Anyone Used LDAP to Azure AD Migration Tool Yet? (Jamf Pro 10.37+)

kvmart
New Contributor II

Hi guys! My organization is looking to migrate our authentication method from our current Microsoft Active Directory LDAP method to Azure AD Cloud. Has anyone had any experience with the migration tool yet? 

Were there any issues you experienced afterwards? How is authentication to features such as macOS Self Service or Self-Enrollment with/without SSO configured? Looking at the chart, it seems that nothing will work on Azure AD with MFA enabled if SSO isn't configured.

While reviewing the documentation I noticed that the link below states that prior to performing the migration, we will need to create and enable Azure AD Integration in JAMF Pro:

https://docs.jamf.com/10.37.0/jamf-pro/documentation/Azure_AD_Cloud_Identity_Migration.html

Yet the documentation listed for Azure AD says specifically NOT to configure Azure AD as a Cloud Identity Provider in JAMF Pro, and that "Adding the Azure AD integration prior to migration may break your environment."

https://docs.jamf.com/10.37.0/jamf-pro/documentation/Azure_AD_Integration.html

Thanks in advance for any info you guys can provide!


NOVELLUS
Contributor III

@kvmart good morning kvmart. We have been connected to Azure® for about a year. But that has no impact on our "jamf PRO® world". MS Azure® is not allowed to write to our Active Directory®. Our domain controller is the leader and Azure® can only read. Our jamf PRO® Server is an Active Directory® member of our own domain. The user authentication is done with LDAP. Building the connection between our Domain (Controller) and Azure® was not my job, but if you have some questions, I will try to ask my colleague if he can help.

mlope653
New Contributor II

We will be attempting this on Monday or Tuesday. I can report back to you on any issues and how it went. 

kvmart
New Contributor II

Sounds good! We're probably looking into performing our move in the next two weeks. Definitely would appreciate any info you can provide. Good luck!

mlope653
New Contributor II

Just to give you an update, we haven't done the migration just yet. We have a week left of classes to get done with and don't want to pull the trigger. I am mostly concerned with the Login Window Payload and how that will be affected. 

kvmart
New Contributor II

Hi all, as an update, we completed the Jamf migration steps and so far so good following the basic outline of the steps below:

1. Add Azure AD as a cloud identity provider with someone that has access to allow new applications within Azure AD.

2. Once Azure AD has successfully been added, it was noted that the username and SID attributes were listed as a conflict. The attribute differences didn't seem to be much of a concern, but I was asked by my management to attempt to contact Jamf support. After multiple attempts with no real answers from different Support areas (creating a support case online, calling in, contacting success@jamf.com etc.) we moved forward anyway.

3. Go back to the Cloud Identity Providers list, select Azure AD and click on the "Migrate" option.

4. Follow the steps and test multiple users/groups for expected attribute results. NOTE: The conflicts may still be listed, but as long as the fields all make sense (username is now username@domain.com) continue forward.

5. Due to Microsoft Multi-factor Authentication being enabled in our environment, we needed to configure SSO in order to actually use Azure sign-in. We followed the steps on Microsoft's documentation with a Global Admin: Tutorial: Azure Active Directory single sign-on (SSO) integration with Jamf Pro | Microsoft Docs

6. Configured SSO within Azure AD first for use with Jamf, then went to Single Sign-On in the Jamf portal and enabled SSO (with the failover URL in mind: https://extron.jamfcloud.com/?failover) and configured settings with the information provided.

7. Unchecked the "Allow users to bypass the Single Sign-On authentication" checkbox in our domain.jamfcloud portal; it did not automatically redirect until that setting was turned off.

8. NOTE: To allow any authentication within JAMF (Azure sign-in for SSO, mobile device authentication and access to the JAMF Pro Admin Portal), users must be granted access to the JAMF Pro application via Azure's apps (can be tied to an AD group).

Hopefully my findings help make someone else's migration go just a bit smoother!

EDIT: Added more details to #8, users must be added to the JAMF Pro Azure App for any form of authentication including SSO, initial login, self service, etc.
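Step 4 above turns each username into username@domain.com, and step 8 means any account not assigned to the Jamf Pro enterprise app cannot sign in at all after cutover. As an added example (not from this thread, Jamf or Microsoft), here is a small Python pre-migration check that maps an exported list of Jamf LDAP usernames to their expected post-migration form and reconciles them against the UPNs assigned to the Jamf Pro app, flagging accounts that would be locked out and usernames that would collide. The account list, the assignment set and the tenant domain are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample: Jamf Pro accounts as stored under the LDAP integration
# (sAMAccountName-style names) before the migration. "mlee" appears twice,
# once as a bare name and once already as a UPN, to show a collision.
JAMF_LDAP_ACCOUNTS = ["jsmith", "ADoe", "svc-backup", "mlee", "mlee@example.com"]

# Constructed sample: UPNs assigned to the Jamf Pro enterprise application in
# Azure AD (directly or via group). Exported from the portal in real use.
JAMF_APP_ASSIGNED_UPNS = {"jsmith@example.com", "adoe@example.com", "mlee@example.com"}

TENANT_DOMAIN = "example.com"  # assumed verified domain of the tenant


def migrated_username(ldap_username: str, domain: str) -> str:
    """Predict the post-migration Jamf username (username@domain.com).

    A name already stored as a UPN keeps it instead of getting a second
    suffix; everything is lower-cased so matching is case-insensitive.
    """
    name = ldap_username.strip().lower()
    return name if "@" in name else f"{name}@{domain.lower()}"


@dataclass(frozen=True)
class Reconciliation:
    ready: tuple       # migrated names that are assigned to the Jamf Pro app
    locked_out: tuple  # migrated names with no app assignment (step 8)
    collisions: tuple  # migrated names produced by more than one LDAP account


def reconcile(ldap_accounts, assigned_upns, domain) -> Reconciliation:
    """Map every LDAP account to its migrated name and check app assignment."""
    assigned = {u.lower() for u in assigned_upns}
    sources: dict[str, list[str]] = {}
    for account in ldap_accounts:
        sources.setdefault(migrated_username(account, domain), []).append(account)
    ready = tuple(sorted(u for u in sources if u in assigned))
    locked_out = tuple(sorted(u for u in sources if u not in assigned))
    collisions = tuple(sorted(u for u, srcs in sources.items() if len(srcs) > 1))
    return Reconciliation(ready, locked_out, collisions)


if __name__ == "__main__":
    result = reconcile(JAMF_LDAP_ACCOUNTS, JAMF_APP_ASSIGNED_UPNS, TENANT_DOMAIN)
    print("ready:", result.ready)
    print("add to the Jamf Pro app before cutover:", result.locked_out)
    print("username collisions to resolve first:", result.collisions)
```

Run it against your real exports before unchecking the SSO bypass option, since once that is off any account in the locked-out list has no way into the console, Self Service or enrollment.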