SSO with Microsoft 365/Entra ID

Connect Microsoft 365/Entra ID (M365) with JumpCloud to give your users convenient but secure access with a single set of credentials.

Use this guide to learn how to configure JumpCloud's SAML Single Sign On (SSO) connector for M365.

Prerequisites

Note:

The required PowerShell commands will not work on other non-Windows operating system, such as Linux or MacOS.

Important:

PowerShell 5.1 or higher must be used, up to PowerShell 6. PowerShell 7 isn't supported by the Azure Active Directory Module.

  • Verify you have “Global administrator” level access to your M365 tenant/organization.
    • Go to Azure Active Directory > Users > select the user > Assigned Roles. Your account should have “Global administrator” listed.
  • Modern Authentication must be enabled on the M365 tenant.
  • MFA cannot be enabled on the M365 tenant, either through conditional access or on a per-user basis. If not disabled, users will have two separate MFA prompts in the same login.
  • Confirm the following in Azure Active Directory > Custom Domain Names.
    • The domain you would like to federate (e.g., YOUR_DOMAIN.com) is listed, verified, and not the Primary/(Default).
    • The onmicrosoft.com default domain or another domain you do not want to federate is the Primary/ (Default) domain. Set up a global admin account in your default domain (for example, admin@YOUR_DOMAIN.onmicrosoft.com) so that there is an admin account that can sign in outside of SSO as a failsafe.
  • Federation must be disabled on the target domain. If you need to disable Federation, see Disable Microsoft 365 Federation with PowerShell.

Important Considerations

  • In M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. If JumpCloud MFA is enabled while also having M365 MFA enabled, end users will encounter two separate MFA prompts during the same login.
  • The default domain in M365 cannot be federated.
  • When SSO is enabled, all users in the email domain you’re configuring SSO for are affected. After SSO is enabled, users aren’t able to log in to Microsoft 365 using password authentication.

General Considerations

  • At this time, JumpCloud doesn’t support integration with GoDaddy’s implementation of M365. This version has limited identity management capabilities that require SSO login with GoDaddy’s services to operate appropriately. Because of these requirements, we are prohibited from making changes to identities with the GoDaddy integration.
  • After a M365 domain is federated, the Microsoft applications your employees use to access their email may work differently, especially older “legacy” applications. See the following articles for more information:

Entra Sync Considerations

  • SSO with existing Entra Connect or Entra Connect Cloud Sync – If you want to use JumpCloud’s SSO, but still use a local Active Directory to manage your M365 users, you must import your users into JumpCloud using the Directories tool before SSO becomes available.

Note:

If Entra Connect or Entra Connect Cloud Sync is active for your organization, JumpCloud won't be able to update your users in M365. SSO will still function based on users' JumpCloud logins.

  • If you are migrating your M365 users from Entra Connect or Entra Connect Cloud Sync to JumpCloud management, JumpCloud can’t manage the users until Entra Connect or Entra Connect Cloud Sync is disabled.

Warning:

This setting applies to all domains in your M365 account, not just SSO domains.

iOS Considerations

The iOS Mail client supports SSO. If you want to use JumpCloud’s SSO with the iOS Mail client:

  • On the device, go to Settings > Mail > Accounts > Exchange.
  • Enter your email address and a description and click Next.
  • Click Sign In, this will trigger the Safari redirect to the JumpCloud User Portal.

Creating a new JumpCloud Application Integration

  1. Log in to the JumpCloud Admin Portal.
  2. Navigate to USER AUTHENTICATION SSO Applications.
  3. Click + Add New Application.
  4. Type the name of the application in the Search field and select it.
  5. Click Next.
  6. In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.

Note:

If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.

  1. Click Save Application.
  2. If successful, click:
    • Configure Application and go to the next section.
    • Close to configure your new application at a later time.

Configuring the SSO Integration

To configure JumpCloud

  1. Create a new application or select it from the Configured Applications list.
  2. Select the SSO tab.
  3. Replace instances of YOUR_DOMAIN in the IdP Entity ID and Login URL fields with the name of the domain you will be federating.

Important:

The IdP Entity ID and Login URL fields must match the M365 domain that’s to be SSO-enabled (federated) over to JumpCloud. These fields shouldn’t be the default domain, (e.g., YOUR_DOMAIN.onmicrosoft.com).

  1. In the IDP URL field, either leave the default value or enter a plaintext string unique to this connector.
  1. Add any desired additional attributes.
  2. Click save.
  3. Find Microsoft 365 in the Configured Applications list and click anywhere in the row to reopen the application configuration panel.
  4. Select the SSO tab and click Export Metadata.

Tip:

The JumpCloud-office365-metadata.xml file will download to your local Downloads folder.

To regenerate your Microsoft 365 IdP certificate

You can regenerate your M365 IdP certificate at any time.

