{"id":91569,"date":"2023-06-27T13:04:05","date_gmt":"2023-06-27T17:04:05","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&#038;p=91569"},"modified":"2024-07-16T12:22:18","modified_gmt":"2024-07-16T16:22:18","slug":"sso-with-m365","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/sso-with-m365","title":{"rendered":"SSO with Microsoft 365\/Entra ID"},"content":{"rendered":"\n<p>Use JumpCloud SAML Single Sign On (SSO) to connect Microsoft 365\/Entra ID (M365) with JumpCloud to give your users convenient but secure access with a single set of credentials. <\/p>\n\n\n\n<p>Read this article to learn how to setup JumpCloud&#8217;s SSO connector for M365.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>Read<a href=\"https:\/\/jumpcloud.com\/support\/saml-configuration-notes\"> SAML Configuration Notes<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-prerequisites\"><strong>Prerequisites<\/strong><\/h2>\n\n\n\n<ul>\n<li>All users who will be using M365 SSO must be <a href=\"https:\/\/jumpcloud.com\/support\/m365-sync#giving-jumpcloud-users-access-to-m365\">associated<\/a> (bound) to the M365 Cloud Directory Integration instance prior to configuring SSO and enabling federation in M365. Users who are not bound to the M365 Cloud Directory Integration will NOT be able to login using SSO, because they will be missing the required <a href=\"#to-configure-jumpcloud\">M365 immutable ID<\/a>.<\/li>\n\n\n\n<li>PowerShell is required to modify M365 Federation configurations:\n<ul>\n<li>&nbsp;<a href=\"https:\/\/github.com\/PowerShell\/PowerShell\">PowerShell Core<\/a> can be used on any computer (Windows, macOS, Linux) with the following required modules:\n<ul>\n<li><a href=\"https:\/\/www.powershellgallery.com\/packages\/MSOnline\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/microsoftgraph\/installation?view=graph-powershell-1.0\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/microsoftgraph\/installation?view=graph-powershell-1.0\">Microsoft Graph PowerShell Module<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.powershellgallery.com\/packages\/JumpCloud.Office365.SSO\/\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud.Office365.SSO<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.powershellgallery.com\/packages\/ExchangeOnlineManagement\/\" target=\"_blank\" rel=\"noreferrer noopener\">ExchangeOnlineManagement<\/a> (optional, when using M365 for hosted custom domain email for Exchange Online)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The M365 Cloud Directory integration allows you to create and manage M365 user identities directly from JumpCloud.&nbsp;See the following articles for more information:\n<ul>\n<li><a href=\"https:\/\/jumpcloud.com\/support\/m365-directory-integration-and-saml-connector\">Understand the Difference Between the Microsoft 365 Directory Integration and SAML Connector<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/jumpcloud.com\/support\/m365-directory-integration-overview#m365-integration-scenarios\">Microsoft 365 Integration Scenarios<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/jumpcloud.com\/support\/m365-directory-integration-overview#provisioning-new-m365-accounts\">Microsoft 365 User Import Provisioning<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/jumpcloud.com\/support\/m365-sync#giving-jumpcloud-users-access-to-m365\">Giving JumpCloud Users Access to Microsoft 365<\/a>&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>On Windows, PowerShell 5.1 or higher must be used. <a href=\"https:\/\/github.com\/PowerShell\/PowerShell\">PowerShell Core<\/a> has version 7+.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>Verify you have \u201cGlobal administrator\u201d level access to your M365 tenant\/organization.\n<ul>\n<li>Go to <strong>Azure Active Directory &gt; Users &gt; select the user &gt; Assigned Roles<\/strong>. Your account should have \u201cGlobal administrator\u201d listed<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"https:\/\/jumpcloud.com\/support\/enable-modern-authentication-for-m365\">Modern Authentication<\/a> must be enabled on the M365 tenant<\/li>\n\n\n\n<li>If MFA is enforced on end users in both environments, they will be prompted for MFA twice during the login process &#8211; once in JumpCloud and again in M365<\/li>\n\n\n\n<li>Confirm&nbsp;the following in <strong>Azure Active Directory &gt; Custom Domain Names<\/strong>\n<ul>\n<li>The domain you would like to federate (e.g., YOUR_DOMAIN.com) is listed, verified, and not the Primary\/(Default)<\/li>\n\n\n\n<li>The onmicrosoft.com default domain or another domain you do not want to federate is the Primary\/ (Default) domain. Set up a global admin account in your default domain (for example, admin@YOUR_DOMAIN.onmicrosoft.com) so that there is an admin account that can sign in outside of SSO as a failsafe<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Federation must be disabled on the target domain. If you need to disable Federation, see <a href=\"https:\/\/jumpcloud.com\/support\/disable-m365-federation-with-powershell\">Disable Microsoft 365 Federation with PowerShell<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-considerations\">Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-important-considerations\"><strong>Important Considerations<\/strong><\/h3>\n\n\n\n<ul>\n<li>In M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. If