03-08-2021 02:01 PM - edited 03-15-2022 07:55 AM
Updated 14JAN2022 - The github link below has been updated to simplify the setup of the application registrations in Azure and allows for full testing in Jamf Connect Configuration before deploying to a test machine.
https://www.jamf.com/blog/how-to-azure-conditional-access-and-jamf-connect/ - Updated instructions posted to Jamf Blog.
UPDATED: 10 December 2021 - Includes information on how to create a custom scope for Microsoft Azure Conditional Access policies.
openid profile email
The Open ID Connect 2.0 specification uses these default scopes to obtain an access or identity token for a client application. Consequently, in its default configuration, Jamf Connect login uses the "openid profile email" scope in its authentication requests, and the only way to apply a CA policy in this default behavior is to apply the policy to "All cloud apps" with NO exceptions applied or the CA policy will break.
AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access [application UUID]
AADSTS50126: Error validating credentials due to invalid username or password.
Navigate to Azure Active Directory → Enterprise Applications and select the name of your Jamf Connect application in Azure. Navigate to Activity → Sign-ins to open user usage logs.
Shown above are two logins which appear to be failures. Under the “Authentication required” column, the first login says “Multi-factor authentication”. Clicking on the row will pull up additional details about the login attempt.
Under Authentication Details, the “Result detail” will let an administrator determine if the login was successful or a failure. In this example, the login was a success - the Result detail shows that the “User did not pass the MFA challenge (non interactive).” This login can be interpreted in that the user was required to use MFA by either a Conditional Access policy or through Azure Multi-factor authentication.
In the second example, a user with MFA required failed to enter their correct password:
The Authentication required column shows “Single-factor authentication” and the Authentication Details show “Invalid username or password or Invalid on-premise username or password.” While the user is required to use Multi-factor authentication, the user failed the first, single factor and thus was never prompted for MFA.
To eliminate the inaccurate "failed responses" for ROPG, admins must remove any "All cloud apps" scoped requirements for multi-factor authentication and create a custom scope for Jamf Connect login.
Follow the guide in Azure_Conditional_Access_and_Jamf_Connect.pdf (source: GitHub) for step by step instructions.
Several Conditional Access Grant policies can create unacceptable behavior to access a client device:
In the above cases, a user would be unable to log into a client machine to fix the issue of being out of compliance by running a Jamf Pro policy to get the device back into compliance.
In the above cases, the Jamf Connect software is not of the Microsoft apps accessing a specific service (for example, Microsoft Outlook accessing O365 mail), and all access would be blocked.
Administrators are recommended to carefully read conditional access polices and conditions applied to avoid locking users out of client devices inadvertently.
Posted on 05-27-2021 08:06 AM
I've been advised by Jamf support not to implement this.
"We would advise against using the KB. Right now due to limitations in Azure, we can not exclude it from the CA policy - so those errors are expected. We can mitigate the volume of errors by changing the network check to something longer such as 30 minutes to an hour, and set "checkOnNetworkChange" to false."
Posted on 12-10-2021 01:39 PM
Hopefully these new instructions with a custom scope will help.
Posted on 10-18-2021 07:21 AM
Any updates to this? Still looking for a solution.
Posted on 10-25-2021 07:14 PM
also looking for a solution. does JAMF Connect even support Azure MFA/conditional access?
Posted on 10-26-2021 08:26 AM
Posted on 12-10-2021 01:39 PM
Updated information - through further research, determined that "openid" scope was what gets triggered by an "All cloud apps" CA definition. Workaround posted.
Posted on 01-14-2022 11:00 AM
I have followed these steps exactly and ensured everything has been set properly. I am able to successfully be prompted for MFA via the login window and my sign-in logs show the login with the OICD application to be successful, however the login shows the error message "An error occurred. Contact your it administrator". Not sure what I'm missing.
01-14-2022 11:06 AM - edited 03-15-2022 07:56 AM
I've got an update I JUST posted to GitHub (the official jamf blog will be updated soon too) which simplifies the process, requires only two App registrations, and can be fully tested inside of Jamf Connect Configuration. Hit https://github.com/sean-rabbitt/jamf-connect-azure-conditional-access/blob/main/Azure_Conditional_Ac...with the updated deets.