Important:

Before you begin this process, you will need access to your M365 tenant using an account that isn’t bound by the SSO login process. As stated earlier in the article, this would be a global admin account in your M365 tenant that’s part of a domain that isn’t federated (typically something like admin@YOUR_DOMAIN.onmicrosoft.com).

Warning:

The certificate regeneration process will break SSO logins until complete. You should notify the rest of your infrastructure team about the outage. This should be done during off hours to reduce the chance of a login issue for your users.

  1. After regenerating the certificate, you must export a new metadata file:
    • In the SSO tab, click Export Metadata.
    • The new metadata file will download to your local Downloads folder.
  2. Disable the current configuration:
    • Run Disable-JumpCloud.Office365.SSO -XMLFilePath .\JumpCloud-office365-metadata.xml.

Important:

M365 will not recognize the new metadata file until the current configuration is disabled.

  1. Upload the new metadata file:
    • Run Enable-JumpCloud.Office365.SSO -XMLFilePath .\JumpCloud-office365-metadata.xml.

Note:

If you need a more advanced configuration, see SSO with Microsoft 365 - Alternative Manual Service Provider Set Up Method.

To configure Microsoft

Installing Microsoft Powershell Modules

  1. On a Microsoft Windows X86-based computer, run PowerShell as an administrator. 
  2. Install the Microsoft Azure Active Directory Module for Windows PowerShell (as referenced in the Prerequisites section):
    • Run Install-Module MSOnline.
    • Answer Y to install the NuGet Provider.
    • Answer A to Answer Yes to All to install from PSGallery.
  3. Connect to the M365 ID tenant:
    • Run Connect-MSOLService.
    • Enter your M365 Global Administrator credentials.
  4. Install the Microsoft Exchange Online Management module (as referenced in the Prerequisites section):
    • Run Install-Module ExchangeOnlineManagement.
    • Answer A to Answer Yes to All to install from PSGallery.
  5. Modify the PowerShell execution policy:
    • Set the Execution Policy to Remote Signed by run Set-ExecutionPolicy RemoteSigned.
    • Answer A to confirm the change to the Execution Policy.
  6. Connect to Microsoft Exchange:
    • Run Connect-ExchangeOnline.
    • Enter your M365 Global Administrator credentials.

To enable federation in M365

To enable SSO, enable federation between your JumpCloud organization and your M365 tenant. The next steps will verify your current configuration and enable this federation. This step will make JumpCloud your IdP, but some settings will remain within Azure and M365, such as the option to remain logged in. You may set app specific conditional access policies in JumpCloud that will obligate users to authenticate through MFA or using modern authentication.

  1. Verify the current authentication method of your M365 domains:
    • Run Get-MSOLDomain.
      • For domains that list the authentication method as Managed, SSO is disabled.
      • For domains that list the authentication method as Federated, SSO is enabled.
  2. If you have not, install Microsoft’s JumpCloud SSO PowerShell Module (as referenced in the Prerequisites section):
    • Run Install-Module -Name JumpCloud.Office365.SSO.
    • Answer A to Answer Yes to All to install from PSGallery.
  3. Verify the current JumpCloud federation status of your M365 domain:
    • Run Show-JumpCloud.Office365.SSO to show the current status of JumpCloud SSO Federation for a specific domain.
    • At the Domain: prompt, enter your domain name.
    • The result returns the JumpCloud federation status for the domain provided.
  1. To enable Single Sign On (SSO), run Enable-JumpCloud.Office365.SSO -XMLFilePath .\JumpCloud-office365-metadata.xml.

Authorizing User SSO Access

Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel. 

To authorize user access from the Application Configuration panel

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
  3. Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
  4. Select the check box next to the group of users you want to give access.
  5. Click save

To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.

Validating SSO authentication workflow(s)

IdP Initiated

  • Access the JumpCloud User Console.
  • Select the application’s tile.
  • The application will launch and login the user.

SP Initiated

  • Navigate to your Service Provider application URL.
  • You will be redirected to log in to the JumpCloud User Portal.
  • The browser will be redirected back to the application and be automatically logged in.

Disabling M365 SSO

  1. Change the directory of your PowerShell session to the location of the JumpCloud metadata file downloaded in To configure JumpCloud. For example, replace <User> with the active username: cd “C:\Users\<User>\Downloads”.
  2. Run Disable-JumpCloud.Office365.SSO -XMLFilePath .\JumpCloud-office365-metadata.xml.

Important:

Per Microsoft documentation, it may take up to 2 hours for the sign-in process to be updated, and in some extreme cases up to 24 hours.

To delete the application

  1. Log in to the JumpCloud Admin Portal.
  2. Go to USER AUTHENTICATION > SSO Applications.
  3. Search for the application that you’d like to delete.
  4. Check the box next to the application to select it.
  5. Click Delete.
  6. Enter the number of the applications you are deleting
  7. Click Delete Application.
  8. If successful, you will see an application deletion confirmation notification.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case