- \n
- You will need to reactivate the sync<\/a> integration if any of the following occur:\n
- \n
- The token has expired<\/li>\n\n\n\n
- The token has become invalid<\/li>\n\n\n\n
- The global admin account used to authorize the integration is disabled\/has sign-in blocked<\/li>\n\n\n\n
- The person who configured the integration has left the organization or has changed roles <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Reactivating an integration does not disconnect users or groups from the M365\/Entra ID integration. It creates a new access token for the integration<\/li>\n<\/ul>\n\n\n\n
Adding and authorizing an M365\/Entra ID Sync Integration<\/strong><\/h2>\n\n\n\n
Creating an integration between JumpCloud and M365\/Entra ID starts with adding the M365\/Entra ID integration in the Cloud Directories page of the Admin Portal. Once added, you authorize M365\/Entra ID Directory synchronization. After you authorize sync, you must validate your password expiration setting in Microsoft.<\/p>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nDon\u2019t authorize the same M365\/Entra ID domain in multiple M365\/Entra ID directory sync instances. If you do, users that are given access to multiple M356\/Entra ID directory instances that are connected to the same domain could be suspended if you remove access\u00a0from one of the instances. You can avoid this by deactivating sync for all but one M365\/Entra ID directory sync instances for a single domain. Be aware that after you deactivate sync for an M365\/Entra ID directory instance, that sync integration is permanently deleted and cannot be recovered.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To add and authorize M365 Sync integration in JumpCloud<\/strong><\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to Directory Integrations <\/strong>> Cloud Directories<\/strong>.<\/li>\n\n\n\n
- Click ( +<\/strong> ).<\/li>\n\n\n\n
- Select M365\/Azure AD. <\/strong><\/li>\n\n\n\n
- Give the directory a unique name. <\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\")
<\/p><\/div>Important:<\/strong> \nYou\u2019ll receive an error and won\u2019t be able to proceed if:<\/p>\n\n\n\n
- \n
- You use invalid characters.<\/li>\n\n\n\n
- You don\u2019t specify a unique name for the directory.<\/li>\n\n\n\n
- The name is more than 255 characters.<\/li>\n\n\n\n
- The name only contains whitespace.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click authorize sync<\/strong>.<\/li>\n\n\n\n
- JumpCloud opens a session for you to log in to Microsoft Online – log in with an administrator account.\u00a0<\/li>\n\n\n\n
- Optionally, choose whether to stay signed in. Click No<\/strong> or Yes<\/strong>. <\/li>\n\n\n\n
- Microsoft shows the items JumpCloud needs permissions to access. Click Accept<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Validating the Password Expiration Setting in Microsoft<\/strong><\/h3>\n\n\n\n
After account synchronization is established between JumpCloud and M365\/Entra ID, perform the following steps to make sure JumpCloud is the authority for password expiration for users in M365\/Entra ID.<\/p>\n\n\n\n
To check Microsoft’s password expiration setting<\/strong><\/h4>\n\n\n\n
- \n
- In the M365 admin center, navigate to\u00a0Settings<\/strong>\u00a0>\u00a0Org<\/strong>\u00a0Settings<\/strong> >\u00a0Security & privacy<\/strong>.<\/li>\n\n\n\n
- Select Password expiration policy<\/strong>.<\/li>\n\n\n\n
- Ensure that Set passwords to never expire<\/strong> (recommended)<\/strong> is selected.<\/li>\n<\/ol>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/MS-password-expiration-policy-1024x856.jpg\")
<\/figure>\n\n\n\n- \n
- Click Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Importing M365 Users<\/strong><\/h2>\n\n\n\n
After you authorize sync with Microsoft, a modal opens with a list of existing active Microsoft user accounts.<\/p>\n\n\n\n
You can close this tab to import accounts at a later time, or you can continue importing accounts now.<\/p>\n\n\n\n
For more information and instructions for manually importing users, see Sync Users and Groups to Microsoft 365 \/ Entra ID<\/a>. <\/p>\n\n\n\n
For more information about importing and syncing users from M365\/Entra ID in real-time using a SCIM integration, see Configure Real-time User Provisioning from Entra ID.<\/a><\/p>\n\n\n\n
