Extension attributes with Cloud Identity Provider

DBrowning
Valued Contributor II

I'm pretty sure I know the answer, but can't find the statement in any documentation. Is it possible to pull attributes in via extension attributes when you have Cloud Identity Provider enabled for Azure? If so, what attributes are available?

1 ACCEPTED SOLUTION

DBrowning
Valued Contributor II

Figured it out. I had a bad EA asking for something that wasn't permitted. Removed that EA and now I'm getting data!!


20 REPLIES

stevewood
Honored Contributor II

Yes, you can pull extended attributes from Azure AD into an Extension Attribute. I used the Microsoft Graph Explorer to find a weird attribute (proxyAddresses), one that I knew would not be in Jamf Pro, put it into an Extension Attribute and the info was pulled back.

DBrowning
Valued Contributor II

Do you have Azure set up under LDAP servers or Cloud Identity Provider?

MMTechno
New Contributor II

Hi there, I have been looking into the same thing. Total newbie here.

How do you achieve calling Graph from JAMF to populate the data? Is it an API call? I am a bit lost...

When I look into my JAMF instance in the "Extension Attributes" there is nothing that mentions my IdP. Jamf training also mentions LDAP but we are not connecting any of that as we are going cloud first.

[screenshot: MMTechno_0-1705431456692.png]

Any idea where I need to look or what I have to read to understand what I should do to pull the data from Azure?

Thanks


MMTechno
New Contributor II

Apologies, this is the right screenshot.

[screenshot: MMTechno_0-1705432644321.png]

stevewood
Honored Contributor II

As long as you have a Cloud Identity Provider configured under Settings -> System -> Cloud Identity Providers, you should have the option to pull from Directory Service.

[screenshot: CleanShot 2024-01-16 at 13.56.45.png]

I have nothing configured under LDAP Servers. I only have entries under Cloud Identity Providers.

stevewood
Honored Contributor II

And my mention of Microsoft Graph was simply as a way to determine what attribute to pull out of Entra ID.

MMTechno
New Contributor II

Thanks

Interesting... I have not got the option. I have Azure configured and the test returns results without issue. Might be a JAMF quirk?

stevewood
Honored Contributor II

Under Settings -> Computer Management -> Inventory Collection, make sure you have "Collect user and location information from Directory Service" checked.

I just spun up a fresh instance, added Cloud Identity Provider connected to my Entra ID instance, and checked that box and I get the Directory Service Attribute Mapping option in Extension Attributes.

[screenshot: CleanShot 2024-01-16 at 14.49.50.png]

That checkbox is also needed if you want user information to populate on device records in Jamf Pro.

MMTechno
New Contributor II

BOOM!

[screenshot: MMTechno_0-1705438530619.png]

Thanks a lot for that! Cheeky little option that was!

@MMTechno, did you have to do anything else? Still, after finding these instructions, we struggled to pull the fields we wanted. Some examples we want to pull data from are in the pictures below, and we will map to those spots.

[screenshot: daniel_ross_0-1705687459959.png]

[screenshot: daniel_ross_1-1705687468872.png]

stevewood
Honored Contributor II

@daniel_ross I'm guessing those fall under `onPremiseExtensionAttributes`, right? Currently Jamf Pro is unable to collect from that JSON object because it is a list of attributes (like an array).

You may find those attributes elsewhere in the user record where they have a UDID of sorts as part of the name. Something like `extension_a34572989d08a08c899b999a_country`, or whatever. If you have those entries and they are not part of a JSON "array" (for lack of a better term), then you may be able to pull those in.

RParker
New Contributor II

Did you ever solve this? I'm running into this same issue.

andrewsp
New Contributor II

Hey Steve... Do you know what the attribute name would be to get a list of groups that a user is a member of? When using LDAP, the attribute name was "memberOf" but that doesn't seem to work after switching to an Entra ID connection.

stevewood
Honored Contributor II

As far as I am aware, Entra ID does not have the concept of 'memberOf.' Instead, you determine group membership by looping through every group and checking if the user is part of the group. So unfortunately there is no easy way to build an Extension Attribute to pull in group information because of that.

stevewood
Honored Contributor II

CIP... I have no LDAP servers configured in the server I was testing with.

DBrowning
Valued Contributor II

Interesting... mine won't pull anything in...

stevewood
Honored Contributor II

Are you verifying the attribute you are pulling from has data via the Microsoft Graph Explorer first? And then I have to ask it, you are updating inventory on the device, right? ;-)


DBrowning
Valued Contributor II

Yes and yes! I noticed using the Graph Explorer, if you use v1 there is very limited info. If I switch to Beta I get a lot more data (including the proxyAddresses, which is not returned on v1).
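The advice in this thread boils down to: confirm in Microsoft Graph Explorer that the attribute exists and actually holds data for the user before you map it, and prefer flat values over nested ones. The script below is an added example (not code from this thread, from Jamf, or from Microsoft) that applies those checks to a user object pasted from Graph Explorer. The two payloads are constructed samples standing in for a v1.0 and a beta response, and the `extension_a34572989d08a08c899b999a_country` property name is hypothetical, modelled on the naming pattern mentioned above; `SAMPLE_V1`, `SAMPLE_BETA`, `check_attributes` and `flatten_populated` are this example's own names.

```python
"""Check candidate Entra ID attributes before mapping them to Jamf Pro
Extension Attributes.

Added example, not code from the thread, Jamf, or Microsoft. Paste the JSON
for a user from Microsoft Graph Explorer (v1.0 or beta) and the functions
report, for each attribute name you plan to map, whether the property is
present, whether it holds data, and whether the value is flat (a single
string/number) or nested (a list or object). Samples are constructed data.
"""
import json

# Constructed sample of a v1.0 /users/{id} response (subset of properties).
SAMPLE_V1 = json.dumps({
    "displayName": "Example User",
    "userPrincipalName": "example.user@contoso.example",
    "department": "IT",
    "jobTitle": "",
})

# Constructed sample of a beta /users/{id} response for the same user.
# The extension_... property name is hypothetical, following the pattern
# described in the thread for schema-extension attributes.
SAMPLE_BETA = json.dumps({
    "displayName": "Example User",
    "userPrincipalName": "example.user@contoso.example",
    "department": "IT",
    "jobTitle": "",
    "proxyAddresses": ["SMTP:example.user@contoso.example"],
    "onPremisesExtensionAttributes": {
        "extensionAttribute1": "Site-42",
        "extensionAttribute2": None,
    },
    "extension_a34572989d08a08c899b999a_country": "US",
})


def classify(value):
    """Describe a Graph property value from a mapping point of view."""
    if value in (None, "", [], {}):
        return "empty"
    if isinstance(value, (str, int, float, bool)):
        return "scalar"
    if isinstance(value, list):
        return "list"
    return "object"


def check_attributes(graph_json, candidates):
    """Return {name: 'missing' | 'empty' | 'scalar' | 'list' | 'object'}."""
    user = json.loads(graph_json)
    return {name: ("missing" if name not in user else classify(user[name]))
            for name in candidates}


def flatten_populated(graph_json):
    """Return {dotted path: value} for every populated scalar, descending into
    nested objects and lists so you can see where a value actually lives."""
    def walk(node, path, out):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{path}.{key}" if path else key, out)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]", out)
        elif classify(node) == "scalar":
            out[path] = node
        return out
    return walk(json.loads(graph_json), "", {})


if __name__ == "__main__":
    wanted = ["department", "jobTitle", "proxyAddresses",
              "onPremisesExtensionAttributes",
              "extension_a34572989d08a08c899b999a_country"]
    for label, payload in (("v1.0", SAMPLE_V1), ("beta", SAMPLE_BETA)):
        print(f"--- {label} ---")
        for name, status in check_attributes(payload, wanted).items():
            print(f"{name}: {status}")
    print("--- populated values in beta ---")
    for path, value in flatten_populated(SAMPLE_BETA).items():
        print(f"{path} = {value}")
```

Run it against the JSON you copy out of Graph Explorer for a test user: anything reported as `missing` or `empty` will never populate an Extension Attribute no matter how the mapping is configured, and anything reported as `object` or `list` is the nested case the thread says Jamf Pro cannot collect, so the flattened paths show you whether the same value is also exposed as a top-level scalar you can map instead.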

stevewood
Honored Contributor II

The only other thing I can think is that you still have an LDAP server configured. I believe that an LDAP server takes precedence over CIP. I had my Okta dev account configured under LDAP and when I tried to pull info it would pull from Okta and not Azure. So I deleted the Okta LDAP setup and CIP took over.

Worst case, you can open a support ticket and they should be able to assist.
