and the issue still has not been addressed..

This is working now after having Jamf Cloud Ops turn on a tool. Submit a support ticket to have "the Knob" turned on for your cloud instance. This tool allows for Azure AD group limitations to function for user lookup. It is off by default.

The scenario we tested for:

Users are given licenses for adobe product in Azure

The install application is configured in JAMF PRO for all users limited to the Azure AD group {xxxxxx}

Application installs, and Uninstall break fix only shows for the limiting group set in scope.

Requirements:

Self-service SSO must not be forced {Login Method: Allow users to login | Cannot be set to required}

Additionally, the user must be assigned to the computer in the inventory record as this is what Jamf Pro uses to determine the membership for the scoping.

​@HealthcareMac - i think we have a similar issue. Could you elaborate more on the "the Knob" turned on for your cloud instance? 

I had a ticket open for this last year and basically support said because the mapping from EntraID to Jamf Pro uses full UPN (i.e. full email address) jamf pro cannot target the logged in user because the local account does not support the @ symbol. Effectively they are saying that unless we modify the mapping to everything before the @domain.com so it matches the local user it will not work, that doesn’t sound correct to me because everyone else would surely have the same issue? 

Thanks in advance.