Mac OS and Azure AD LDAP Authentication

SebC 56

Another forum that moved from very useful social.microsoft.com to this unfriendly Q&A site, pity!

But whatever.

There was a thread years ago about this:

https://social.msdn.microsoft.com/Forums/en-US/a06c8321-8aab-49c5-b0bc-59d9e84807bd/how-to-configure-ldap-authentication-for-mac-os-and-azure-ad?forum=WindowsAzureAD

Anybody has any info on current situation? (before I waste time to find myself that ie it does not work)

I could join my machines to local AD (which might be the case in the end), but while moving with all Windows machines to AAD/Intune, I would like to do the same with Macs (I am not yet in position to do Intune, as I do not have enough time for testing)
But at least authentication could be from AAD

Thanks

Seb

James Hamil 21,621 Reputation points Microsoft Employee

2020-08-31T20:29:54.627+00:00

Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.
Daniel Reis 6 Reputation points

2022-01-12T10:15:13.787+00:00

I know this is an old thread, but I will leave this here.

https://support.apple.com/en-gb/guide/apple-business-essentials/axm78b477c81/web

It seems to be in trial still but worth a shot!

11 answers

Jon Alfred Smith 541 Reputation points

2020-08-10T18:37:37.337+00:00

There is still no native option to join Macs to an Azure AD domain. You could, but should not, use Azure AD Domain Services (not recommend by Microsoft). You could look into Azure Active Directory SSO integration with Jamf Pro
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/jamfprosamlconnector-tutorial

Personally I never liked to join my Macs to on-premises AD. In my wife's and my small Microsoft 365 Business Premium tenant, we use two Macs as our primary machines. They are registered in Azure AD and enrolled in Intune, though. Configuration and configuration policies with conditional access – all of which works very well. In addition to automatic distribution of software.
Please sign in to rate this answer.

2 people found this answer helpful.
a-kaylenk 1 Reputation point

2021-06-17T10:30:16.867+00:00

I'm really disappointed with Apple here and their lack of interest in the MEA region for MDM and connectivity with their peers in the industry (I.e.. Microsoft) . We will have to start making efforts to move our infrastructure completely over to Microsoft as a result as the incompatibility and lack of enthusiasm to do anything industry standard with their peers i- they are Not business friendly. Microsoft Surface books seems to be the next logical answer. As far as MDM / Intune is concerned - No we do not want to signup for JAMF licenses.

Apple is totally anti consumer - with brilliant branding marketing and their customers in MEA are waking up to that.
Sign in to comment
SebC 56 Reputation points

2020-09-11T05:20:48.467+00:00

If I do not join Mac to local AD then my users could not possibly login to that Mac (few shared machines)

And how do you enroll Mac in Intune without going the full ASM (Apple School Manager)?
I have that question opened with zero take up

I am about to move away (management decision) from Jams, so will not be looking into it again...

Seb
Please sign in to rate this answer.
Paul Gately 1 Reputation point

2020-11-20T21:53:11.253+00:00

You enroll Macs to Intune via the Intune company portal app installed locally on the Mac you're enrolling. You do not need ASM nor ABM to accomplish this task. As a matter of fact having either of those services actually adds a layer of complexity to your deployment/enrollment.

Link to Company portal app configuration - https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp

There are third-party solutions to federating SSO to your Macs, but if you have only a handful this is probably not an efficient use of funds. Just setup a generic login to the shared machines and sign them into Intune.
Sign in to comment
Thomas Nagels 1 Reputation point

2020-11-20T09:05:49.507+00:00

A late reply, but maybe still relevant: I use Jumpcloud to achieve this. They have user /password sync for multiple platforms including the combination Microsoft365 and osx. Have been using the free tier of their product for quite a while now and it seems to work well.

Thomas
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
SebC 56 Reputation points

2020-11-24T20:38:20.317+00:00

@Thomas Nagels
Thanks, Jumpcloud free is not enough (only 10)

@Paul Gately
Thanks, generic login is not ideal, because that would never allow use of OneDrive app (which is a "must" for me)

So AD join is still the only option I can see
Please sign in to rate this answer.
PK10 1 Reputation point

2020-11-30T08:11:11.45+00:00

Seems that this can not be achieved with Intune only if I understand things correct. The Intune does not offer such functionality right now. If you are going to use Azure you need to use third party products. But what is your main goal exactly?

You wanna run local accounts that get created with AAD credentials? You wanna get the AD functionality such as password rotation/password sync/SSO?
Sign in to comment
SebC 56 Reputation points

2021-04-19T20:21:09.037+00:00

I need a user to be able to login to Mac machine with they credentials (what is so surprising about it?)

Users has ONE set of credentials: email & password (AD account synced to AAD)

User uses the same credentials for OneDrive/Teams/proxy/printing/eStream etc

I do not see any other option apart from having Mac joined to directory (AD in that case)

Would love somebody to prove me wrong here!

How could I select appropriate response as "Answered." when there is nothing answered, but only lots of lose random opinions?

Windows can be joined to AAD only, user uses the ONLY ONE set of credential they have, and everything works
Please sign in to rate this answer.
Dan Laws 1 Reputation point

2021-04-29T15:11:15.477+00:00

Awesome and I agree...THIS IS NOT A ANSWER!!!
Sign in to comment