Posted on 01-14-2022 02:33 PM
Thank you so much for the updated document! Glad I caught you just in time :).
After making the changes, the OICD test worked in the configuration application, however ROPG did not. It appears to require the client secret. After entering my client secret in both the IdP and Connect tabs, it proceeds to error out for OICD and ROPG. I can gather additional troubleshooting info if necessary. Would like to clarify if I'm missing anything about the client secret first.
Posted on 01-14-2022 02:36 PM
Client secret should not be required. If you defined a client secret in the public app (the one without any API permissions at all), you can either remove it or add that client secret to the OIDC and ROPG configuration in Jamf Connect Configuration to test it. I was not testing with a client secret.
Posted on 03-15-2022 07:29 AM
The link appears to be broken!
Posted on 03-15-2022 07:57 AM
Links updated. I changed the name of the pdf.
Posted on 01-14-2022 02:48 PM
Sample configuration profile with this setup:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AllowNetworkSelection</key>
<true/>
<key>CreateJamfConnectPassword</key>
<true/>
<key>OIDCAdmin</key>
<array>
<string>Admin</string>
</array>
<key>OIDCAdminAttribute</key>
<string>roles</string>
<key>OIDCClientID</key>
<string>[YOUR PUBLIC APPLICATION UUID STRING HERE]</string>
<key>OIDCDiscoveryURL</key>
<string>https://login.microsoftonline.com/[YOUR TENANT UUID STRING HERE]/v2.0/.well-known/openid-configuration</string>
<key>OIDCNewPassword</key>
<false/>
<key>OIDCProvider</key>
<string>Azure</string>
<key>OIDCROPGID</key>
<string>[YOUR PUBLIC APPLICATION UUID STRING HERE]</string>
<key>OIDCRedirectURI</key>
<string>https://127.0.0.1/jamfconnect</string>
<key>OIDCScopes</key>
<string>api://[YOUR RANDOMLY GENERATED API IDENTIFIER HERE]/jamfconnect+openid+profile+email</string>
<key>OIDCTenant</key>
<string>[YOUR TENANT UUID STRING HERE]</string>
<key>OIDCUsePassthroughAuth</key>
<true/>
<key>ROPGDiscoveryURL</key>
<string>https://login.microsoftonline.com/[YOUR TENANT UUID STRING HERE]/.well-known/openid-configuration</string>
<key>ROPGTenant</key>
<string>[YOUR TENANT UUID STRING HERE]</string>
</dict>
</plist>
Posted on 04-13-2022 02:11 AM
Hi there !
I've worked on many Connect implementations with Azure, and used your article as a reference many times.
Now, I was wondering, why would the ROPG part of JAMF Connect simply not ask for MFA when getting the AADSTS50076 answer ? People would not really be surprised to get a prompt to confirm MFA when changing location.
This would simplify a lot the discussions with organisations whhich really want to apply MFA to any app, and are annoyed by creating a second app which is MFA-exempt.
Posted on 04-13-2022 07:29 AM
The ROPG check that happens every 60 minutes is supposed to be a "non-interactive" login. End users may become... unhappy if they're prompted to MFA every 60 minutes.
The real trick here is that the request for MFA response AADSTS50076 will ONLY come up if the non-interactive send of the user name and password is correct. At that point, Jamf Connect's menu bar agent knows the password is correct and we don't really need the identity/access token. We just want to know the password is still correct.
Posted on 04-13-2022 07:34 AM
Agreed, however that some companies will lock the account of a number of failed attempts, and they are not happy with failed logins in Azure logs. It could be an idea to give a configuration key to allow re-entering MFA for those cases.
Posted on 04-13-2022 07:40 AM
This is the purpose of the instructions above - allow there to be a app registration that is not subject to MFA requirements to prevent the "failed" login.
To me, an MFA request every 60 minutes risks a larger danger of training a user to accept every MFA request blindly rather than improve security.
04-13-2022 07:50 AM - edited 04-13-2022 07:51 AM
Oh yes, and this is what I did. Some organisations are a bit stubborn and refusing any app that does not have MFA...