Microsoft 365 Directory Integration Overview

JumpCloud offers direct integration with Microsoft® 365™ (M365) so you can manage M365 users from the JumpCloud Admin Portal. A user's M365 password is set to their JumpCloud password the first time they log in to the JumpCloud User Portal after they're associated with M365.

Integrating M365 with JumpCloud

Benefits

This integration with JumpCloud allows for:

  • Secure, persistent connectivity between JumpCloud and M365
  • Importing pre-existing M365 accounts into JumpCloud
  • Exporting (provisioning) new accounts into M365 from JumpCloud
  • Continual synchronization from JumpCloud to M365 accounts
  • End user self-service account management from the JumpCloud User Portal
  • Security Assertion Markup Language (SAML) single sign-on (SSO), so users log in to JumpCloud and M365 with the same set of credentials

Considerations

Warning:
  • Don't authorize or create more than one cloud directory integration for the same M365 domain. If you do, a user bound to several M365/Entra ID instances can be suspended in your M365/Entra ID directory when you unbind that user from one of the instances. Avoid this by deactivating sync on all but one M365/Entra ID directory instance for a given domain.
  • After you deactivate sync for an M365/Entra ID instance and domain, all information specific to that directory integration in the JumpCloud Admin Portal is permanently deleted; reactivating sync does not recover it.
  • App passwords may be necessary to authenticate legacy endpoints where multi-factor authentication (MFA) is configured in M365. An app password lets a client that can't perform MFA sign in with a single static secret, so treat each one as an MFA exception: issue it for one legacy client only and revoke it when that client is retired.
  • A JumpCloud user account is matched to its M365 user account by the primary email address used in M365.
  • If multiple M365 tenants are configured for JumpCloud's Directory Sync and a JumpCloud user is bound to more than one of them, only the tenant whose primary email address matches the JumpCloud user's email is synced.
  • JumpCloud doesn't currently support integration with GoDaddy's implementation of M365. That version has limited identity management capabilities and requires SSO login through GoDaddy's services, which prevents JumpCloud from making changes to identities.
  • Don't import users you don't intend to manage with JumpCloud. If you import users by mistake, you have 48 hours to remove them and contact your Technical Account Manager; otherwise you are charged for users you remove after import.
  • If password takeover has been disabled for your JumpCloud organization, a password syncs only when the user or an admin changes it. In addition, active users with passwords receive a password reset email from each cloud directory they're associated with.
  • M365/Entra ID group management is currently supported for security groups only.

Prerequisites

  • An active M365 domain
  • A user with the following administrator roles in M365:
    • Privileged role administrator
    • Groups administrator
    • Users administrator
  • We also recommend that you have a Global administrator service account

M365 Integration Scenarios

You can integrate M365 with JumpCloud in the following two ways:

  1. Taking over existing M365 accounts
  2. Provisioning new M365 accounts

Taking Over Existing M365 Accounts

When you import existing M365 accounts and bind them to the M365 directory you've enabled for sync, JumpCloud "takes over" the accounts: it becomes their manager and password authority, and each user's M365 password is replaced by their JumpCloud password the first time they log in to the JumpCloud User Portal.

Provisioning New M365 Accounts

Account provisioning involves creating and maintaining user accounts and their attributes. New M365 accounts can be provisioned in M365 or in JumpCloud.

M365-Initiated Provisioning

When an account is created in M365, a temporary password can be sent to an alternate email address so the user can sign in to the account.

When the account was created in M365, bring it under JumpCloud management as follows:

  1. Import the user into JumpCloud.
  2. Bind the user to the M365 directory.
  3. The user resets their password in the JumpCloud User Portal.
  4. Account synchronization is complete.

JumpCloud-Initiated Provisioning

When you create a user in JumpCloud who doesn't exist in Microsoft, JumpCloud provisions an M365 account with the JumpCloud user's credentials and attributes. For the account to be provisioned to M365, the user's email address must be on the primary domain of the M365 directory that is synced with JumpCloud. This is useful if your organization intends to manage its M365 deployment from JumpCloud.
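A pre-flight check that applies the rules from the Considerations above and from this paragraph (one integration per domain, matching by primary email, only the matching tenant syncs, no provisioning for an email off the synced domain) to an import list before you bind anyone. This is an added example, not JumpCloud's own tooling or API: the directory labels, the record layout and every sample account are constructed, and "on the primary domain" is treated as an exact, case-insensitive domain match.

```python
"""Pre-flight check of a user list before importing/binding to M365 in JumpCloud.

Added example, not JumpCloud's own tooling. It applies the sync rules stated
on this page: a user syncs to the M365 directory whose primary domain matches
the user's email; a user bound to several M365 directories syncs only to the
matching one; a user whose email is on no bound directory's domain will not be
provisioned; and two integrations for the same domain are unsafe. Directory
labels, record shapes and all sample accounts below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class M365Directory:
    label: str   # how the integration is labelled in the Admin Portal (assumed)
    domain: str  # primary M365 domain synced by this integration


@dataclass(frozen=True)
class Candidate:
    email: str                  # Company Email that will be set in JumpCloud
    bound_to: tuple[str, ...]   # labels of the M365 directories to bind


@dataclass(frozen=True)
class Finding:
    email: str
    level: str                        # "ok", "warn" or "error"
    message: str
    sync_target: Optional[str] = None  # directory label that will actually sync


def email_domain(email: str) -> str:
    """Return the lower-cased domain part, rejecting malformed addresses."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain or "." not in domain:
        raise ValueError(f"malformed email: {email!r}")
    return domain.lower()


def check_directories(dirs: list[M365Directory]) -> list[Finding]:
    """Flag domains served by more than one integration (unbind/suspend risk)."""
    by_domain: dict[str, list[str]] = defaultdict(list)
    for d in dirs:
        by_domain[d.domain.lower()].append(d.label)
    return [
        Finding("", "error",
                f"domain {dom} has {len(labels)} integrations ({', '.join(labels)}); "
                "keep a single active sync per domain")
        for dom, labels in by_domain.items() if len(labels) > 1
    ]


def check_candidate(c: Candidate, dirs: dict[str, M365Directory]) -> Finding:
    """Decide which bound directory (if any) this user will sync to."""
    try:
        domain = email_domain(c.email)
    except ValueError as exc:
        return Finding(c.email, "error", str(exc))
    unknown = [lbl for lbl in c.bound_to if lbl not in dirs]
    if unknown:
        return Finding(c.email, "error", f"unknown directory label(s): {unknown}")
    if not c.bound_to:
        return Finding(c.email, "warn", "not bound to any M365 directory; nothing will sync")
    matches = [lbl for lbl in c.bound_to if dirs[lbl].domain.lower() == domain]
    if not matches:
        return Finding(c.email, "error",
                       f"email domain {domain} is not the primary domain of any bound "
                       "directory; the account will not be provisioned or synced")
    if len(matches) > 1:
        return Finding(c.email, "error",
                       f"more than one bound directory serves {domain}: {matches}")
    target = matches[0]
    if len(c.bound_to) > 1:
        return Finding(c.email, "warn",
                       f"bound to {len(c.bound_to)} tenants; only {target} matches the "
                       "primary email and will sync", target)
    return Finding(c.email, "ok", f"will sync to {target}", target)


def preflight(dirs: list[M365Directory], candidates: list[Candidate]) -> list[Finding]:
    """Run all checks; review every 'error' and 'warn' before importing."""
    by_label = {d.label: d for d in dirs}
    findings = check_directories(dirs)
    findings.extend(check_candidate(c, by_label) for c in candidates)
    return findings


# Constructed sample: two integrations and five import candidates.
SAMPLE_DIRS = [
    M365Directory("Contoso M365", "contoso.example"),
    M365Directory("Fabrikam M365", "fabrikam.example"),
]
SAMPLE_CANDIDATES = [
    Candidate("alice@contoso.example", ("Contoso M365",)),
    Candidate("bob@contoso.example", ("Contoso M365", "Fabrikam M365")),
    Candidate("carol@mail.example", ("Contoso M365",)),
    Candidate("dave@fabrikam.example", ()),
    Candidate("Eve@FABRIKAM.example", ("Fabrikam M365",)),
]

if __name__ == "__main__":
    for f in preflight(SAMPLE_DIRS, SAMPLE_CANDIDATES):
        print(f"{f.level:5} {f.email:25} {f.message}")
```

Run it over your user export before importing and resolve every error finding; the warn findings are the multi-tenant and unbound cases described in the Considerations, which sync to one tenant or not at all rather than failing.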

When creating an account in JumpCloud, an activation email can be sent to an alternate email address. Alternatively, admins can set a temporary password during creation.

To send an activation email to an alternate email address:

  1. Add the new user to JumpCloud.
    1. Bind the user to the M365 directory.
    2. Leave Specify initial password unchecked.
    3. After saving the user, you will be prompted to send the activation email.
  2. The user clicks the link in the activation email sent to the address you provided in step 1 and sets their password.
  3. The user logs in to the JumpCloud User Portal with the password they set in step 2.
  4. Account synchronization is complete.

To set a temporary password for the user during creation:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to User Management > Users.
  3. Click the ( + ) icon, then select Manual user entry.
  4. Specify details for the user, making sure to set the following attributes:
    1. The Company Email address you specify for the user is on the domain of the M365 directory you want to provision the user to.
    2. Under Password Settings, select Specify initial password, and then enter the user's initial password. Treat it as a temporary secret: deliver it to the user out of band and have them change it at first login.
  5. Select the Directories tab, then select the M365 directory that matches the Company Email address you specified for the user.
  6. Click save user. The user's account, including the initial password you set, is provisioned to M365. It may take up to 60 seconds for the user account to be created in Microsoft.

Note:

When you go to your M365 admin center, the new user appears in the Users list, and you can manage the user's licensing and permissions from Microsoft. It may take up to a minute for M365 to create the account.

User Flows

After you connect a user to an M365 directory, the flow differs slightly for staged and active users:

Staged User Flow

  • Staged user without a password: After you bind a staged user without a password to an external directory and then change their user state to active, you can choose to send the user an activation email that tells them how to register their account. After the user registers, creates an account password, and logs in to the JumpCloud User Portal, their password is synced to the directories they're associated with.
  • Staged user with a password: After you bind a staged user with a password to an external directory and then change their user state to active, you can choose to send the user a welcome email that tells them to log in to the User Portal. After they log in to the JumpCloud User Portal, their password is synced to the directories they're associated with.
  • Staged user access in M365: When you bind a staged user to M365 and JumpCloud does not find an existing M365 user to sync with, the user is created in M365 in an active state with a randomized password. The account can receive email, but no one can log in to it. If JumpCloud finds that the user already exists in M365, it does not set a password, so the user can keep logging in to their existing M365 account. In either case, once the user logs in to the JumpCloud User Portal for the first time, their JumpCloud password is synced to M365.

Active User Flow

  • Active user with a password: After you bind an active user with a password to an external directory, the user receives an email telling them which directory they've been added to and asking them to log in to the JumpCloud User Portal to synchronize their password. When they log in, a modal tells them their password has been updated.
  • Active user without a password: After you bind an active user without a password to an external directory, the user's password is synchronized once you or the user set a password and the user logs in to the JumpCloud User Portal.
