I've been advised by Jamf support not to implement this.

"We would advise against using the KB. Right now due to limitations in Azure, we can not exclude it from the CA policy - so those errors are expected. We can mitigate the volume of errors by changing the network check to something longer such as 30 minutes to an hour, and set "checkOnNetworkChange" to false."

Any updates to this? Still looking for a solution.

also looking for a solution.  does JAMF Connect even support Azure MFA/conditional access?

Hopefully these new instructions with a custom scope will help.

Updated information - through further research, determined that "openid" scope was what gets triggered by an "All cloud apps" CA definition.  Workaround posted.

I have followed these steps exactly and ensured everything has been set properly.  I am able to successfully be prompted for MFA via the login window and my sign-in logs show the login with the OICD application to be successful, however the login shows the error message "An error occurred. Contact your it administrator".  Not sure what I'm missing.

I've got an update I JUST posted to GitHub (the official jamf blog will be updated soon too) which simplifies the process, requires only two App registrations, and can be fully tested inside of Jamf Connect Configuration. Hit https://github.com/sean-rabbitt/jamf-connect-azure-conditional-access/blob/main/Azure_Conditional_Access_and_Jamf_Connect.pdf with the updated deets.

Thank you so much for the updated document! Glad I caught you just in time :).

After making the changes, the OICD test worked in the configuration application, however ROPG did not.  It appears to require the client secret.  After entering my client secret in both the IdP and Connect tabs, it proceeds to error out for OICD and ROPG.  I can gather additional troubleshooting info if necessary.  Would like to clarify if I'm missing anything about the client secret first.

Client secret should not be required.  If you defined a client secret in the public app (the one without any API permissions at all), you can either remove it or add that client secret to the OIDC and ROPG configuration in Jamf Connect Configuration to test it.  I was not testing with a client secret.

Sample configuration profile with this setup:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowNetworkSelection</key>
<true/>
<key>CreateJamfConnectPassword</key>
<true/>
<key>OIDCAdmin</key>
<array>
<string>Admin</string>
</array>
<key>OIDCAdminAttribute</key>
<string>roles</string>
<key>OIDCClientID</key>
<string>[YOUR PUBLIC APPLICATION UUID STRING HERE]</string>
<key>OIDCDiscoveryURL</key>
<string>https://login.microsoftonline.com/[YOUR TENANT UUID STRING HERE]/v2.0/.well-known/openid-configuration</string>
<key>OIDCNewPassword</key>
<false/>
<key>OIDCProvider</key>
<string>Azure</string>
<key>OIDCROPGID</key>
<string>[YOUR PUBLIC APPLICATION UUID STRING HERE]</string>
<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>
<key>OIDCScopes</key>
<string>api://[YOUR RANDOMLY GENERATED API IDENTIFIER HERE]/jamfconnect+openid+profile+email</string>
<key>OIDCTenant</key>
<string>[YOUR TENANT UUID STRING HERE]</string>
<key>OIDCUsePassthroughAuth</key>
<true/>
<key>ROPGDiscoveryURL</key>
<string>https://login.microsoftonline.com/[YOUR TENANT UUID STRING HERE]/.well-known/openid-configuration</string>
<key>ROPGTenant</key>
<string>[YOUR TENANT UUID STRING HERE]</string>
</dict>
</plist>

The link appears to be broken!

Links updated. I changed the name of the pdf. 

Hi there !

I've worked on many Connect implementations with Azure, and used your article as a reference many times.

Now, I was wondering, why would the ROPG part of JAMF Connect simply not ask for MFA when getting the AADSTS50076 answer ? People would not really be surprised to get a prompt to confirm MFA when changing location.

This would simplify a lot the discussions with organisations whhich really want to apply MFA to any app, and are annoyed by creating a second app which is MFA-exempt.

The ROPG check that happens every 60 minutes is supposed to be a "non-interactive" login.  End users may become... unhappy if they're prompted to MFA every 60 minutes.

The real trick here is that the request for MFA response AADSTS50076 will ONLY come up if the non-interactive send of the user name and password is correct.  At that point, Jamf Connect's menu bar agent knows the password is correct and we don't really need the identity/access token.  We just want to know the password is still correct.

Agreed, however that some companies will lock the account of a number of failed attempts, and they are not happy with failed logins in Azure logs. It could be an idea to give a configuration key to allow re-entering MFA for those cases.

This is the purpose of the instructions above - allow there to be a app registration that is not subject to MFA requirements to prevent the "failed" login.  

To me, an MFA request every 60 minutes risks a larger danger of training a user to accept every MFA request blindly rather than improve security.

Oh yes, and this is what I did. Some organisations are a bit stubborn and refusing any app that does not have MFA...

When I attempt to test the ROPG login with the Jamf Connect Configuration application, it displays the error AADSTS900144: The request body must contain the following parameter: 'resource'.  Fortunately, the OIDC test is working great with MFA.  I have yet to test in an actual install.

I'm not sure if I'm missing a step during this setup or if I have something misconfigured.  I'd appreciate any help with this.  Thanks!

Try removing the 

ROPGDiscoveryURL

key from your setup.  I have a feeling you're running a version before 2.12 where ROPG was redesigned to detect if it was on the V1 or the V2 endpoint.

ROPGDiscoveryURL

Removing the ROPGDiscoveryURL still provides the same error message.  I am running Jamf Connect Configuration version 2.12.

I would like to add it seems the ROPG test is attempting to send the request to https://login.microsoftonline.com/[tenantid]/oauth2/token

Because it contains personal information, you'll want to contact success@jamf.com with a copy of the com.jamf.connect.login and com.jamf.connect config profiles so we can see what is wrong with the config.

In regards to the following:

(H3) Step Four: Remove any Conditional Access policies applied to All cloud apps Navigate to
portal.azure.com → Azure Conditional Access. Examine any application applied to the scope of “All
cloud apps”. Either set “Enable policy” to “Off” for any application that has a Grant of “Require
multi-factor authentication” or modify the “Cloud apps or actions” to specifically list resources
that should have MFA applied.Applying a policy to require MFA for “All cloud apps” will cause the ROPG application in the next
step to inaccurately show failed logins in the Azure sign-in
logs.

Rather than modify "All cloud apps" to include all apps except Jamf, can Jamf just be added as an exclusion to existing CA's that require MFA? Would it just be "Jamf Connect - Conditional Access Policy API" that needs to be excluded?

Wondering this as well.