Help

Admin elevation with Azure AD Credentials

Go to solution
jerickson
New Contributor

Posted on ‎04-13-2023 05:11 PM

Been searching around in integration, company portal, and azure documentation but the specific item I am trying to figure out is when it prompts for Admin elevation, is it possible to configure to use an Admin group from Azure AD to use Azure AD Admin Credentials? That way we aren't using a local account or logging into an Admin account each time. Similarly as we would do with UAC on a Windows device. 

Similarly if you were AD bound with an on prem, you could designate an Admin group so could use your credentials. 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
AJPinto
Honored Contributor III

Posted on ‎04-14-2023 04:57 AM

This is not possible. JAMF Connect is authenticating accounts against IDP at login. MacOS is still using local accounts as it’s designed to use. For point of time privilege escalation your will need a tool for that like CyberArk EPM. You could put a policy in SS that only your privileged users can see, have them log in to SS and run the policy to make the user an admin for 10min or something.

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
piotrr
Contributor III

Posted on ‎04-14-2023 12:34 AM

Not as I understand it. Jamf Connect verifies a user login with Azure AD and creates a matching local account on the Mac, it does not make an Azure AD directory connection and cannot perform group lookups. 

There may be some other way for you to do this, but it would most likely create a local admin user each time. 

0 Kudos

Go to solution
AJPinto
Honored Contributor III

Posted on ‎04-14-2023 04:57 AM

This is not possible. JAMF Connect is authenticating accounts against IDP at login. MacOS is still using local accounts as it’s designed to use. For point of time privilege escalation your will need a tool for that like CyberArk EPM. You could put a policy in SS that only your privileged users can see, have them log in to SS and run the policy to make the user an admin for 10min or something.

0 Kudos

Go to solution
daniel_behan
Contributor III

Posted on ‎04-14-2023 06:20 AM

A great tool for this is Privileges that can be assigned by group membership, require authentication, reason for elevation and even can forward logs to a SIEM like Splunk.

 

A less complex tool is JAMF's MakeMeAnAdmin.  You can simply set a Self Service Policy that grants temporary admin rights.

0 Kudos