SSO with Microsoft 365/Entra ID
JumpCloud Support, https://jumpcloud.com/support/sso-with-m365
Published 2023-06-27, last modified 2024-07-16
Use JumpCloud SAML Single Sign-On (SSO) to connect Microsoft 365/Entra ID (M365) with JumpCloud to give your users convenient but secure access with a single set of credentials.

Read this article to learn how to set up JumpCloud's SSO connector for M365.
Prerequisites

Note: Read SAML Configuration Notes.

Note: On Windows, PowerShell 5.1 or higher must be used. PowerShell Core is version 7+.

Considerations

Important Considerations

General Considerations

Entra Sync Considerations

Note: If Entra Connect or Entra Connect Cloud Sync is active for your organization, JumpCloud won't be able to update your users in M365. SSO will still function based on users' JumpCloud logins.

Run the following in PowerShell with the Microsoft Graph PowerShell SDK installed:

# Sign in with a Graph scope that can write the organization object
# (the exact scope or admin role required depends on your tenant).
Connect-MgGraph -Scopes "Organization.ReadWrite.All"

# Look up the tenant's organization object ID.
$OrgID = (Get-MgOrganization).Id
$uri = "https://graph.microsoft.com/beta/organization/$OrgID"

# Turn off the on-premises directory sync flag on the organization object.
# The value must be the JSON boolean false, not the string 'false'.
$body = @'
{
  "onPremisesSyncEnabled": false
}
'@
Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH

Note: It may take up to 20 minutes for the setting change to be applied.

Note: This setting applies to all domains in your M365 account, not just SSO domains.

iOS Considerations

The iOS Mail client supports SSO. If you want to use JumpCloud's SSO with the iOS Mail client:

Creating a new JumpCloud Application Integration

Note: If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.

Note: The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.

Configuring the SSO Integration

Note: Ensure that all users who will be using M365 SSO are associated (bound) to your M365 Cloud Directory Integration instance. Users who are not associated (bound) to the M365 Cloud Directory Integration will NOT be able to log in using SSO, because they will be missing the required M365 immutable ID.

To configure JumpCloud

Note: The IdP Entity ID and Login URL fields must match the M365 domain that's to be SSO-enabled (federated) over to JumpCloud. These fields shouldn't be the default domain (e.g., YOUR_DOMAIN.onmicrosoft.com).