Microsoft 365 / Entra ID Directory Sync

The Microsoft 365 (M365)/Entra ID Cloud Directory sync integration allows for secure and persistent connectivity between JumpCloud and M365/Entra ID. The integration allows you to automatically, in real-time, provision new JumpCloud user accounts into M365/Entra ID, continuously synchronize specified user attributes from JumpCloud to M365/Entra ID, manage security groups, and take over management of existing user accounts and security groups in M365/Entra ID from JumpCloud. In addition, admins can import users from M365/Entra ID into JumpCloud through the M365/ Entra ID Directory Sync or import and continuously synchronize user attributes using an Entra ID SCIM integration.

Important Considerations

  • You will need to reactivate the sync integration if any of the following occur:
    • The token has expired
    • The token has become invalid
    • The global admin account used to authorize the integration is disabled/has sign-in blocked
    • The person who configured the integration has left the organization or has changed roles 
  • Reactivating an integration does not disconnect users or groups from the M365/Entra ID integration. It creates a new access token for the integration

Adding and authorizing an M365/Entra ID Sync Integration

Creating an integration between JumpCloud and M365/Entra ID starts with adding the M365/Entra ID integration in the Cloud Directories page of the Admin Portal. Once added, you authorize M365/Entra ID Directory synchronization. After you authorize sync, you must validate your password expiration setting in Microsoft.

Warning:

Don’t authorize the same M365/Entra ID domain in multiple M365/Entra ID directory sync instances. If you do, users that are given access to multiple M356/Entra ID directory instances that are connected to the same domain could be suspended if you remove access from one of the instances. You can avoid this by deactivating sync for all but one M365/Entra ID directory sync instances for a single domain. Be aware that after you deactivate sync for an M365/Entra ID directory instance, that sync integration is permanently deleted and cannot be recovered.

To add and authorize M365 Sync integration in JumpCloud

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Cloud Directories.
  3. Click ( + ).
  4. Select M365/Azure AD. 
  5. Give the directory a unique name.

Important:

You’ll receive an error and won’t be able to proceed if:

  • You use invalid characters.
  • You don’t specify a unique name for the directory.
  • The name is more than 255 characters.
  • The name only contains whitespace.
  1. Click authorize sync.
  2. JumpCloud opens a session for you to log in to Microsoft Online – log in with an administrator account. 
  3. Optionally, choose whether to stay signed in. Click No or Yes
  4. Microsoft shows the items JumpCloud needs permissions to access. Click Accept.

Validating the Password Expiration Setting in Microsoft

After account synchronization is established between JumpCloud and M365/Entra ID, perform the following steps to make sure JumpCloud is the authority for password expiration for users in M365/Entra ID.

To check Microsoft’s password expiration setting

  1. In the M365 admin center, navigate to Settings > Org SettingsSecurity & privacy.
  2. Select Password expiration policy.
  3. Ensure that Set passwords to never expire (recommended) is selected.
  1. Click Save.

Importing M365 Users

After you authorize sync with Microsoft, a modal opens with a list of existing active Microsoft user accounts.

You can close this tab to import accounts at a later time, or you can continue importing accounts now.

For more information and instructions for manually importing users, see Sync Users and Groups to Microsoft 365 / Entra ID

For more information about importing and syncing users from M365/Entra ID in real-time using a SCIM integration, see Configure Real-time User Provisioning from Entra ID.

M365/Entra ID Synchronization Configuration and Maintenance

There are a few more steps to complete the M365/Entra ID Cloud Directory Synchronization Integration setup. 

Enabling Management of Security Groups and Memberships

Simplify access control using group management from JumpCloud. Create and update group names and membership in M365/Entra ID from JumpCloud.

To enable security groups and membership management

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance in which you want to create and manage the group(s).
  4. Check the box for Enable management of Security Groups and memberships in M365/Azure AD.
  5. Click save.
  6. From the User Groups tab, select the groups you want to manage.
  7. Click save.

To disable security groups and membership management

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance in which you want to create and manage the group(s).
  4. Uncheck the box for Enable management of Security Groups and memberships in M365/Azure AD.
  5. In the confirmation modal, click continue
  6. Click save.

