If you need a more advanced configuration when you set up Single Sign On (SSO) for Microsoft 365 in JumpCloud, you can use the commands provided in this article with the Microsoft Graph PowerShell SDK.
Make sure modern authentication is enabled for the Microsoft 365 Tenant. Learn more in Enable Modern Authentication for Microsoft 365.
Running the command
- Run PowerShell as an administrator and install the Microsoft.Graph Module for Windows PowerShell, if it is not already installed:
- Modify the PowerShell execution policy:
- Set the Execution Policy to Remote Signed by running Set-ExecutionPolicy RemoteSigned
- Answer A to confirm the change to the Execution Policy.
- Enter your M365 Global Administrator credentials.
- Connect to the Microsoft Graph with the required scopes:
- Run Install-Module PowershellGet
- Answer Y to install the NuGet Provider
- Answer A to Answer Yes to All to install from PSGallery.
- Run Install-Module Microsoft.Graph
Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All", "Organization.ReadWrite.All", "Directory.ReadWrite.All"
For more information - see Find your Office 365 Tenant
- Define your Microsoft 365 Domain:
$domain="yourdomain.tld"
- Define the IDP URL, this is the same value as the IDP URL in the connector, default value shown:
$idpUrl="https://sso.jumpcloud.com/saml2/office365"
- Define the SSO metadata URI:
- Log in to the JumpCloud Admin Portal
- Navigate to the SSO Applications tab
- Find and select Microsoft 365
- Select the SSO tab and click Copy Metadata URL
- Return to your Powershell window
- $metadataUri = <https://sso.jumpcloud.com/saml2/metadata/...>
- Define the logout URL:
$logoutUrl=”https://console.jumpcloud.com/userconsole/”
- Define the public cert:
This variable can't contain -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and can't contain spaces or newlines.
Export the metadata file from your JumpCloud SSO configuration and copy the certificate string between
<ds:X509Certificate> and </ds:X509Certificate>
$certificate="MIIDtTCCAp2gAwIBAgIJAJUpvv+YllN1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAlVTMRMwEQY…
TRUNCATED…
wcsC1lArmug//RG+BPp6yT6qhsm4g4wVcxpHWT8cA1py0TQaIQbNnBqNLDbQJl9oJ3PB9eiKEpEWtdtmcQOW3yB1AdxsQBKxtaNT5PypyLqnJ+e8="
- Define the Issuer URI, this must be the same value as the IdP Entity ID previously defined in the JumpCloud SSO configuration:
$issuerUri="https://YOUR_DOMAIN.com
- Enable SSO for the defined domain:
New-MgDomainFederationConfiguration -DomainId $domain -DisplayName “JumpCloud” -MetadataExchangeUri $metadataUri -IssuerUri $issuerUri -SignOutUri $logoutUrl -PassiveSignInUri $idpUrl -ActiveSignInUri $idpUrl -SigningCertificate $certificate -PreferredAuthenticationProtocol saml -FederatedIdpMfaBehavior “acceptIfMfaDoneByFederatedIdp” | Format-List
- Disconnect from the Graph connection:
Disconnect-MGGraph
Now that you’ve configured the service provider, read SSO with Microsoft 365/Entra ID to learn how to authorize user access and validate authentication workflows.
Troubleshooting
Check the IdP Entity ID value in JumpCloud to the value entered in the $issuerUri command - it must match exactly and be in a “https://domain.com” or “urn:uri:domain.com” format.