Jamf Blog
Person in a wheelchair on a video call
September 27, 2022 by Michael Epping

Best practice when working with Microsoft Entra ID

Mark Morowczynski and Michael Epping, product managers in the Microsoft Entra ID product group at Microsoft, use their customer experience to shed light on how to drive Microsoft 365 and Microsoft Entra ID security and usability improvements on macOS.

What is Microsoft Entra ID and Conditional Access?

If your organization uses Microsoft 365, Microsoft Entra ID is already available for you to use. Microsoft Entra ID is not just an identity provider, it is a full-blown identity access solution and includes several additional capabilities such as single sign-on to SaaS and a line of business apps, governance, identity protection and multi-cloud permissions management. Over time, users, devices and app resources have moved to cloud services – and Microsoft Entra ID helps secure access to these resources. In many organizations, identity is the new control pane.

Microsoft Entra Conditional Access is Microsoft Entra ID’s Zero Trust authentication and authorization engine. Admins can define a set of conditions and every time a user or device tries to access a resource protected by Microsoft Entra ID, the conditions are evaluated before access is granted. If the conditions are not met, the user or the device will be blocked.

Graph representing Azure Conditional Access with conditions on one side and controls on the other.

If you are the person managing macOS devices in your organization, it is important for you to understand the conditional access policies in your environment, as they can greatly impact the experience of your macOS users. In successful organizations, the Mac admins and the identity and access management (IAM) teams have ongoing conversations as they tweak and optimize their conditional access policies. Microsoft provides a deployment guide for conditional access.

Now that we understand the basics, let’s look at the recommendations we have for macOS customers:

1. Determine if you have a prompting problem.

Over-prompting your users with frequent password screens and MFA requests can reduce the security posture of your organization. This is because users can learn bad behaviors like blindly approving MFA requests and being easily phished. Over-prompting also impacts productivity, especially on devices like macOS where single sign-on (SSO) with Microsoft Entra ID is not configured out of the box. To ensure that you have the most optimal configuration, you need to understand what your users are seeing and experiencing with prompts.

The Microsoft Entra ID sign-in logs have all of the raw data that you require for this recommendation. The pre-built Microsoft Entra ID workbook comes with data visualizations, as well as recommendations, and can answer questions such as:

  • Which users are being prompted the most?
  • Which applications have a high prompt count?
  • What is the device state?
Circle graph showing percent of user prompts by operating system with 46.5% belonging to an unknown OS, 39.9% Windows 10, 7.7% MacOS, 3.3% Windows, and 1.1% other
Circle graph showing percent of user prompts by device stat with 95.4% Unmanaged and 4.6% Azure AD joined

2. Enroll in an MDM and use device compliance.

It is highly recommended that you enroll your macOS devices into an MDM and use device compliance so that you can structure your conditional access policies correctly. There are two important reasons why you need to deploy MDM:

  • MDM is the only modern way to deploy SSO features to macOS.
  • SSO helps us improve the end-user experience (fewer prompts) and security.
  • MDM helps us improve device and identity security through Conditional Access.

Microsoft Entra ID supports receiving compliance information from Jamf Pro and other MDM providers. This way, Conditional Access policies can be satisfied by Macs that are being managed by Jamf Pro or other MDM providers.

Flowchart showing how Azure AD accepts compliance info from Jamf Pro and other MDM providers.

3. Set up single sign-on (SSO) with Microsoft Entra ID

Once SSO is deployed, your users will see a drastic drop in the number of prompts they see when accessing any application integrated with Microsoft Entra ID. The modern option for SSO is built on top of modern authentication which relies on standards-based protocols such as SAML, OpenID Connect and OAuth 2.0. The key advantage of modern authentication is that it is web-based. The flexibility of web technology is that it gives us many security options not traditionally available with on-premises Active Directory.

Deploying the Enterprise (Redirect) SSO Extension

For more information, Microsoft provides documentation on the base configuration for the SSO extension and for Jamf Pro-specific configurations for Microsoft Entra ID SSO.

Many customers also use tools like Jamf Connect that can validate credentials against an IDP rather than on-premises Active Directory. These tools use the OAuth 2.0 Resource Owner Password Credentials (ROPC, sometimes called ROPG) grant flow to validate username and password credentials against Microsoft Entra ID. ROPC is not user interactive in a web browser, so it has limitations. For example, ROPC sign-ins will fail if there are Conditional Access policies that require MFA or device compliance in place, even if the user’s username and password were correct. This can have other adverse impacts, like the user appearing to be at risk in Microsoft Entra ID Protection. Make sure that you work with your identity admins to configure Jamf Connect with your Microsoft integrations – we recommend that customers never exempt users from Conditional Access policies to accommodate ROPC. Instead, work with your identity admins to exempt Jamf Connect’s ROPC app from being in-scope of those Conditional Access policies.

Resource owner password credentials workflow with MFA error

4. Authenticator app and passwordless

The fourth recommendation is to use the Microsoft Authenticator app for MFA and start moving your users to passwordless authentication. Passwordless authentication provides a much better experience for users and is more secure than using a phone call or SMS for MFA. To get your users to move away from phone and SMS, you can use a feature in Microsoft Entra ID called Nudge that will guide users to set up the Authenticator app as part of the sign-in flow. To learn more about Nudge and how you can set it up, see aka.ms/nudge.

5: SSO for everything

The fifth recommendation is to enable Single Sign-On (SSO) for all the applications in your organization. All of the work in steps one through four won't matter much if your apps are not integrated with your identity provider. To implement this recommendation, you need to work with your procurement and security teams to ensure any new applications you bring into your organization are set up correctly for SSO. Microsoft Entra ID includes an app gallery with over 3000 apps pre-integrated, with more being added each month. If your app doesn’t show up in the gallery, you can request that Microsoft work with the vendor to add it.

Recap and go-dos!

  • Work with your IAM/Security team on the end user experience on Apple devices.
  • Use data in the Microsoft Entra ID Authentication Prompt analysis workbook.
  • Set device compliance via an MDM that integrates with Microsoft Entra ID.
  • Deploy the Microsoft Entra Enterprise SSO plugin to macOS and iOS.
  • Nudge users to start moving to passwordless authentication methods.
  • More SSO! Bring your modern auth apps to your IAM team. Move away from apps that require line of sight to an on-premises Active Directory Domain Controller.

Reach out to Mark Morowczynski and Michael Epping via Twitter or on the MacAdmins Slack channel for Microsoft Entra ID:

Michael Epping
Other authors:
Mark Morowczynski

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.