Can I use a script in a policy to pass idp group membership into a local group

New Contributor II

Basically the title.

Our Jamf Pro environment is set up with Jamf Connect via Okta, and our users use their AD short name to log in, so changing it to Azure AD would be too much of a change (unless we can change the login username).

As such, we can't as easily leverage Azure AD group membership on the local device.

Is it possible to use a policy + script to create a local group that contains the members of the Azure AD IdP group?




New Contributor II

Thanks for your very detailed response Bryant!

That makes perfect sense. I'll have a look into doing that + testing etc.



New Contributor III

Hi @njh359, what was the response? It looks like the post by Bryant2S has disappeared.

I'm in a similar situation and interested in any tips.

New Contributor II

Hey Deej,


So unfortunately it's not super simple.

I ended up connecting up the Azure IdP, and then had to put together a few scripts leveraging the Jamf API.

1. To create local groups named after their AAD group counterparts.

2. To run a Jamf API call to test the logged-on user's membership of specific groups in AAD.

3. If the user was a member, I then added them to the relevant group.

As the group membership (in our scenario) can change, I used Outset to run scripts 2/3 on login. So the entire AAD group wasn't actually passed into the local group, just the user.

But it works for us; we're using BeyondTrust PMC, so the Azure users/groups option wasn't an option for our Macs.
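The local-group side of the approach described in this answer, written as an added example (it is not the poster's script and does not call the Jamf API): given the list of IdP group names the logged-on user holds (assumed to come from whatever lookup you use; here the list is a constructed sample read from a file) and the list of IdP groups the policy manages, it creates the matching local groups with `dseditgroup` and adds the user to them. It goes one step further than the answer by also removing the user from managed groups they no longer hold, so a revoked IdP membership is revoked locally on the next login. The `idp-` prefix and the name sanitisation are assumptions: they keep the script from ever touching built-in groups such as `admin` or `staff`, and keep unexpected characters in an IdP display name out of the shell command line. When `dseditgroup` is absent or `DRY_RUN` is set, the commands are printed instead of executed.

```shell
#!/bin/bash
# Added example, not the poster's code. Reconciles a user's local macOS group
# membership against a list of IdP group names. Only groups this script names
# (prefixed "idp-") are ever created or edited.

# Map an IdP group display name to a safe local group name:
# lowercase, spaces -> '-', drop anything outside [a-z0-9._-], prefix "idp-".
# Returns 1 if nothing usable is left, so the caller can skip the group.
sanitize_group_name() {
  local name
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr ' ' '-' | tr -cd 'a-z0-9._-')
  [ -n "$name" ] || return 1
  printf 'idp-%s' "$name"
}

# True when we must not touch the system: DRY_RUN set, or not on a Mac.
is_dry_run() {
  [ -n "${DRY_RUN:-}" ] || ! command -v dseditgroup >/dev/null 2>&1
}

# Run a dseditgroup invocation, or print it in dry-run mode.
run_dseditgroup() {
  if is_dry_run; then
    printf 'dseditgroup %s\n' "$*"
  else
    dseditgroup "$@"
  fi
}

# Create the local group if it does not exist yet.
ensure_local_group() {
  local group="$1"
  if ! is_dry_run && dseditgroup -o read "$group" >/dev/null 2>&1; then
    return 0
  fi
  run_dseditgroup -o create "$group"
}

# reconcile USER MANAGED_FILE CURRENT_FILE
#   MANAGED_FILE: IdP group names this policy manages, one per line
#   CURRENT_FILE: IdP group names the user currently holds, one per line
# Adds the user to the local group for each membership held and removes
# them from every managed group they do not hold.
reconcile() {
  local user="$1" managed="$2" current="$3" g local_group
  while IFS= read -r g; do
    [ -n "$g" ] || continue
    local_group=$(sanitize_group_name "$g") || continue
    ensure_local_group "$local_group"
    if grep -Fxq -- "$g" "$current"; then
      run_dseditgroup -o edit -a "$user" -t user "$local_group"
    elif is_dry_run || dseditgroup -o checkmember -m "$user" "$local_group" >/dev/null 2>&1; then
      run_dseditgroup -o edit -d "$user" -t user "$local_group"
    fi
  done < "$managed"
}

# Demo with constructed input: bash reconcile.sh --demo
if [ "${1:-}" = "--demo" ]; then
  managed_tmp=$(mktemp); current_tmp=$(mktemp)
  printf 'Mac Admins\nHelpdesk\nSec Ops (Tier 1)\n' > "$managed_tmp"   # constructed
  printf 'Mac Admins\nSec Ops (Tier 1)\n' > "$current_tmp"             # constructed
  DRY_RUN=1 reconcile "jdoe" "$managed_tmp" "$current_tmp"
  rm -f "$managed_tmp" "$current_tmp"
fi
```

In a real policy the current-membership file is whatever your IdP or Jamf lookup returns for the console user; run it from the login hook (the answer uses Outset) so the local groups follow the IdP on every login rather than only at enrolment.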