Configure Real-time User Provisioning from Azure AD

Streamline lifecycle management for your organization by connecting AzureAD with JumpCloud through a real-time user import SCIM integration. This integration lets you manage your organization’s user identities in AzureAD, and easily connect users to all of the IT resources they need through JumpCloud. After you connect AzureAD with JumpCloud through our SCIM server, depending on the integration settings you choose, users are seamlessly created, updated, and deleted in JumpCloud according to the actions you take on users in AzureAD.

Prerequisites:

• A JumpCloud Administrator API key. Learn how to access this key in Step 10 below. 

Considerations:

• Real-time Group import isn’t currently supported. 

Attribute Considerations:

• The Manager attribute isn’t supported.

Integrating AzureAD with the JumpCloud SCIM Server

To integrate AzureAD with the SCIM server:

1. Log in your Azure Active Directory admin center. 
2. Click on Enterprise applications to create a custom app. 
3. Click New application > Create your own application.
   • Note: JumpCloud isn’t in the Azure AD application Gallery. 
4. Under What’s the name of your app? Enter a name to distinguish the JumpCloud integration.
   • Note: We recommend using a name like; Real-time JumpCloud Import, or something similar.
5. Next, answer the question, What are you looking to do with your application? with the multiple choice answer, Integrate any other application you don’t find in the gallery (Non-gallery). Click Create. 
6. Now, you can see your application dashboard. In the left navigation menu, click on Single sign-on.
   • Note: JumpCloud doesn’t have SAML access, so select from the options Disabled or Password-based. 
7. If you select the Password-based option, the Sign-on URL needs to be provided. Copy/Paste the JumpCloud user console URL link into the designated field and click Save. 
8. In the left navigation menu, click Provisioning.
9. Under the Provisioning Mode dropdown menu, select Automatic. This will power the real-time sync using the SCIM server. 
10. Under Admin Credentials, there are two fields required to connect the real-time JumpCloud import’s API and synchronize your user data.
    • Tenant URL: For JumpCloud, this is a SCIM-based URL: https://api.jumpcloud.com/scim/v2
    • Secret Token: A JumpCloud API key should be used to authorize this integration. The API key in JumpCloud is associated with an admin account. Use an admin account that has a role of Admin with Billing, Administrator, or Manager that will be a long lived admin account for your organization. Log into this account and click on your initials in the top right corner, then click API Settings to access your API Key. Copy/paste this key into the Secret Token field. 
11. Click Test Connection. You will receive a notification that the authorization was successful. Click Save.
12. Under Mappings, click on Provision Azure Active Directory Groups. The default option will be enabled to Yes.
    • Note: JumpCloud doesn’t currently support the real-time import of Groups just yet, so this option needs to be toggled to No, then click Save. You will be prompted to confirm you want to save your changes, click Yes. 
13. Now, go back to the Provisioning dashboard > Mappings section and click on the next option, Provision Azure Active Directory Users. Leave this option enabled to Yes. 
14. Under Target Object Actions, there are three available capabilities; Create, Update and Delete. You can choose which options you’d like.
    • Note: For Attribute Mappings, not all of the Azure AD attributes are available or supported within JumpCloud. 
15. Click on an attribute to edit it. The attribute mapped to userName needs to be adjusted to satisfy JumpCloud’s attribute validation. We suggest userPrincipalName, the default mapping, be edited to adjust the source attribute to mailNickname, this is typically the first.lastname. Click Ok.
16. The attribute, mail needs to be edited to adjust the source attribute to userPrincipalName. The primary email in JumpCloud is the work email which serves as the userPrincipalName in Azure AD. 
17. From here, you can delete any attributes that you don’t want mapped. Take a look at the Attribute Mappings table below to see which attributes JumpCloud sends to Azure AD because not all attributes are supported. 
18. Once the Attribute Mappings are set, click Save. You will be prompted to confirm you want to save your changes, click Yes. 
19. Now, go back to the Provisioning dashboard > Settings section. There are options to Send email notifications if failures occur, in addition to Scope, which allows you to choose if you want to Sync all users and groups or only assigned users and groups. 
20. Leave the Provisioning Status toggled On. 
21. If any changes were made, click Save.
22. Go back to the main dashboard > left navigation menu, click on Users and groups to assign users to the app. 
23. Click Add user/group > Users > None Selected to select Users to add. Search for the users you want to add and click Select, then Assign.
    • Note: It takes ~40 minutes for users to be provisioned to JumpCloud. If you need to expedite this process, there is an option to Provision on demand.
      • From the Provisioning dashboard, click Provision on demand, search for the user that needs to be added, select them and click Provision. This will push the new user to JumpCloud immediately.
        • Notes:
          • The user is added in a Password Pending status. Azure AD doesn’t pass the user’s password to JumpCloud.
          • If changes are made to this user within JumpCloud, it won’t be reflected in Azure AD through this integration. 

JumpCloud Supported SCIM Attribute Mappings

The following table lists attributes that the JumpCloud SCIM client will accept from this integration. Learn about JumpCloud Properties and how they work with systemusers in our API.