Enable Microsoft 365/Entra ID WS-Federation

Use JumpCloud as your Identity Provider (IdP) for Microsoft-dependent users by configuring Web Services Federation (WS-Fed). WS-Fed is a Single Sign-On protocol similar to SAML SSO, but it additionally supports:

  • Windows Add Work Account AAD Join (for Office apps or JC MDM)
  • Select Office apps (web and clients)
  • Windows onboarding Out-of-Box (OOBE) AAD Join

Read this article to learn how to set up WS-Fed.

Prerequisites

Considerations

  • When users are federating as part of an OOBE flow, authentication will fail if Device Trust is required.

Adding a new M365 Application

Tip:

Skip this section if you have already configured SSO with Microsoft 365/Entra ID

  1. Log in to the JumpCloud Admin Portal.
  2. Navigate to USER AUTHENTICATION > SSO Applications
  3. Configure SSO with Microsoft 365/Entra ID and ensure the IdP Entity ID is the name of the domain you want to federate.
  4. Select the newly created application and copy the application ID from its URL.

Tip:

To find the application ID, open the application in the JumpCloud Admin Portal. If the URL is https://console.jumpcloud.com/#/applications/663a8fb979aa83c58df6081e/details, the application ID is 663a8fb979aa83c58df6081e.

Federating the Domain

  1. If not installed, install Microsoft Graph PowerShell.
  2. Run Get-MsolDomain to see the list of domains (the domain will show as managed).
  3. If necessary, log into your MS Tenant.
  4. In a new tab, copy and paste the following URL:

https://sso.jumpcloud.com/wsfed/:appID/commands

  5. Replace :appID with the Application ID copied in the previous section and hit Enter.
  6. Copy the output.
  7. In PowerShell, paste the command that was generated and hit Enter.
  8. If successful, it will take you back to the prompt.
  9. Verify the domain is federated by rerunning Get-MsolDomain to see the list of domains (the domain will now show as federated).
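The final step only checks that the domain shows as federated. The following added example (not JumpCloud's own code) goes a step further and inspects the federation settings the generated command wrote, so a wrong endpoint or an expiring token-signing certificate is caught before users notice. It assumes the MSOnline module that provides Get-MsolDomain is installed and Connect-MsolService has been run; the expected IdP host (sso.jumpcloud.com) and the domain name example.com are assumptions and placeholders.

```powershell
function Test-JcWsFedDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$ExpectedIdpHost = 'sso.jumpcloud.com'   # assumption, not taken from the article
    )

    $problems = @()

    # 1. Authentication type must be Federated (the same thing Get-MsolDomain shows in step 9).
    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        $problems += "Authentication is '$($domain.Authentication)', expected 'Federated'"
    }

    # 2. Federation settings written by the generated command.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName

    if ($fed.PreferredAuthenticationProtocol -ne 'WsFed') {
        $problems += "PreferredAuthenticationProtocol is '$($fed.PreferredAuthenticationProtocol)', expected 'WsFed'"
    }

    # The browser sign-in endpoint should point at the IdP you intended to trust.
    if (-not $fed.PassiveLogOnUri) {
        $problems += 'PassiveLogOnUri is empty'
    } elseif (([Uri]$fed.PassiveLogOnUri).Host -ne $ExpectedIdpHost) {
        $problems += "PassiveLogOnUri host is '$(([Uri]$fed.PassiveLogOnUri).Host)', expected '$ExpectedIdpHost'"
    }

    # 3. Token-signing certificate: sign-ins stop working when it expires, so warn ahead of time.
    if (-not $fed.SigningCertificate) {
        $problems += 'SigningCertificate is empty'
    } else {
        try {
            $bytes = [Convert]::FromBase64String($fed.SigningCertificate)   # base64 DER certificate
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
            $daysLeft = ($cert.NotAfter - (Get-Date)).Days
            if ($daysLeft -lt 30) {
                $problems += "Signing certificate '$($cert.Subject)' expires in $daysLeft day(s) ($($cert.NotAfter))"
            }
        } catch {
            $problems += "SigningCertificate could not be parsed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        DomainName = $DomainName
        Healthy    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: replace the placeholder with the domain you federated.
Test-JcWsFedDomain -DomainName 'example.com' | Format-List
```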

Logging into the Federated Domain

  1. Log in as a user to the JumpCloud User Portal.
  2. Click I understand at the Password Update Notice.
  3. In the User Portal, select the Microsoft 365 tile and sign in.
  4. If successful, you will be taken to your M365 portal.
