SSO with Microsoft 365 – Alternative Manual Service Provider Set Up Method

If you need a more advanced configuration when you set up Single Sign On (SSO) for Microsoft 365 in JumpCloud, you can use the commands provided in this article with the Microsoft Graph PowerShell SDK.


Make sure modern authentication is enabled for the Microsoft 365 Tenant. Learn more in Enable Modern Authentication for Microsoft 365.

Running the command

  1. On a Microsoft Windows X86-based computer, run PowerShell as an administrator. 
  2. Install the Microsoft.Graph Module for Windows PowerShell, if it is not already installed:
    • Run Install-Module PowershellGet
    • Answer Y to install the NuGet Provider
    • Answer A to Answer Yes to All to install from PSGallery.
    • Run Install-Module Microsoft.Graph
  3. Modify the PowerShell execution policy:
    • Set the Execution Policy to Remote Signed by running Set-ExecutionPolicy RemoteSigned
    • Answer A to confirm the change to the Execution Policy.
    • Enter your M365 Global Administrator credentials.
  4. Connect to the Microsoft Graph with the required scopes:

Connect-MgGraph -TenantId "" -Scopes "Organization.ReadWrite.All, Directory.ReadWrite.All, Domain.ReadWrite.All"


For more information - see Find your Office 365 Tenant 

  1. Define your Microsoft 365 Domain:


  1. Define the idpUrl, this is the same value as the IDP URL in the connector, default value shown:


  1. Define the SSO metadata URI:
    • Log in to the JumpCloud Admin Portal
    • Navigate to the SSO Applications tab
    • Find and select Microsoft 365
    • Select the SSO tab and click Copy Metadata URL
    • Return to your  Powershell window
    • $metadataUri = <value copied from JumpCloud Admin Portal>
  2. Define a logout URL:


  1. Define the public cert.


This variable can't contain -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and can't contain spaces or newlines.


Export the metadata file from your JumpCloud SSO configuration and copy the certificate string between

<ds:X509Certificate> and </ds:X509Certificate>




  1. Define the Issuer URI, this must be the same value as the IDP Entity ID previously defined:


  1. Run the following to enable SSO for the defined domain:

New-MgDomainFederationConfiguration -DomainId $domain -DisplayName “JumpCloud” -MetadataExchangeUri $metadataUri -IssuerUri $issuerUri -SignOutUri $logoutUrl -PassiveSignInUri $idpUrl --ActiveSignInUri $idpUrl -SigningCertificate $certificate -PreferredAuthenticationProtocol saml -FederatedIdpMfaBehavior “acceptIfMfaDoneByFederatedIdp” | Format-List

Now that you’ve configured the service provider, read SSO with Microsoft 365/Entra ID to learn how to authorize user access and validate authentication workflows. 

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case