JumpCloud supports M365 SSO, allowing users to authenticate to M365 through JumpCloud. However, because of an M365 limitation, once SSO is enabled for a federated domain, every user in that domain must start authenticating through JumpCloud immediately. This article describes a method to enable M365 SSO for named accounts only, so that admins can test M365 SSO with their production accounts without affecting the wider user population.
Prerequisites
- You have reviewed the following articles:
- You have a Custom Domain name verified with M365 that is not your production domain (referred to as a staging domain in this article).
Creating and Verifying a Staging Domain
- As mentioned in the Prerequisites section, you need a verified custom domain name that is not the production domain:
- For example, the company Rickie uses rickie-demo.co.uk as its M365 production domain. All users authenticate to M365 using their rickie-demo.co.uk email address.
- Within M365, Rickie has verified another custom domain, rickie-staging.co.uk, which is not in use by its users. rickie-staging.co.uk will be used for federation.
- This can be verified in Azure by navigating to Azure Active Directory -> Custom Domain Names.
Any purchased domain name can be used for this purpose. It just needs to be a Microsoft-verified custom domain name that is not in use by users within the organization.
Creating an M365/Entra ID Cloud Directory in Jumpcloud
SSO from JumpCloud only works for users that are imported directly from the M365 cloud directory; otherwise the immutable ID is not available. The JumpCloud prebuilt M365 SSO connector sends the immutable ID as the SAML NameID, the unique identifier in each SAML assertion. The M365 directory should therefore sync with JumpCloud: import your users, bind them to the M365 directory and to the M365 SAML application, and the immutable ID can then be supplied in the assertion.
Follow the steps in this article to create the M365/Entra ID Cloud Directory.
Note that the Cloud Directory should be integrated with the production domain. Using the domain names from the example above, the Cloud Directory is integrated with rickie-demo.co.uk.
Configuring SSO with M365
Follow the steps in this article to federate the M365 staging domain with JumpCloud.
Federation must be carried out with the staging domain, not the production domain.
Using the domain names from the example above, federation is configured for rickie-staging.co.uk AND NOT rickie-demo.co.uk (the domain suffix for user logins).
Naming Accounts for Federation Using Aliasing
For any production account you would like to test JumpCloud SSO with:
- Log in to the Microsoft 365 admin center.
- Navigate to Users.
- Select the user account you would like to test JumpCloud SSO with.
- Select Manage username and email.
- Add an alias using the same username but with the staging domain.
- Select Add, then Save changes.
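The same preparation can be done from PowerShell, with the checks a cautious admin would want before touching a production account: that the staging domain is verified and federated, that the production domain is still Managed (so nobody else is forced through JumpCloud), and that the test user actually has an immutable ID for the SAML NameID. This is an added example, not part of the article or JumpCloud's own tooling; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, the domain names from the article's example, and a placeholder username `alice`.

```powershell
# Added example (not from the article): pre-flight checks and alias creation for one test user.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, and that the
# operator holds Domain.Read.All / User.Read.All in Graph plus Exchange recipient admin rights.
$ProdDomain    = 'rickie-demo.co.uk'      # production domain from the article's example
$StagingDomain = 'rickie-staging.co.uk'   # staging (federated) domain from the example
$TestUser      = 'alice'                  # placeholder local part of the account under test

Connect-MgGraph -Scopes 'Domain.Read.All', 'User.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. The staging domain must be verified and federated; the production domain must remain
#    Managed, otherwise every user on it would be redirected to JumpCloud immediately.
$staging = Get-MgDomain -DomainId $StagingDomain
$prod    = Get-MgDomain -DomainId $ProdDomain
if (-not $staging.IsVerified -or $staging.AuthenticationType -ne 'Federated') {
    throw "$StagingDomain must be verified and federated (currently: $($staging.AuthenticationType))"
}
if ($prod.AuthenticationType -ne 'Managed') {
    throw "$ProdDomain is '$($prod.AuthenticationType)'; the production domain must stay Managed"
}

# 2. The JumpCloud M365 connector sends the immutable ID as the SAML NameID, so the test
#    user must have one (it is present when the user was imported from the M365 directory).
$upn  = "$TestUser@$ProdDomain"
$user = Get-MgUser -UserId $upn -Property 'UserPrincipalName', 'OnPremisesImmutableId'
if ([string]::IsNullOrEmpty($user.OnPremisesImmutableId)) {
    throw "$upn has no immutable ID; import the user from the M365 directory in JumpCloud first"
}

# 3. Add the staging-domain alias: same username, staging suffix. A lower-case 'smtp:' prefix
#    adds a secondary address only, so the production address stays primary.
$alias = "smtp:$TestUser@$StagingDomain"
Set-Mailbox -Identity $upn -EmailAddresses @{ Add = $alias }

# 4. Show the resulting alias so the tester knows which address to enter at the Microsoft sign-in page.
(Get-Mailbox -Identity $upn).EmailAddresses | Where-Object { $_ -like "*@$StagingDomain" }
```

Only the user who signs in with the staging-domain alias is routed to JumpCloud; everyone else on rickie-demo.co.uk continues to authenticate as before.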
Testing SSO
- Navigate to the Microsoft portal and sign in with the alias you created.
- You are redirected to JumpCloud.
- Authenticate to JumpCloud using your primary username.
- You are now logged in to M365 with your production account.