Streamline lifecycle management for your organization by connecting Entra ID with JumpCloud through a real-time user import SCIM integration. This integration lets you manage your organization’s user identities in Entra ID, and easily connect users to all of the IT resources they need through JumpCloud. After you connect Entra ID with JumpCloud through our SCIM server, depending on the integration settings you choose, users are seamlessly created, updated, and deleted in JumpCloud according to the actions you take on users in Entra ID.
Your organization can now also enable RADIUS access with users' Entra ID credentials. See RADIUS Configuration and Authentication.
Prerequisites
- A JumpCloud Administrator API key
Considerations
- The ?aadOptscim062020 feature flag must be added to the Tenant URL for user updates and deprovisioning to be supported.
- Only new users will be created if this flag is not added
- Real-time Group import isn’t currently supported
Attribute Considerations
- The manager attribute isn’t supported
Integrating Entra ID with the JumpCloud SCIM Server
- Log in to your Microsoft Entra admin center.
- Click on Enterprise applications to create a custom app.
- Click New application > Create your own application.
JumpCloud isn’t in the Entra application Gallery.
- Under What’s the name of your app? Enter a name to distinguish the JumpCloud integration.
- Next, answer the question, What are you looking to do with your application? with the multiple choice answer, Integrate any other application you don’t find in the gallery (Non-gallery). Click Create.
- Now, you can see your application dashboard. In the left navigation menu, click on Single sign-on.
JumpCloud doesn’t have SAML access, so select from the options Disabled or Password-based.
- If you select the Password-based option, the Sign-on URL needs to be provided. Copy/Paste the JumpCloud user console URL link into the designated field and click Save.
- In the left navigation menu, click Provisioning.
- Under the Provisioning Mode dropdown menu, select Automatic. This will power the real-time sync using the SCIM server.
- Under Admin Credentials, there are two fields required to connect the real-time JumpCloud import’s API and synchronize your user data.
- Tenant URL: For JumpCloud, this is a SCIM-based URL: https://api.jumpcloud.com/scim/v2/?aadOptscim062020
- Secret Token: A JumpCloud API key should be used to authorize this integration. The API key in JumpCloud is associated with an admin account. Use an admin account that has a role of Admin with Billing, Administrator, or Manager and that will be a long-lived admin account for your organization. See Generating a New API Key.
- Click Test Connection. You will receive a notification that the authorization was successful. Click Save.
- Under Mappings, click on Provision Microsoft Entra ID (formerly Active Directory) Groups. The default option will be enabled to Yes.
JumpCloud doesn’t currently support the real-time import of Groups, so this option needs to be toggled to No. Then click Save. You will be prompted to confirm that you want to save your changes; click Yes.
- Now, go back to the Provisioning dashboard > Mappings section and click on the next option, Provision Microsoft Entra ID (formerly Active Directory) Users. Leave this option enabled to Yes.
- Under Target Object Actions, there are three available capabilities: Create, Update, and Delete. You can choose which options you’d like.
For Attribute Mappings, not all of the Entra ID attributes are available or supported within JumpCloud. Any unsupported attributes that are left enabled in Entra ID can cause the provisioning to fail.
- Click on an attribute to edit it. The attribute mapped to userName needs to be adjusted to satisfy JumpCloud’s attribute validation. The default mapping uses userPrincipalName as the source attribute; we suggest changing the source attribute to mailNickname, which is typically the first.lastname. Click Ok.
- The mail attribute needs to be edited to change its source attribute to userPrincipalName. The primary email in JumpCloud is the work email, which serves as the userPrincipalName in Entra.
- From here, you can delete any attributes that you don’t want mapped. Take a look at the Attribute Mappings table below to see which attributes JumpCloud sends to Entra because not all attributes are supported.
- Once the Attribute Mappings are set, click Save. You will be prompted to confirm you want to save your changes, click Yes.
- Now, go back to the Provisioning dashboard > Settings section. There are options to Send email notifications if failures occur, in addition to Scope, which allows you to choose if you want to Sync all users and groups or only assigned users and groups.
- Leave the Provisioning Status toggled On.
- If any changes were made, click Save.
- Go back to the main dashboard > left navigation menu, click on Users and groups to assign users to the app.
- Click Add user/group > Users > None Selected to select Users to add. Search for the users you want to add and click Select, then Assign.
It takes ~40 minutes for users to be provisioned to JumpCloud. If you need to expedite this process, there is an option to Provision on demand.
- From the Provisioning dashboard, click Provision on demand, search for the user that needs to be added, select them and click Provision. This will push the new user to JumpCloud immediately.
- Notes:
- The user is added in a Password Pending status. Entra ID doesn’t pass the user’s password to JumpCloud.
- If changes are made to this user within JumpCloud, it won’t be reflected in Entra ID through this integration.
We recommend using a name like Real-time JumpCloud Import, or something similar.
JumpCloud Supported SCIM Attribute Mappings
The following table lists attributes that the JumpCloud SCIM client will accept from this integration. Learn about JumpCloud Properties and how they work with systemusers in our API.
Recommended Entra Attribute Mappings | SCIM v2 Mapping | JumpCloud Property | JumpCloud UI | JumpCloud Validation | Type |
---|---|---|---|---|---|
mailNickname | userName | username | | required, no special characters, (max length 1024). note: email may not be used as username. Some integrations leverage the email substring for the username | string |
givenName | name.givenName | firstname | First Name | max length 1024 | string |
surname | name.familyName | lastname | Last Name | max length 1024 | |
userPrincipalName | emails: value (primary) | | Company Email | email, required, max length 1024 | string |
displayName | displayName | displayName | Display Name | - | string |
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | !suspended && !passwordExpired | N/A | - | boolean |
- | meta.created | N/A | N/A | - | string |
- | meta.lastModified | N/A | N/A | - | string |
jobTitle | title | jobTitle | Job Title | - | string |
department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:user:department | department | Department | - | string |
- | locale | location | Location | - | string |
- | costCenter | costCenter | Cost Center | - | string |
- | userType | employeeType | Employee Type | - | string |
- | organization | company | Company | - | string |
employeeID | urn:ietf:params:scim:schemas:extension:enterprise:2.0:user:employeeNumber | employeeIdentifier | Employee ID | - | string |
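
The recommended mappings and validation rules above can be checked before a provisioning cycle. The following Python is an added example, not JumpCloud or Microsoft code: it applies the recommended mappings to a constructed Entra user record and reports which table rules the result breaks. The function names, the sample record, and the reading of "no special characters" as letters, digits, `.`, `-` and `_` are assumptions.

```python
import re

MAX_LEN = 1024  # "max length 1024" in the table
# Assumption: "no special characters" means letters, digits, '.', '-', '_'.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]+")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
UNSUPPORTED = {"manager"}  # listed under Attribute Considerations


def to_scim(entra):
    """Apply the recommended mappings to an Entra user record (a dict)."""
    return {
        "userName": entra.get("mailNickname"),
        "name": {"givenName": entra.get("givenName"),
                 "familyName": entra.get("surname")},
        "emails": [{"value": entra.get("userPrincipalName"), "primary": True}],
        "displayName": entra.get("displayName"),
        # Switch([IsSoftDeleted], , "False", "True", "True", "False"),
        # with IsSoftDeleted held here as a Python bool.
        "active": not entra.get("IsSoftDeleted", False),
    }


def validate(scim, enabled_mappings):
    """Return the table rules this user and mapping set would break."""
    problems = [f"unsupported attribute mapped: {a}"
                for a in sorted(UNSUPPORTED & set(enabled_mappings))]
    user = scim.get("userName") or ""
    if not user:
        problems.append("userName is required")
    elif "@" in user:
        problems.append("userName may not be an email address")
    elif not USERNAME_RE.fullmatch(user):
        problems.append("userName contains special characters")
    primary = [e.get("value") or "" for e in scim.get("emails", [])
               if e.get("primary")]
    email = primary[0] if primary else ""
    if not EMAIL_RE.fullmatch(email):
        problems.append("primary email is required and must be an email")
    name = scim.get("name", {})
    for label, value in [("userName", user), ("email", email),
                         ("givenName", name.get("givenName") or ""),
                         ("familyName", name.get("familyName") or "")]:
        if len(value) > MAX_LEN:
            problems.append(f"{label} exceeds {MAX_LEN} characters")
    return problems


# Constructed sample record, not real data.
SAMPLE = {"mailNickname": "first.lastname", "givenName": "First",
          "surname": "Lastname", "displayName": "First Lastname",
          "userPrincipalName": "first.lastname@example.com",
          "IsSoftDeleted": False}
```

Leaving userPrincipalName as the source for userName, as in the default mapping, is reported as an email used for the username, which is why the steps above switch the source to mailNickname.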