Integrating
JumpCloud uses an OAuth2 token for authorization, and TLS to secure and persist its connection with Microsoft 365 to perform our integration tasks.
Within the Microsoft 365 admin console, navigate to the admin center for Entra ID. From the Entra ID admin center dashboard, select the Users tab and then the Audit logs tab under Activity. All events occurring via the JumpCloud / Microsoft 365 OAuth connection are logged in these audit logs under the admin account used to authorize the OAuth connection in JumpCloud. It is best practice to create a dedicated Microsoft 365 admin account to authorize the JumpCloud / Microsoft 365 OAuth connection.
When the OAuth session is deactivated in JumpCloud, all users in Microsoft 365 will remain active and functioning. This is by design. Within JumpCloud, all user accounts will remain active as well when de-authorization with Microsoft 365 occurs. Note that when de-authorization occurs, all selected members bound to Microsoft 365 are un-selected. When and if the products are-reactivated, the admin will need to re-bind the users in the Microsoft 365 Directory to re-establish the connection and ownership-control of the accounts in Microsoft 365.
While this was previously not a supported configuration, use of the Active Directory Bridge can now indeed be used when either Google Apps or Microsoft 365 user provisioning are enabled.
JumpCloud can integrate with multiple Microsoft 365 tenants, but JumpCloud users are only able to integrate with one M365 tenant based on their email address. JumpCloud does not support binding users to multiple M365 tenants.
At this time, JumpCloud can not import user profile pictures or avatars into JumpCloud's user accounts.
At this time, JumpCloud does not support integration with GoDaddy's implementation of Microsoft 365. This version has more limited management capabilities that require SSO login with GoDaddy's services in order to operate appropriately. Because of these requirements, we are inhibited from making changes to the identity with the integration.
Prior to 1 January 2013, generic MX records such as mail.global.frontbridge.com could be used for email. After 15 July 2014, if they weren't updated, service disruption may be experienced. See the Microsoft Communities article for more information.
The Microsoft 365 and Google Workspace Directory integrations can be used together to successfully synchronize both service providers with JumpCloud. The directory integrations utilize the user's email address as the unique identifier for synchronization. Due to this architecture, your domain records may need to be mapped so that the same email address is used between all service providers. For more information refer to the follow vendor-specific documentation:
Are your new JumpCloud users not getting their Welcome emails? Microsoft 365 may be blocking your emails from JumpCloud because of the pre-inbox filters you’re using. Try adding an allow-list entry in Microsoft 365 for the jumpcloud.com domain. Learn how to securely add a sender to an allow list in Microsoft 365 in Step 7 of Microsoft’s Configure your spam filter policies article.
Importing
Upon import, you will see a failure for this user to import, as an account with the same email already exists.
JumpCloud's Microsoft 365 synchronization UI displays all of your Microsoft 365 users, regardless of whether they were previously imported. We will provide filtering mechanisms and improved workflow in the future.
At this time, only user accounts and security groups are supported between JumpCloud and Microsoft 365.
No. Once the Global Administrator credentials have been authenticated, the connection to Microsoft 365, regardless of Administrator, can perform importation and provisioning tasks.
Please see the attributes table in Sync User Attributes with M365.
Provisioning
While an admin can prevent a welcome email from being delivered to the end user when creating the account, binding the user to Microsoft 365 will send an email to the employee. We recommend educating the employee base first before adding them to Microsoft 365.
Not right away. It takes a few minutes for the JumpCloud user to be provisioned in M365. Once that is done, their license will need to be added manually for them. The user will then need to reset their password through JumpCloud so their JumpCloud and M365 passwords will be in sync.
Yes, Directory Insights will show only the successful events referenced in the table below.
DI Event | Description |
---|---|
user_create_provision | Logged when a user is created in M365. |
user_update_provision | Logged when one or more user attributes are updated in M365. |
user_password_update_provision | Logged when a user’s password is updated in M365. |
user_deprovision | Logged when user is deactivated in M365 due to the user being suspended or having access to the integration revoked in JumpCloud. |
Synchronization
The administrator can unbind the user from the Microsoft 365 in JumpCloud which will trigger the user in Microsoft 365 to be set as "block sign-in." Re-binding the user will un-block the User in Microsoft 365.
The user remains unchanged in JumpCloud. If you wish to remove the user from JumpCloud, these actions must be performed manually in the JumpCloud console.
Should the user need to be re-provisioned from JumpCloud to Microsoft 365, Microsoft 365 will often require up to 24 hours until they release the email address to be used again. You may re-bind the user at that time to re-deploy the account back to Microsoft 365.
Credentials
Microsoft's maximum password length is 256 characters, so this shouldn't be a problem. You can read Password policies and account restrictions in Microsoft Entra ID for more specifics. Please note that JumpCloud password changes will not take effect on an Microsoft 365 if fewer than 8 or greater than 16 characters, and will result in error.
JumpCloud's password complexity will govern the password being used to sign into Microsoft 365, just as with any other resource the user is connected to. JumpCloud will not prevent a user from changing their password in their Microsoft 365 account to a non-compliant password. JumpCloud will, however, overwrite the non-compliant password in Microsoft 365 with the compliant JumpCloud password.
The user’s Microsoft 365 account is suspended and they cannot authenticate and they cannot receive emails. Resetting the user’s password in JumpCloud will re-activate the user’s Microsoft 365 account.
The employee can change their password from Microsoft 365's password change system; however, this will not update to the JumpCloud organization. The user's account in JumpCloud is only updated when an admin makes a manual update or change to the user account in JumpCloud. If the account is not updated in JumpCloud, the unchanged version of the password will overwrite the modified one in Microsoft 365 and will log the user out of the Microsoft 365 session.
Microsoft currently doesn't offer the ability in their console or API to block users from changing their JumpCloud password in these services. This is a problem because password sync issues occur between JumpCloud and Entra ID/M365 when a user resets their JumpCloud password directly in these services.
Recommendations:
We recommend installing a URL redirection browser extension, and configuring it to redirect users to change their password in the JumpCloud User Portal.
Browser Extension Configuration Notes
- Redirect users away from this URL:
- Direct users to change their password here:
Yes, JumpCloud's Microsoft 365 Directory Integration can work in parallel with Microsoft 365 MFA.
Users are prompted to update their Microsoft 365 password. If the password is updated in Microsoft 365, JumpCloud's version of the password overwrites the Microsoft 365 password. The user is then logged out of their Microsoft 365 session and the user will have to enter their JumpCloud credentials. To avoid this, we recommend setting the Microsoft 365 password expiration setting to match or be greater than JumpCloud's setting.