Note:

Disabling group management will leave the groups as-is in M365/Entra ID and stops managing membership.

Managing Domain(s)

Specify one or more domains as part of the integration configuration to have more granular control over which user accounts sync and how the translation rule for the email to User Principal Name (UPN) mapping is applied. There are three (3) possible configurations: no domains, a list of one or more domains but no default, and a list of one or more domains with one of those domains used as a default for the UPN translation rule. Each configuration is described in more detail below.

  • If no domains are configured, the user’s mapped email (company or alternate) is not checked and sent as is. The user syncs as long as their email domain matches one of the verified domains in the M365/Entra ID instance
  • If one or more domains is configured and No default. Only users with matching domains sync is selected, the user’s mapped email default (company or alternate) is checked against the domains listed. Only users with matching email domains are synced
  • If one or more domains is configured and one of the domains is selected to Use as default, the user’s mapped email default (company or alternate) is checked against the domains listed:
    • If the domain matches one of the domains in the list, the email address is sent as is
    • If the domain does not match one of the domains in the list, the email value sent as the UPN wll be the username portion of the source email address (Company or Alternate Email) and the default domain

Examples of how domains are used by the integration.

Domains Configuration Source email(JumpCloud Company Email) Sync results Primary Email value sent to Cloud Directory
No domains [email protected] Synced [email protected]
[email protected] Synced [email protected]
[email protected] Sync failed [email protected]
Domains list = (mydomain.com, alternatedomain.com )&no default selected [email protected] Synced [email protected]
[email protected] Synced [email protected]
[email protected] N/A - user skipped N/A
Domains list = (mydomain.com, alternatedomain.com )&mydomain.com selected to use as default [email protected] Synced [email protected]
[email protected] Synced [email protected]
[email protected] Synced [email protected]

To add domains

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance.
  4. Click +Add Domain.
  5. Click the dropdown menu.
  6. Select one of the domains from the list.

Note:

The list is pulled dynamically from M365/Entra ID and only includes verified domains. The domain noted with (default), is the domain specified as the default in M365/Entra ID which is separate from the ‘Use ad default’ option within the integration configuration in JumpCloud.

  1. Repeat steps 4-6 to add additional domains.
  2. Click the radio button next to one of the domains to use that domain for the UserPrincipalName translation rule.
  3. Click save.

To set one of the domains as the default for the integration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance.
  4. Click Edit Domains.
  5. Click the radio button next to one of the domains to use that domain for the UserPrincipalName translation rule.
  6. Click save.

To edit the domains list

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance in which you want to create and manage the group(s).
  4. Click Edit Domains
  5. Click the radio button next to one of the domains to use that domain for the UserPrincipalName translation rule
  6. Click save.

To change which domain is used as the default for the integration

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance.
  4. Click Edit Domains
  5. Click the domain name t and make a new selection
  6. Click Click +Add Domain
  7. Click the dropdown menu
  8. Select one of the domains from the list
  9. Repeat steps 5-8 until all changes have been made
  10. Click save.

To remove domains from the list

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance in which you want to create and manage the group(s).
  4. Click Edit Domains
  5. Click the trash icon next to the domain you want to remove from the list
  6. Click save.

To change from using a default to not specifying a default domain

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Cloud Directories.
  3. Click the M365/Entra ID directory instance.
  4. Click Edit Domains
  5. Click the radio button next to No default. Only users with matching domains sync.
  6. Click save.

Configuring Attribute Mapping and Settings

You can control which attributes sync from the Attribute mapping and settings. For more information, see Sync User Attributes to M365.

Giving JumpCloud Users Access to M365

After you authorize sync for a M365 directory, complete the configuration, and, optionally, import users, you can specify users to manage by associating JumpCloud users and groups to the M365 directory instance. 

Considerations

  • M365/Entra ID group management is only supported for security groups at this time

To connect individual users to an M365 directory

  1. Log in to the JumpCloud Admin Portal.
  2. Go to User Management > Users.
  3. Select the Directories tab.
  4. Select the M365 directory you want to connect the user to.
  5. Click save user.
  6. Synchronization is initiated.

Note:

This will cause users to be logged out of all 365 apps.

