How can we improve Azure Active Directory?

Azure AD join Mac OS X

It would be really cool to be able to Azure AD join other devices, like Mac OS for example.

112 votes
    Hampus Nordanfjall shared this idea
    archived  ·  Azure AD Team (Admin, Microsoft Azure) responded:

    Thanks for your feedback. Azure AD Join is unique to Windows 10 as it uses Windows components to generate/store the artifacts used for subsequent logins and enable SSO to other resources. AADJ on Mac OS or any non-Windows OS is not a possibility currently.

    We are working on other approaches to enable conditional access from Mac OS devices.

    /Ravi

    12 comments

      • Richard Brooks commented:

        Well, actually, you guys need to change your mind on this one. Active Directory is going away in the SMB market. Microsoft really needs to step up to the plate and make this a priority, or companies are going to start to bail. Myself included.

      • Giuseppe commented:

        I think this feature is essential for a cloud-only company that relies on Office 365 and Azure.

      • Giuseppe commented:

        I tried your solution, but the server is always not responding: 'Cannot connect to node ...'. In a directory browser it worked fine.
        Does anyone have an idea?

      • mark zigadlo commented:

        Try this...

        How to Configure LDAP Authentication for Mac OS and Azure AD

        Prerequisites
        1. Configure Secure LDAP (LDAPS) for an Azure AD Domain Services managed domain

        Network Account Server Setup
        1. System Preferences > Users & Groups > Login Options > click Lock Icon to allow changes
        2. Network Account Server > Join > Open Directory Utility > click Lock Icon to allow changes
        3. LDAPv3 > edit Pencil > New > Server Name
        • Enter the FQDN of your LDAPS endpoint, i.e. ldaps.mycompany.com
        • Check Encrypt using SSL > Manual
        4. Enter a Configuration Name of your choice > Edit
        • Check Use custom port and enter 636

        Search & Mappings Tab
        1. Click the (+) button and add the Users record type
        a. Enter your Search Base, i.e. dc=mycompany,dc=com
        2. With Users highlighted click (+) and add the following Attribute Types and associated values:
        • NFSHomeDirectory - #/Users/$sAMAccountName$
        • PrimaryGroupID - #20
        • RealName – cn
        • RecordName – sAMAccountName
        • UniqueID – uSNCreated
        • UserShell - #/bin/bash

        Security Tab
        1. Check Use authentication when connecting and enter a Distinguished name
        a. I.e. cn=username,ou=AADDC Users,dc=mycompany,dc=com
        2. OK > OK when done

        Search Policy Tab
        1. For Authentication and Contacts use the Search dropdown to select Custom path > (+) > ADD
        a. Choose the Directory Domain you just created
        2. Apply and close the Directory Utility
        3. You should now see the Network Account Server you just created with a green dot next to it. If you see a red dot it either has not connected yet or something is wrong with your setup. A reboot sometimes helps.
        4. Logout and login as a valid Network user.

        Create mobile account
        GUI
        https://support.apple.com/kb/PH25671?locale=en_US

        Command Line
        sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username

        Summary Comments
        After the mobile account is created you can make the network user a local admin and give them access to unlock the drive at boot time if using File Vault.

        A mobile account will also be needed if the user needs to log into the Mac while not connected to the Internet.

        Wireless is not available at the Mac OS login screen. First-time users will have to log in with an Ethernet connection.
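
      The procedure above is done entirely in Directory Utility, which gives a red dot and little else when the bind fails. The script below is an added example (not the commenter's, and not from Microsoft or Apple) that checks the same pieces from a shell first: the TLS certificate the LDAPS endpoint presents, a bound search returning only the attributes the mapping uses, and a preview of the values the Search & Mappings tab would synthesise. It also covers a caveat of the mapping as written: uSNCreated is a non-replicated attribute, so the UniqueID derived from it can differ depending on which domain controller of the managed domain answered. The host name, search base, bind DN and the two LDIF samples are placeholders/constructed data, not values from the page; openssl and ldapsearch ship with macOS.

```shell
#!/usr/bin/env bash
# Added example, not from the thread above: check an Azure AD DS secure LDAP
# endpoint from the command line and preview the Directory Utility attribute
# mapping.  LDAPS_HOST, BASE_DN, BIND_DN and the LDIF samples are placeholders /
# constructed data, not values from the page.
set -u

LDAPS_HOST="${LDAPS_HOST:-ldaps.mycompany.com}"                          # assumed endpoint FQDN
BASE_DN="${BASE_DN:-dc=mycompany,dc=com}"                                 # assumed search base
BIND_DN="${BIND_DN:-cn=username,ou=AADDC Users,dc=mycompany,dc=com}"     # assumed bind account

# Live probe (needs network access to the managed domain; not run offline):
# 1. TLS handshake on 636 and print the certificate subject/validity, so a name
#    mismatch or an expired certificate upload shows up before touching the GUI.
# 2. Bound search (password prompted by -W) for one user, returning only the
#    attributes the mapping depends on.  LDAPTLS_REQCERT=demand refuses an
#    unverifiable certificate instead of silently accepting it.
ldaps_probe() {
    local sam="$1"
    openssl s_client -connect "${LDAPS_HOST}:636" -servername "${LDAPS_HOST}" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates || return 1
    LDAPTLS_REQCERT=demand ldapsearch -LLL -H "ldaps://${LDAPS_HOST}:636" -x -D "${BIND_DN}" -W \
        -b "${BASE_DN}" "(&(objectClass=user)(sAMAccountName=${sam}))" \
        sAMAccountName cn uSNCreated
}

# Render one LDIF entry (stdin) as the values the Search & Mappings tab produces:
#   RecordName <- sAMAccountName   RealName <- cn   UniqueID <- uSNCreated
#   NFSHomeDirectory <- /Users/<sAMAccountName>   PrimaryGroupID 20   UserShell /bin/bash
# Exits 1 if the entry lacks an attribute the login depends on.
ldif_to_mapping() {
    awk -F': ' '
        $1 == "sAMAccountName" { sam = $2 }
        $1 == "cn"             { cn  = $2 }
        $1 == "uSNCreated"     { usn = $2 }
        END {
            if (sam == "" || usn == "") {
                print "ERROR: entry has no sAMAccountName or uSNCreated" > "/dev/stderr"
                exit 1
            }
            printf "RecordName=%s\nRealName=%s\nUniqueID=%s\nNFSHomeDirectory=/Users/%s\n", sam, cn, usn, sam
            print "PrimaryGroupID=20"
            print "UserShell=/bin/bash"
        }'
}

# A macOS UniqueID must be a positive integer that fits a 32-bit uid_t and sits
# above 500, where macOS starts assigning local user IDs (501 upward).
uid_is_valid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 500 ] && [ "$1" -le 2147483647 ]
}

# uSNCreated is not replicated: each domain controller keeps its own USN counter,
# so the same user can get a different UniqueID depending on which DC answered,
# and the cached home directory ends up owned by a UID the user no longer has.
# Pass LDIF dumps taken against each DC; returns 0 only when the UID is stable.
uid_consistent() {
    local a b
    a=$(printf '%s\n' "$1" | ldif_to_mapping | grep '^UniqueID=') || return 2
    b=$(printf '%s\n' "$2" | ldif_to_mapping | grep '^UniqueID=') || return 2
    [ "$a" = "$b" ]
}

# Constructed LDIF in the shape `ldapsearch -LLL` returns for one user; the
# second copy stands in for the other DC of the managed domain.
SAMPLE_DC1='dn: CN=Jane Doe,OU=AADDC Users,DC=mycompany,DC=com
cn: Jane Doe
sAMAccountName: jdoe
uSNCreated: 16471'
SAMPLE_DC2="${SAMPLE_DC1%uSNCreated:*}uSNCreated: 20398"

# Offline self-check: 0 when the mapping and both checks behave as intended.
self_check() {
    printf '%s\n' "$SAMPLE_DC1" | ldif_to_mapping | grep -q '^NFSHomeDirectory=/Users/jdoe$' || return 1
    uid_is_valid 16471 || return 1
    uid_is_valid 20 && return 1                              # reserved range must be rejected
    uid_consistent "$SAMPLE_DC1" "$SAMPLE_DC1" || return 1
    uid_consistent "$SAMPLE_DC1" "$SAMPLE_DC2" && return 1   # differing USNs must be flagged
    return 0
}

case "${1:-}" in
    probe) ldaps_probe "${2:?usage: $0 probe <sAMAccountName>}" ;;
    check) self_check && echo "self-check passed" ;;
esac
```

      Run `./ldaps_check.sh probe jdoe` against each DC (point LDAPS_HOST at the individual DC addresses rather than the load-balanced name) and diff the mapping output; if UniqueID differs, map UniqueID to a replicated, numeric attribute instead, or the user's home directory permissions will depend on which DC handled the login.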

      • Andy Saputra commented:

        I think that can be accomplished if Microsoft could provide something like contoso.azuread.onmicrosoft.com or adatum.azuread.onmicrosoft.com then we would be able to join any of our Macs or other devices to the Azure AD.

        I'm currently managing 937 non-Windows devices, and most of them are Macs; it would be great if Microsoft made Azure AD available to non-Windows devices.

        Cheers!
