JumpCloud offers direct integration with Microsoft® 365™ so you can manage Microsoft 365 users from the JumpCloud Admin Portal. Their passwords are synced with their JumpCloud password the first time they log in to their JumpCloud User Portal after they’re associated with Microsoft 365.
Integrating M365 with JumpCloud
Benefits
This integration with JumpCloud allows for:
- Secure, persistent connectivity between JumpCloud and Microsoft 365.
- Importing pre-existing Microsoft 365 accounts into JumpCloud.
- Exporting (provisioning) new accounts into Microsoft 365 from JumpCloud.
- Continual synchronization from JumpCloud to Microsoft 365 accounts.
- End user self-service account management from the JumpCloud User Portal.
- Security Assertion Markup Language (SAML) Single Sign-on (SSO) users can log in to JumpCloud and Microsoft 365 with the same set of credentials.
Considerations
- Don’t authorize/create multiple instances of a cloud directory integration to the same M365 domain. If you do, users bound to multiple M365/Entra ID instances could be suspended in your M365/Entra ID directory if you unbind that user from one of the instances. You can avoid this by deactivating sync for multiple M365/Entra ID directory instances for the same domain.
- Be aware that after you deactivate sync for a M365/Entra ID instance and domain, all information specific to that M365/Entra ID directory integration in the JumpCloud Admin Portal will be permanently deleted and cannot be recovered by simply reactivating sync.
- App passwords may be necessary to authenticate legacy endpoints where multi-factor authentication (MFA) is configured in Microsoft 365.
- JumpCloud user accounts are synced with their Microsoft 365 user account based on the primary email address used in Microsoft 365.
- If multiple Microsoft 365 tenants are configured for JumpCloud’s Directory Sync and a JumpCloud user is bound to more than one Microsoft 365 tenant, only the Microsoft 365 tenant with the JumpCloud user’s matching Microsoft 365 primary email address will be synced.
- At this time, JumpCloud doesn’t support integration with GoDaddy’s implementation of Microsoft 365. This version has limited identity management capabilities that require SSO login with GoDaddy’s services to operate appropriately. Because of these requirements, we are prohibited from making changes to identities with the GoDaddy integration.
- Don’t import users that you don’t intend to manage with JumpCloud. You have 48 hours to remove unwanted users and to contact your Technical Account Manager to avoid being charged for any users you remove after import.
- If the password takeover functionality has been disabled for your JumpCloud organization, then the password only syncs when the user or admin changes it. In addition, active users with passwords will receive password reset emails from each Cloud Directory to which the user is associated.
- M365/Entra ID group management is only supported for security groups at this time.
Prerequisites
- An active Microsoft 365 domain.
- A user with the Global administrator role in Microsoft 365. We also recommend that you have a Global administrator service account.
M365 Integration Scenarios
You can integrate Microsoft 365 with JumpCloud in the following two ways:
- Taking over existing M365 accounts
- Provisioning new M365 accounts
Taking Over Existing M365 Accounts
When you import existing Microsoft 365 accounts and bind them to the Microsoft 365 directory you’ve enabled for sync, JumpCloud “takes over” the accounts and becomes the manager and password authority for those accounts.
Provisioning New M365 Accounts
Account provisioning involves creating and maintaining user accounts and their attributes. New Microsoft 365 accounts can be provisioned in Microsoft 365 or in JumpCloud.
M365-Initiated Provisioning
When an account is created in Microsoft 365, a temporary password can be sent to an alternate email address, which lets users gain access to their account.
When you create a user account in Microsoft 365, users are provisioned in the following way:
- Import the user into JumpCloud.
- Bind the user to the Microsoft 365 directory.
- The user resets their password in the JumpCloud User Portal.
- Account synchronization is complete.
JumpCloud-Initiated Provisioning
When you create new users in JumpCloud that don’t exist in Microsoft, JumpCloud creates user accounts (provisions) with the JumpCloud user’s credentials and attributes. For the new account to be provisioned to Microsoft 365, the account must have an email address of the primary Microsoft 365 domain that is synced with JumpCloud. This is useful if your organization intends to use JumpCloud to manage your Microsoft 365 deployment.
When creating an account in JumpCloud, an activation email can be sent to an alternate email address. Alternatively, admins can set a temporary password during creation.
To send an activation email to an alternate email address:
- Add the new user to JumpCloud.
- Bind the user to the Microsoft 365 directory.
- Leave Specify initial password unchecked.
- After saving the user, you will be prompted to send the activation email.
- The user will click the link in the activation email that was sent to the address you provided in step 1b and set their password.
- The user logs in to the JumpCloud User Portal with the password they set in step 2.
- Account synchronization is complete.
To set a temporary password for the user during creation:
- Log in the JumpCloud Admin Portal.
- Go to User Management > Users.
- Click ( + ), then select Manual user entry.
- Specify details for the user, making sure to set the following attributes as follows:
- The Company Email address you specify for the user is on the domain of the Microsoft 365 directory you want to provision the user to.
- For Password Settings, select Specify initial password, and then specify the user’s initial password.
- Select the Directories tab, then select the Microsoft 365 directory that matches the Company Email address you specified for the user.
- Click save user. The user’s account, including the initial password you set, are provisioned to Microsoft 365. It may take up to 60 seconds for the user account to be created in Microsoft.
When you go to your Microsoft 365 administrator dashboard, you'll see the new user in the user's list. You can now manage licensing and permissions for the user from Microsoft. Keep in mind that it may take up to a minute for Microsoft 365 to create the account.
User Flows
After you connect a user to a Microsoft 365 directory, the flow differs slightly for staged and active users:
Staged User Flow
- Staged user without a password: After you bind a staged user without a password to an external directory and then change their user state to active, you can choose to send the user an Activation email that tells them how to register their account. After the user registers their account, creates an account password, and logs in to their JumpCloud User Portal, their password is synced to the directories they’re associated with.
- Staged user with a password: After you bind a staged user with a password to an external directory and then change their user state to active, you can choose to send the user a Welcome email that tells them to log in to the User Portal. After they log in to their JumpCloud User Portal, their password is synced to the directories they’re associated with.
- Staged user access in M365: When binding a Staged user to M365, if JumpCloud does not find an existing M365 user to sync, the user will be created in an Active state with a randomized password. This will allow the user account to receive emails, but no login will be possible. However, if JumpCloud finds that the user already exists in M365, JumpCloud will NOT dispatch a password. This means the user may continue to login to their existing M365 account if it already exists. In either case, once the user logs in to JumpCloud’s User Portal for the first time, the password will be synced to M365.
Active User Flow
- Active user with a password: After you bind an active user with a password to an external directory, the user receives an email that informs them about that directory to which they’ve been added, and notifies them to synchronize their password by logging into their JumpCloud User Portal. When the user logs in, they see a modal informing them that their password has been updated.
- Active user without a password: After you bind an active user without a password to an external directory, the user’s password will be synchronized once a password is set by you or the user, and the user logs in to their JumpCloud User Portal.