How can we improve Azure Active Directory?

Azure AD join Mac OS X

It would be really cool to be able to Azure AD join other devices, like Mac OS for example.

112 votes


    Hampus Nordanfjall shared this idea
    archived  ·  Azure AD Team (Admin, Microsoft Azure) responded:

    Thanks for your feedback. Azure AD Join is unique to Windows 10 as it uses Windows components to generate/store the artifacts used for subsequent logins and enable SSO to other resources. AADJ on Mac OS or any non-Windows OS is not a possibility currently.

    We are working on other approaches to enable conditional access from Mac OS devices.

    /Ravi

    25 comments

      • Richard Brooks commented

        I'm back. Since Apple isn't going to do this, and seems to care little about the enterprise, it's up to you, Microsoft. Bring us AADJ for MacOS!

      • Trent Boorman commented

        Would love to see this functionality. Definitely appreciate some of the moves Microsoft has made to support Mac and iOS recently. This feature request is being driven by employee preferences.

        Glad to hear you are looking at other approaches here. Any updates as to what those might be and when to expect them would definitely be appreciated.

      • Richard Brooks commented

        I'm going to keep this up until someone responds. We need a means whereby the Mac is an equal citizen in Azure AD. The method Microsoft is suggesting (that of having a "Company Page" from which you log in to Azure) provides only half of the necessary solution, which must also include Identity Management at the workstation login level. As Mac users, we demand equal treatment. Expect to see me again at this post in 30 days.

      • Robin commented

        Microsoft ADFS workplace join also needs to allow Mac OS for the single sign-on feature for other corporate web applications.

      • Richard Brooks commented

        Five months go by and still Microsoft doesn't get it. We don't want another approach for conditional access. We want AADJ. Please get with the program, people.

      • Paul Shadwell commented

        I need this now!!
        I just got Seamless Single Sign-on to work via AAD and AD Sync for Windows and was shocked that I couldn't configure the Macs to do the same. I was sure this was possible.
        Very disappointed.

      • Luke commented

        Would also love to see this. Moving to the cloud with an increase in Mac usage is not easy! Love the O365 ecosystem, just need to get Macs to bind to it.

      • Andrew commented

        Flagged as inappropriate. The archiving is what I consider inappropriate.

      • Richard Brooks commented

        Well, actually, you guys need to change your mind on this one. Active Directory is going away in the SMB market. Microsoft really needs to step up to the plate and make this a priority, or companies are going to start to bail. Myself included.

      • Giuseppe commented

        I think this feature is essential for a cloud-only company that relies on Office 365 and Azure.

      • Giuseppe commented

        I tried your solution, but the server is always not responding: 'Cannot connect to node ...'. In a directory browser it worked fine.
        Anyone an idea?

      • mark zigadlo commented

        Try this...

        How to Configure LDAP Authentication for Mac OS and Azure AD

        Prerequisites
        1. Configure Secure LDAP (LDAPS) for an Azure AD Domain Services managed domain

        Network Account Server Setup
        1. System Preferences > Users & Groups > Login Options > click Lock Icon to allow changes
        2. Network Account Server > Join > Open Directory Utility > click Lock Icon to allow changes
        3. LDAPv3 > edit Pencil > New > Server Name
        • Enter the FQDN of your LDAPS endpoint, e.g. ldaps.mycompany.com
        • Check Encrypt using SSL > Manual
        4. Enter a Configuration Name of your choice > Edit
        • Check Use custom port and enter 636

        Search & Mappings Tab
        1. Click the (+) button and add the Users record type
        a. Enter your Search Base, e.g. dc=mycompany,dc=com
        2. With Users highlighted click (+) and add the following Attribute Types and associated values:
        • NFSHomeDirectory - #/Users/$sAMAccountName$
        • PrimaryGroupID - #20
        • RealName - cn
        • RecordName - sAMAccountName
        • UniqueID - uSNCreated
        • UserShell - #/bin/bash

        Security Tab
        1. Check Use authentication when connecting and enter a Distinguished Name
        a. e.g. cn=username,ou=AADDC Users,dc=mycompany,dc=com
        2. OK > OK when done

        Search Policy Tab
        1. For Authentication and Contacts use the Search dropdown to select Custom path > (+) > ADD
        a. Choose the Directory Domain you just created
        2. Apply and close the Directory Utility
        3. You should now see the Network Account Server you just created with a green dot next to it. If you see a red dot it either has not connected yet or something is wrong with your setup. A reboot sometimes helps
        4. Logout and login as a valid Network user.

        Create mobile account
        GUI
        https://support.apple.com/kb/PH25671?locale=en_US

        Command Line
        sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username

        Summary Comments
        After the mobile account is created you can make the network user a local admin and give them access to unlock the drive at boot time if using File Vault.

        A mobile account will also be needed if the user needs to log into the Mac while not connected to the Internet.

        Wireless is not available at the Mac OS login screen. 1st time users will have to login with an Ethernet connection.
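      A way to sanity-check the attribute mapping in the comment above before pushing it to a fleet of Macs. This is an added example, not part of the original post or anything Microsoft or Apple ship; the LDIF text inside it is constructed sample data imitating what two Azure AD DS domain controllers return for the same users, and the user names and USN values are invented. The check matters because uSNCreated is a per-domain-controller attribute that is not replicated, so a UniqueID derived from it can change depending on which managed-domain DC answered the LDAPS connection, and macOS file ownership follows that UID. It also flags UIDs in the macOS system range and sAMAccountName values that do not make a clean /Users path.

```python
"""Offline check of the Directory Utility mapping from the post.

Added example, not from the original post. The LDIF strings are
constructed sample data; uSNCreated values are invented to show the
per-DC behaviour of that attribute.
"""
import re

# Constructed: what a first AAD DS domain controller might return.
SAMPLE_LDIF_DC1 = """\
dn: CN=Alice Example,OU=AADDC Users,DC=mycompany,DC=com
cn: Alice Example
sAMAccountName: alice
uSNCreated: 12418

dn: CN=Bob Example,OU=AADDC Users,DC=mycompany,DC=com
cn: Bob Example
sAMAccountName: bob
uSNCreated: 12422

dn: CN=Backup Admin,OU=AADDC Users,DC=mycompany,DC=com
cn: Backup Admin
sAMAccountName: backup admin
uSNCreated: 12430

dn: CN=Sync Service,OU=AADDC Users,DC=mycompany,DC=com
cn: Sync Service
sAMAccountName: svc-sync
uSNCreated: 311
"""

# Constructed: the same users as seen on a second DC (own USN counter).
SAMPLE_LDIF_DC2 = """\
dn: CN=Alice Example,OU=AADDC Users,DC=mycompany,DC=com
cn: Alice Example
sAMAccountName: alice
uSNCreated: 9031

dn: CN=Bob Example,OU=AADDC Users,DC=mycompany,DC=com
cn: Bob Example
sAMAccountName: bob
uSNCreated: 9035

dn: CN=Backup Admin,OU=AADDC Users,DC=mycompany,DC=com
cn: Backup Admin
sAMAccountName: backup admin
uSNCreated: 9043

dn: CN=Sync Service,OU=AADDC Users,DC=mycompany,DC=com
cn: Sync Service
sAMAccountName: svc-sync
uSNCreated: 40
"""

# The mapping exactly as listed in the post: macOS record attribute ->
# LDAP attribute, or a literal when prefixed with '#'.
MAPPING = {
    "NFSHomeDirectory": "#/Users/$sAMAccountName$",
    "PrimaryGroupID": "#20",
    "RealName": "cn",
    "RecordName": "sAMAccountName",
    "UniqueID": "uSNCreated",
    "UserShell": "#/bin/bash",
}

SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines.

    Keys are lowercased because LDAP attribute names are case-insensitive.
    Good enough for ldapsearch output without base64 or continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries


def map_user(entry):
    """Apply the post's mapping to one LDAP entry and return the macOS record.

    Directory Utility treats a leading '#' as a literal and substitutes
    $attr$ inside a literal with that LDAP attribute's value."""
    record = {}
    for mac_attr, source in MAPPING.items():
        if source.startswith("#"):
            value = re.sub(r"\$(\w+)\$",
                           lambda m: entry.get(m.group(1).lower(), ""),
                           source[1:])
        else:
            value = entry.get(source.lower(), "")
        record[mac_attr] = value
    return record


def check_records(records, min_uid=501):
    """Return (RecordName, problem) findings for a list of mapped records."""
    findings = []
    seen = {}
    for r in records:
        name, uid = r["RecordName"], r["UniqueID"]
        if not uid.isdigit():
            findings.append((name, "UniqueID is not numeric: %r" % uid))
            continue
        if int(uid) < min_uid:  # UIDs below 500 are system accounts on macOS
            findings.append((name, "UniqueID %s is in the reserved range (<%d)" % (uid, min_uid)))
        if uid in seen:
            findings.append((name, "UniqueID %s collides with %s" % (uid, seen[uid])))
        seen.setdefault(uid, name)
        if not SAFE_NAME.match(name):
            findings.append((name, "RecordName unsafe for home path %r" % r["NFSHomeDirectory"]))
    return findings


def compare_dc_views(ldif_a, ldif_b):
    """RecordNames whose UniqueID differs between two DC responses (sorted)."""
    a = {map_user(e)["RecordName"]: map_user(e)["UniqueID"] for e in parse_ldif(ldif_a)}
    b = {map_user(e)["RecordName"]: map_user(e)["UniqueID"] for e in parse_ldif(ldif_b)}
    return sorted(n for n in a if n in b and a[n] != b[n])


if __name__ == "__main__":
    records = [map_user(e) for e in parse_ldif(SAMPLE_LDIF_DC1)]
    for name, problem in check_records(records):
        print("%-14s %s" % (name, problem))
    print("UniqueID differs between DCs for:", compare_dc_views(SAMPLE_LDIF_DC1, SAMPLE_LDIF_DC2))
```

      To run it against real data, export the users with ldapsearch (e.g. `ldapsearch -H ldaps://ldaps.mycompany.com:636 -D "cn=username,ou=AADDC Users,dc=mycompany,dc=com" -W -b "dc=mycompany,dc=com" "(sAMAccountName=*)" cn sAMAccountName uSNCreated`) from two separate connections and feed both outputs to compare_dc_views; a failing ldapsearch is also the quickest way to separate the "Cannot connect to node" error above into a TLS/port 636 problem versus a bad bind DN. Two practical notes: the Distinguished Name and password entered on the Security tab end up stored on every Mac you configure, so use a dedicated read-only bind account rather than an admin, and if the two-DC comparison reports any users, pick a replicated, stable attribute for UniqueID instead of uSNCreated.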

      • Andy Saputra commented

        I think that can be accomplished if Microsoft could provide something like contoso.azuread.onmicrosoft.com or adatum.azuread.onmicrosoft.com then we would be able to join any of our Macs or other devices to the Azure AD.

        I'm currently managing 937 non-Windows, and most of them are Macs, would be great if Microsoft makes Azure AD available to non-Windows devices.

        Cheers!
