Admin elevation with Azure AD Credentials

jerickson
New Contributor

Been searching around in integration, company portal, and azure documentation but the specific item I am trying to figure out is when it prompts for Admin elevation, is it possible to configure to use an Admin group from Azure AD to use Azure AD Admin Credentials? That way we aren't using a local account or logging into an Admin account each time. Similarly as we would do with UAC on a Windows device. 

Similarly if you were AD bound with an on prem, you could designate an Admin group so could use your credentials. 

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

This is not possible. JAMF Connect is authenticating accounts against IDP at login. MacOS is still using local accounts as it’s designed to use. For point of time privilege escalation your will need a tool for that like CyberArk EPM. You could put a policy in SS that only your privileged users can see, have them log in to SS and run the policy to make the user an admin for 10min or something.

View solution in original post

3 REPLIES 3

piotrr
Contributor III

Not as I understand it. Jamf Connect verifies a user login with Azure AD and creates a matching local account on the Mac, it does not make an Azure AD directory connection and cannot perform group lookups. 

There may be some other way for you to do this, but it would most likely create a local admin user each time. 

AJPinto
Honored Contributor II

This is not possible. JAMF Connect is authenticating accounts against IDP at login. MacOS is still using local accounts as it’s designed to use. For point of time privilege escalation your will need a tool for that like CyberArk EPM. You could put a policy in SS that only your privileged users can see, have them log in to SS and run the policy to make the user an admin for 10min or something.

daniel_behan
Contributor III

A great tool for this is Privileges that can be assigned by group membership, require authentication, reason for elevation and even can forward logs to a SIEM like Splunk.

 

A less complex tool is JAMF's MakeMeAnAdmin.  You can simply set a Self Service Policy that grants temporary admin rights.