M365\/Entra ID<\/strong> Synchronization Configuration and Maintenance<\/strong><\/h2>\n\n\n\n
There are a few more steps to complete the M365\/Entra ID Cloud Directory Synchronization Integration setup. <\/p>\n\n\n\n
- \n
- Enabling Management of Security Groups and Memberships<\/a><\/li>\n\n\n\n
- Managing Domains<\/a><\/li>\n\n\n\n
- Configuring Attribute Mapping and Settings<\/a><\/li>\n<\/ul>\n\n\n\n
Enabling Management of Security Groups and Memberships<\/strong><\/h3>\n\n\n\n
Simplify access control using group management from JumpCloud. Create and update group names and membership in M365\/Entra ID from JumpCloud.<\/p>\n\n\n\n
To enable security groups and membership management<\/strong><\/h4>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to Cloud Directories<\/strong>.<\/li>\n\n\n\n
- Click the M365\/Entra ID directory instance in which you want to create and manage the group(s).<\/li>\n\n\n\n
- Check the box for Enable management of Security Groups and memberships in M365\/Azure AD.<\/strong><\/li>\n\n\n\n
- Click save.<\/strong><\/li>\n\n\n\n
- From the User Groups tab, select the groups you want to manage.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
To disable security groups and membership management<\/strong><\/h4>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to Cloud Directories<\/strong>.<\/li>\n\n\n\n
- Click the M365\/Entra ID directory instance in which you want to create and manage the group(s).<\/li>\n\n\n\n
- Uncheck the box for Enable management of Security Groups and memberships in M365\/Azure AD.<\/strong><\/li>\n\n\n\n
- In the confirmation modal, click continue<\/strong><\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nDisabling group management will leave the groups as-is in M365\/Entra ID and stops managing membership.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Managing Domain(s)<\/strong><\/h3>\n\n\n\n
Specify one or more domains as part of the integration configuration to have more granular control over which user accounts sync and how the translation rule for the email to User Principal Name (UPN) mapping is applied. There are three (3) possible configurations: no domains, a list of one or more domains but no default, and a list of one or more domains with one of those domains used as a default for the UPN translation rule. Each configuration is described in more detail below.<\/p>\n\n\n\n
- \n
- If no domains are configured, the user\u2019s mapped email (company or alternate) is not checked and sent as is.\u00a0The user syncs as long as their email domain matches one of the verified domains in the M365\/Entra ID instance<\/li>\n\n\n\n
- If one or more domains is configured and No default. Only users with matching domains sync <\/strong>is selected, the user\u2019s mapped email default (company or alternate) is checked against the domains listed. Only users with matching email domains are synced<\/li>\n\n\n\n
- If one or more domains is configured and one of the domains is selected to Use as default<\/strong>, the user\u2019s mapped email default (company or alternate) is checked against the domains listed:\n
- \n
- If the domain matches one of the domains in the list, the email address is sent as is<\/li>\n\n\n\n
- If the domain does not match one of the domains in the list, the email value sent as the UPN wll be the username portion of the source email address (Company or Alternate Email) and the default domain<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Examples of how domains are used by the integration.<\/p>\n\n\n\n
\n\n
- If one or more domains is configured and one of the domains is selected to Use as default<\/strong>, the user\u2019s mapped email default (company or alternate) is checked against the domains listed:\n
- Go to Cloud Directories<\/strong>.<\/li>\n\n\n\n
- Go to Cloud Directories<\/strong>.<\/li>\n\n\n\n
- Managing Domains<\/a><\/li>\n\n\n\n
- Enabling Management of Security Groups and Memberships<\/a><\/li>\n\n\n\n
- Select Password expiration policy<\/strong>.<\/li>\n\n\n\n
- Click authorize sync<\/strong>.<\/li>\n\n\n\n
- Go to Directory Integrations <\/strong>> Cloud Directories<\/strong>.<\/li>\n\n\n\n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n