Azure AD join Mac OS X
It would be really cool to be able to Azure AD join other devices, like Mac OS for example.
Thanks for your feedback. Azure AD Join is unique to Windows 10 as it uses Windows components to generate/store the artifacts used for subsequent logins and enable SSO to other resources. AADJ on Mac OS or any non-Windows OS is not a possibility currently.
We are working on other approaches to enable conditional access from Mac OS devices.
By the way, closing off voting on this subject is not cool at all.
I'm going to keep this up until someone responds. We need a means whereby the Mac is an equal citizen in Azure AD. The method Microsoft is suggesting (that of having a "Company Page" from which you log in to Azure) provides only half of the necessary solution, which must also include Identity Management at the workstation login level. As Mac users, we demand equal treatment. Expect to see me again at this post in 30 days.
Microsoft ADFS workplace join also needs to allow Mac OS single sign-on for other corporate web applications.
Virgilio Serrano commented
This will be great! We could really use this.
Five months go by and still Microsoft doesn't get it. We don't want another approach for conditional access. We want AADJ. Please get with the program, people.
Paul Shadwell commented
I need this now!!
I just got Seamless Single Sign-on to work via AAD and AD Sync for Windows and was shocked that I couldn't configure the Macs to do the same. I was sure this was possible.
Would also love to see this. Moving to the cloud with an increase in Mac usage is not easy! Love the O365 ecosystem, just need to get Macs to bind to it.
Flagged as inappropriate. The archiving is what I consider inappropriate.
Well, actually, you guys need to change your mind on this one. Active Directory is going away in the SMB market. Microsoft really needs to step up to the plate and make this a priority, or companies are going to start to bail. Myself included.
Mike Kauspedas commented
Would love to see this, essential for cloud only companies 100% invested in office 365 + Azure.
I think this feature is essential for a cloud-only company that relies on Office 365 and Azure.
I tried your solution, but the server is always not responding: 'Cannot connect to node ...' In a directory browser it worked fine.
Anyone an idea?
mark zigadlo commented
How to Configure LDAP Authentication for Mac OS and Azure AD
1. Configure Secure LDAP (LDAPS) for an Azure AD Domain Services managed domain
Network Account Server Setup
1. System Preferences > Users & Groups > Login Options > click Lock Icon to allow changes
2. Network Account Server > Join > Open Directory Utility > click Lock Icon to allow changes
3. LDAPv3 > edit Pencil > New > Server Name
• Enter the FQDN of your LDAPS endpoint, i.e. ldaps.mycompany.com
• Check Encrypt using SSL > Manual
4. Enter a Configuration Name of your choice > Edit
• Check Use custom port and enter 636
Search & Mappings Tab
1. Click the (+) button and add the Users record type
a. Enter your Search Base, i.e. dc=mycompany,dc=com
2. With Users highlighted click (+) and add the following Attribute Types and associated values:
• NFSHomeDirectory - #/Users/$sAMAccountName$
• PrimaryGroupID - #20
• RealName - cn
• RecordName - sAMAccountName
• UniqueID - uSNCreated
• UserShell - #/bin/bash
3. Check Use authentication when connecting and enter a Distinguished Name
a. i.e. cn=username,ou=AADDC Users,dc=mycompany,dc=com
4. OK > OK when done
Search Policy Tab
1. For Authentication and Contacts use the Search dropdown to select Custom path > (+) > ADD
a. Choose the Directory Domain you just created
2. Apply and close the Directory Utility
3. You should now see the Network Account Server you just created with a green dot next to it. If you see a red dot, it either has not connected yet or something is wrong with your setup. A reboot sometimes helps.
4. Logout and login as a valid Network user.
Create mobile account
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
After the mobile account is created you can make the network user a local admin and give them access to unlock the drive at boot time if using FileVault.
A mobile account will also be needed if the user needs to log into the Mac while not connected to the Internet.
Wireless is not available at the Mac OS login screen. First-time users will have to log in with an Ethernet connection.
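As an added example (not part of the post above), the script below applies the Directory Utility attribute mapping from the post to a constructed LDIF entry, so you can see what local user record the Mac would build for a given AADDC user, and includes an offline-safe LDAPS probe for the "Encrypt using SSL" step. The LDIF values, the host name and the function names are constructed for illustration; note that uSNCreated is a per-domain-controller value, so a UniqueID derived from it should be checked for consistency across the managed domain's replicas before relying on it for file ownership.

```shell
#!/bin/sh
# Added example (not from the post above). Constructed LDIF, as ldapsearch over
# LDAPS (port 636) would return one user from the "AADDC Users" container.
SAMPLE_LDIF='dn: CN=Jane Doe,OU=AADDC Users,DC=mycompany,DC=com
cn: Jane Doe
sAMAccountName: jdoe
uSNCreated: 28771
userPrincipalName: jdoe@mycompany.com'

# ldif_attr LDIF ATTR: print the first value of ATTR (attribute names are
# case-insensitive in LDAP, so compare lower-cased).
ldif_attr() {
    printf '%s\n' "$1" | awk -v want="$2" '
        index($0, ":") > 0 {
            name = substr($0, 1, index($0, ":") - 1)
            if (tolower(name) == tolower(want)) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val)
                print val; exit
            }
        }'
}

# macos_record LDIF: apply the Directory Utility attribute mapping from the post
# to one entry and print the resulting local record, one Attribute=value per line.
macos_record() {
    sam=$(ldif_attr "$1" sAMAccountName)
    cn=$(ldif_attr "$1" cn)
    usn=$(ldif_attr "$1" uSNCreated)
    if [ -z "$sam" ] || [ -z "$usn" ]; then
        echo "entry lacks sAMAccountName or uSNCreated; login would fail" >&2
        return 1
    fi
    printf 'NFSHomeDirectory=/Users/%s\n' "$sam"   # "#/Users/$sAMAccountName$"
    printf 'PrimaryGroupID=20\n'                   # "#20" = local staff group
    printf 'RealName=%s\n' "$cn"
    printf 'RecordName=%s\n' "$sam"
    printf 'UniqueID=%s\n' "$usn"   # uSNCreated is per-DC: verify it matches on every replica
    printf 'UserShell=/bin/bash\n'
}

# ldaps_check HOST: succeed only if HOST:636 completes a TLS handshake with a
# chain openssl trusts (precondition for "Encrypt using SSL"). Needs network.
ldaps_check() {
    printf 'Q\n' | openssl s_client -connect "$1:636" -servername "$1" \
        -verify_return_error >/dev/null 2>&1
}

macos_record "$SAMPLE_LDIF"
```

Run `ldaps_check ldaps.mycompany.com` (your own endpoint) before binding; a red dot in Directory Utility is often just an untrusted or mismatched certificate on port 636.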
Andy Saputra commented
I think that can be accomplished if Microsoft could provide something like contoso.azuread.onmicrosoft.com or adatum.azuread.onmicrosoft.com then we would be able to join any of our Macs or other devices to the Azure AD.
I'm currently managing 937 non-Windows devices, and most of them are Macs. It would be great if Microsoft made Azure AD available to non-Windows devices.
Yes, we also have a need for this.
Have a need for it (1k+ devices)
It would be really great to see Azure AD joining.
Morten Halaas / Intility AS commented
This would be perfect in combination with Apple's Device Enrollment Program (DEP).