Enable Microsoft 365/Entra ID WS-Federation

Use JumpCloud as your Identity Provider (IdP) for Microsoft-dependent users by configuring Web Services Federation (WS-Fed). Although WS-Fed is a Single Sign-On protocol similar to SAML SSO, it provides support for:

  • Windows Add Work Account AAD Join (for Office apps or JC MDM)
  • Select Office apps (web and clients)
  • Windows onboarding Out-of-Box (OOBE) AAD Join

Read this article to learn how to setup WS-Fed.



  • When users are federating as part of an OOBE flow, authentication will fail if requiring Device Trust 

Adding a new M365 Application


Skip this section if you have already configured SSO with Microsoft 365/Entra ID

  1. Log in to the JumpCloud Admin Portal.
  2. Navigate to USER AUTHENTICATION > SSO Applications
  3. Configure SSO with Microsoft 365/Entra ID and ensure the IdP Entity ID is the name of the domain you want to federate.
  4. Select the newly created application and copy the application ID from its URL.


To find the application ID, open the application in the JumpCloud Admin Portal. If the URL is https://console.jumpcloud.com/#/applications/663a8fb979aa83c58df6081e/details, the application ID is 663a8fb979aa83c58df6081e.

Federating the Domain

  1. If not installed, install Microsoft Graph PowerShell.
  2. Run Get-MsolDomain to see list of domains (domain will show as managed).
  3. If necessary, log into your MS Tenant.
  4. In a new tab, copy and paste the following URL:


  1. Replace :appID with the Application ID copied in the previous section and hit Enter
  2. Copy the output
  3. In Powershell, paste the command that was generated and hit Enter.
  4. If successful, it will take you back to the prompt.
  5. Verify the domain is federated by rerunning Get-MsolDomain to see list of domains (domain will now show as federated).

Logging into the Federated Domain

  1. Log in as a user to the JumpCloud User Portal.
  2. Click I understand at the Password Update Notice.
  3. In the User Portal, select the Microsoft 365 tile and sign in.
  4. If successful, you will be taken to your M365 portal.
Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case