Configure Entra ID as an Identity Provider

Integrate Entra ID as an Identity Provider (IdP) with JumpCloud allowing users to securely authenticate with their IdP credentials to gain access to their managed resources. 

Prerequisites

• A JumpCloud Administrator With Billing account to configure an IdP 
• Microsoft Entra Admin Center login with the permission to create Enterprise Applications, like a Global Administrator or Application Administrator
• Existing users in JumpCloud

Considerations

• Federated authentication will be applied to only specific user groups:
  • See Routing Policies for Identity Providers to learn more
• Creating the IdP won't automatically result in users logging in with that IdP
• User Portal access will be available with a federated login:
  • If you don’t want User Portal access, create a policy to deny this
• Learn how to provision users from your Entra ID directory to JumpCloud

Preparing your IdP to Configure with JumpCloud

To register JumpCloud

1. Log in to your Microsoft Entra Admin Center. 
2. In the left hand navigation, go to Identity > Applications > App registrations. 
3. On the next page, click + New registration and enter the following:
   • *Name - Enter a name associated with JumpCloud. 
   • Supported Account Types - select Accounts in this organizational directory only.
   • Redirect URI- click the Select a platform dropdown menu > Web.
   • URI - enter https://login.jumpcloud.com/oauth/callback
4. Click Register. 
5. On the new JumpCloud app page, go to Manage > Authentication. 
6. Scroll down to Implicit grant and hybrid flows, and select ID tokens (used for implicit and hybrid flows). 
7. Click Save. 
8. Go to Manage > Token configuration > Optional claims.
9. Select +Add optional claim.
   • Token Type - select ID.
   • When the list of claims appears, select email and upn
10. Click Add.
11. At the top of the Add optional claim slide out, select Turn on the Microsoft Graph email, profile permission.
12. Click Add.
13. Go to Manage >API permissions, select Grant admin consent and then select Yes.
14. Go to Overview > Endpoints. 
15. A list of URLs will populate, in the OAuth 2.0 authorization endpoint (v2) field, copy the entire URL up until the /oauth2/v2.0/authorize.

16. Click X to exit the Endpoints window.
17. In the JumpCloud app window, copy the Application (client ID).

18. Under Client credentials, select Add a certificate or secret > + New client secret and enter the following:
    • Description - enter a description for your new secret.
    • Expires - select an expiration in dropdown menu. 
19. Click Add. 
20. The new Client Secret will populate on the page with a Value and Secret ID.

To create a new Entra user

1. From your Microsoft Entra Admin Center, in the left hand navigation, go to Users > All Users > + New user > Create new user.
2. On the next page, enter a User principal name.

3. For Mail nickname*, the option to Derive from user principal name is selected by default. You can change this if you’d like to. 
4. Enter a Display name*.
5. For Password*, keep the auto generated option selected. 
6. For Account enabled*, keep the checkbox selected by default.
7. Click Review + create.
8. On the next page, review your new user’s details and then click Create. 
9. The new user should populate in the list of Users, if it doesn’t, click Refresh. 
10. Next, you need to add an email to the new user. Click on the user you just created. 
11. On the user’s Overview page, click Properties. 
12. Copy the User principal name to your clipboard. This is where the ID token will be sent. 
13. Click the ‘pencil’ icon next to Contact Information to edit. 
14. In the Email field, paste the User principal name that you just copied. 
15. Click Save. If it doesn’t update right away, click Refresh.

Now, you have a connection to JumpCloud in Entra. Next, you’ll want to configure the connection in JumpCloud. 

Configuring Entra ID as an IdP in JumpCloud

1. Log in to your JumpCloud Admin Portal.
2. Go to DIRECTORY INTEGRATIONS > Identity Providers.
3. Click the Add Identity Provider dropdown menu, select Azure and enter the following:
   • Identity Provider Name - enter a name (i.e., Entra OIDC).
   • Azure IdP URL - copy/paste https://login.microsoftonline.com/<Directory (tenant ID)>
   • Client ID - enter the Application (client ID) associated with the new user you created.
   • Client Secret - enter the secret value you received when you created the client credentials.
4. Click Save. 
5. In Authentication, click +Routing Policy.
6. In the User Groups search bar, search for and select all user groups that will log in with Entra ID.
7. You’ll be prompted to verify that you want to enable Federated Device Authentication for your users’ login. Select I understand the impacts above, then click Yes, Continue.
8. Click Create when finished.
9. Now, you can go and test the connection to ensure everything is working as expected. 

Managing the IdP 

To manage the IdP:

1. From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
2. You can update the Identity Provider Name, Entra IdP URL, Client ID, and Client Secret. 
3. Under Authentication, you’ll see that Federation is applied to your users, allowing them to authenticate with an IdP. 

Deleting the IdP

To delete the IdP:

1. From your JumpCloud Admin Portal, click DIRECTORY INTEGRATIONS > Identity Providers.
2. At the bottom of the IdP Configuration page, under Delete Identity Provider, click Delete IdP. 
3. You’ll be prompted to confirm your deletion, then click Yes, Delete.

Additional Resources:

Walk through a guided simulation for Configuring Entra ID as an Identity Provider