Configure Real-time User Provisioning from Azure AD

Streamline lifecycle management for your organization by connecting AzureAD with JumpCloud through a real-time user import SCIM integration. This integration lets you manage your organization’s user identities in AzureAD, and easily connect users to all of the IT resources they need through JumpCloud. After you connect AzureAD with JumpCloud through our SCIM server, depending on the integration settings you choose, users are seamlessly created, updated, and deleted in JumpCloud according to the actions you take on users in AzureAD.


Your organization can now also enable RADIUS access with user's Azure AD credentials. See RADIUS Configuration and Authentication.


  • A JumpCloud Administrator API key. Learn how to access this key in Step 10 below. 


  • Real-time Group import isn’t currently supported. 

Attribute Considerations:

  • The Manager attribute isn’t supported.

Integrating AzureAD with the JumpCloud SCIM Server

To integrate AzureAD with the SCIM server:

  1. Log in your Azure Active Directory admin center. 
  2. Click on Enterprise applications to create a custom app. 
  3. Click New application > Create your own application.
    • Note: JumpCloud isn’t in the Azure AD application Gallery. 
  4. Under What’s the name of your app? Enter a name to distinguish the JumpCloud integration.
    • Note: We recommend using a name like; Real-time JumpCloud Import, or something similar.
  5. Next, answer the question, What are you looking to do with your application? with the multiple choice answer, Integrate any other application you don’t find in the gallery (Non-gallery). Click Create
  6. Now, you can see your application dashboard. In the left navigation menu, click on Single sign-on.
    • Note: JumpCloud doesn’t have SAML access, so select from the options Disabled or Password-based
  7. If you select the Password-based option, the Sign-on URL needs to be provided. Copy/Paste the JumpCloud user console URL link into the designated field and click Save
  8. In the left navigation menu, click Provisioning.
  9. Under the Provisioning Mode dropdown menu, select Automatic. This will power the real-time sync using the SCIM server. 
  10. Under Admin Credentials, there are two fields required to connect the real-time JumpCloud import’s API and synchronize your user data.
    • Tenant URL: For JumpCloud, this is a SCIM-based URL:
    • Secret Token: A JumpCloud API key should be used to authorize this integration. The API key in JumpCloud is associated with an admin account. Use an admin account that has a role of Admin with Billing, Administrator, or Manager that will be a long lived admin account for your organization. Log into this account and click on your initials in the top right corner, then click API Settings to access your API Key. Copy/paste this key into the Secret Token field. 
  11. Click Test Connection. You will receive a notification that the authorization was successful. Click Save.
  12. Under Mappings, click on Provision Azure Active Directory Groups. The default option will be enabled to Yes.
    • Note: JumpCloud doesn’t currently support the real-time import of Groups just yet, so this option needs to be toggled to No, then click Save. You will be prompted to confirm you want to save your changes, click Yes
  13. Now, go back to the Provisioning dashboard > Mappings section and click on the next option, Provision Azure Active Directory Users. Leave this option enabled to Yes
  14. Under Target Object Actions, there are three available capabilities; CreateUpdate and Delete. You can choose which options you’d like.
    • Note: For Attribute Mappings, not all of the Azure AD attributes are available or supported within JumpCloud. 
  15. Click on an attribute to edit it. The attribute mapped to userName needs to be adjusted to satisfy JumpCloud’s attribute validation. We suggest userPrincipalName, the default mapping, be edited to adjust the source attribute to mailNickname, this is typically the first.lastname. Click Ok.
  16. The attribute, mail needs to be edited to adjust the source attribute to userPrincipalName. The primary email in JumpCloud is the work email which serves as the userPrincipalName in Azure AD. 
  17. From here, you can delete any attributes that you don’t want mapped. Take a look at the Attribute Mappings table below to see which attributes JumpCloud sends to Azure AD because not all attributes are supported. 
  18. Once the Attribute Mappings are set, click Save. You will be prompted to confirm you want to save your changes, click Yes
  19. Now, go back to the Provisioning dashboard > Settings section. There are options to Send email notifications if failures occur, in addition to Scope, which allows you to choose if you want to Sync all users and groups or only assigned users and groups
  20. Leave the Provisioning Status toggled On
  21. If any changes were made, click Save.
  22. Go back to the main dashboard > left navigation menu, click on Users and groups to assign users to the app. 
  23. Click Add user/group > Users > None Selected to select Users to add. Search for the users you want to add and click Select, then Assign.
    • Note: It takes ~40 minutes for users to be provisioned to JumpCloud. If you need to expedite this process, there is an option to Provision on demand.
      • From the Provisioning dashboard, click Provision on demand, search for the user that needs to be added, select them and click Provision. This will push the new user to JumpCloud immediately.
        • Notes:
          • The user is added in a Password Pending status. Azure AD doesn’t pass the user’s password to JumpCloud.
          • If changes are made to this user within JumpCloud, it won’t be reflected in Azure AD through this integration. 

JumpCloud Supported SCIM Attribute Mappings

The following table lists attributes that the JumpCloud SCIM client will accept from this integration. Learn about JumpCloud Properties and how they work with systemusers in our API.

Recommended Azure Attribute Mappings SCIM v2 Mapping JumpCloud Property JumpCloud UI JumpCloud Validation Type
mailNickname userName username required, no special characters, (max length 1024). note: email may not be used as username. Some integrations leverage the email substring for the username string
givenName name.givenName firstname First Name max length 1024 string
surname name.familyName lastname Last Name max length 1024
userPrincipalName emails: value (primary) email Company Email email, required, max length 1024 string
displayName displayName displayName Display Name - string

Switch([IsSoftDeleted], , "False", "True", "True", "False")


!suspended && !passwordExpired

N/A - boolean
- meta.created N/A N/A - string
- meta.lastModified N/A N/A - string
jobTitle title jobTitle Job Title - string


department Department - string
- locale location Location - string
- costCenter costCenter Cost Center - string
- userType employeeType Employee Type - string
- organization company Company - string


employeeIdentifier Employee ID - string

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case