Sync Behavior

  • If the user didn’t previously exist in Microsoft, and their email matches the M365 directory domain, a new, active user account is provisioned to Microsoft
  • If the user resets their JumpCloud password, it’s synced to Microsoft. When set, existing Microsoft sessions expire and the user must log in again

After you connect a user to an M365 directory, the flow differs slightly for new and active users:

Active user flow
  • An active user is a user in an “active” user state, has a password, and that password status is ‘active’. After an admin binds an active user to an external directory, the user receives an email that tells them the directory they’ve been added to and to synchronize their password by logging into their User Portal
New user flow
  • A new user is a user in an “active” user state with a password status of “password pending.” After an admin binds a new user without a password to an external directory, the user receives a Welcome to JumpCloud (activation) email that tells them how to register their account

Connecting User Groups to an M365 Directory

To connect user groups to an M365 directory as security groups:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to User Management > User Groups.
  3. Select a group to view its details.
  4. Select the Directories tab.
  5. Select the M365 directory you want to connect the group to.
  6. Click save group. Synchronization is initiated.

Note:

This will cause users to be logged out of all 365 apps.

Sync Behavior

  • See the Connecting Individual Users to an M365 Directory Sync Behavior section above for details about how members of the user group sync
  • If the Enable management of Security Groups and memberships in M365/Azure AD option is checked, groups will sync as follows:
    • If a group with the same name exists in M365/Entra ID, JumpCloud takes over the group
    • If a group with the same name does not exist in M365/Entra ID, a group is created in M365/Entra ID
    • If there is more than one group with the same name in M365/Entra ID, a third group is created in M365/Entra ID
    • At this time, M365/Entra ID group management is only supported for security groups

M365/Entra ID Synchronization Integration Maintenance

After synchronization with a M365 directory, you can perform these maintenance tasks:

Renaming a M365 Directory

You can rename a M365 directory at any time in the Admin Portal. 

To rename a M365 directory

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DIRECTORY INTEGRATIONS > Cloud Directories
  3. Select the M365 directory you want to rename.
  4. Click the Pencil icon to edit the directory name.
  5. Enter a new unique name for the directory.
  6. Click outside of the name field to save the new name.

Reactivating M365 Sync

Important:

If the integration has stopped syncing, check the following.  If any of these situations occur, you will need to reactivate the integration. Reactivating the integration does not disconnect users or groups from the integration. You will need to reactivate the sync integration if any of the following occur:

  • The token has expired
  • The token has become invalid
  • The global admin account used to authorize the integration is disabled/has sign-in blocked
  • The person who configured the integration has left the organization or has changed roles

To reactivate sync for a M365 domain

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DIRECTORY INTEGRATIONS > Cloud Directories.
  3. Select the M365 directory where you want to reactivate sync.
  4. Click Reactivate Sync.
  1. Follow Microsoft’s prompts to authorize JumpCloud.

Deactivating M365 Sync

If you no longer want to sync a M365 directory with JumpCloud, you can deactivate sync for it. Deactivation breaks sync for a M365 directory and unbinds all connected users and groups. Only deactivate sync for an M365 directory if you no longer need it to sync with JumpCloud.

Important:

After you deactivate sync for an M365 directory:

  • The following information is permanently deleted for the M365 directory, and isn’t recovered by reactivating sync:
    • Name
    • Configuration
    • Connections to users, groups, and resources
    • This specific instance of M365/Entra ID in JumpCloud
  • Sync ceases between JumpCloud and the M365 directory. 
  • User attribute changes are no longer propagated from JumpCloud to M365
  • All users are removed / unbound from the M365 directory in JumpCloud.
  • Users will not be effected and will retain access to their respective Microsoft applications.

To deactivate sync for an M365 domain

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DIRECTORY INTEGRATIONS > Cloud Directories.
  3. Select the M365 directory where you want to deactivate sync.
  4. Click Deactivate Sync.
  1. Click Deactivate Sync again. Users or groups that are bound to this directory are unbound from the directory and the JumpCloud instance is removed.

Disabling M365/Entra ID Accounts from JumpCloud

For details about disabling accounts in M365/Entra ID from JumpCloud, see Sync Users and Groups to Microsoft 365/Entra ID.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case