JumpCloud MFA is enabled while also having M365 MFA enabled, end users will encounter two separate MFA prompts during the same login. See <a href=\"#troubleshooting\">Troubleshooting<\/a> to disable these settings<\/li>\n\n\n\n<li>The default domain in M365 cannot be federated<\/li>\n\n\n\n<li>When SSO is enabled, <em>all<\/em> users in the email domain you\u2019re configuring SSO for are affected. After SSO is enabled, users aren&#8217;t able to log in to Microsoft 365 using password authentication<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-general-considerations\"><strong>General Considerations<\/strong><\/h3>\n\n\n\n<ul>\n<li>At this time, JumpCloud doesn&#8217;t support integration with GoDaddy&#8217;s implementation of M365. This version has limited identity management capabilities that require SSO login with GoDaddy&#8217;s services to operate appropriately. Because of these requirements, we are prohibited from making changes to identities with the GoDaddy integration<\/li>\n\n\n\n<li>After a M365 domain is federated, the Microsoft applications your employees use to access their email may work differently, especially older \u201clegacy\u201d applications. See the following articles for more information:\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/office365\/enterprise\/modern-auth-for-office-2013-and-2016?redirectSourcePath=%2Farticle%2F776c0036-66fd-41cb-8928-5495c0f9168a\" target=\"_blank\" rel=\"noreferrer noopener\">How modern authentication works for Office 2013, Office 2016, and Office 2019 client apps<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/jumpcloud.com\/support\/enable-modern-authentication-for-m365\">Enable Modern Authentication for Microsoft 365<\/a>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-entra-sync-considerations\"><strong>Entra Sync Considerations<\/strong><\/h3>\n\n\n\n<ul>\n<li>SSO with existing Entra Connect or Entra Connect Cloud Sync &#8211; If you want to use JumpCloud&#8217;s SSO, but still use a local Active Directory to manage your M365 users, you must import your users into JumpCloud using the Directories tool before SSO becomes available<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>If&nbsp;Entra Connect or Entra Connect Cloud Sync is active for your organization, JumpCloud won&#8217;t be able to update your users in M365. SSO will still function based on users&#8217; JumpCloud logins.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>If you are migrating your M365 users from Entra Connect or Entra Connect Cloud Sync to JumpCloud management, JumpCloud can&#8217;t manage the users until Entra Connect or Entra Connect Cloud Sync is disabled\n<ul>\n<li>To disable directory sync:\n<ul>\n<li>Run PowerShell as administrator<\/li>\n\n\n\n<li><a href=\"#installing-microsoft-powershell-modules\">Install Powershell Modules<\/a> if you haven\u2019t already<\/li>\n\n\n\n<li>Run <kbd>Connect-MgGraph -TenantId \u201c\u201d -Scopes \u201cOrganization.ReadWrite.All, Directory.ReadWrite.All, Domain.ReadWrite.All, IdentityProvider.ReadWrite.All&#8221;<\/kbd>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/find-your-office-365-tenant-id\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/find-your-office-365-tenant-id\" target=\"_blank\" rel=\"noreferrer noopener\">Find your Microsoft 365 tenant ID<\/a>&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Run <kbd>Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled<\/kbd><\/li>\n\n\n\n<li>The value for <kbd>OnPremisesSyncEnabled<\/kbd> appears as <em>True<\/em> or <em>null<\/em> (empty), meaning <strong>True<\/strong> is enabled<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>To disable, run the following cmdlet:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p>$OrgID = (Get-MgOrganization).id<br>$uri = &#8220;https:\/\/graph.microsoft.com\/beta\/organization\/$orgid&#8221;<br>$body = @&#8217;<br>{<br>&#8220;onPremisesSyncEnabled&#8221;: &#8216;false&#8217;<br>}<br>&#8216;@<br>invoke-MgGraphRequest -uri $uri -Body $body -Method PATCH<br><\/p>\n<\/div><\/div>\n\n\n\n<ul>\n<li>To verify the change, run <kbd>Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled<\/kbd><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>It may take up to 20 minutes for the setting change to be applied.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>This setting applies to <em>all<\/em> domains in your M365 account, not just SSO domains.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ios-considerations\"><strong>iOS Considerations<\/strong><\/h3>\n\n\n\n<p>The iOS Mail client supports SSO. If you want to use JumpCloud\u2019s SSO with the iOS Mail client:<\/p>\n\n\n\n<ul>\n<li>On the device, navigate to <strong>Settings &gt; Mail &gt; Accounts &gt; Exchange<\/strong><\/li>\n\n\n\n<li>Enter your email address and a description and click <strong>Next<\/strong><\/li>\n\n\n\n<li>Click <strong>Sign In<\/strong>, this will trigger the Safari redirect to the JumpCloud User Portal<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-creating-a-new-jumpcloud-application-integration\"><strong>Creating a new JumpCloud Application Integration<\/strong><\/h2>\n\n\n\n<ol>\n<li>Log in to the&nbsp;<a href=\"https:\/\/console.jumpcloud.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n<li>Go to\u00a0<strong>USER AUTHENTICATION\u00a0<\/strong>&gt;\u00a0<strong>SSO<\/strong> <strong>Applications<\/strong>.<\/li>\n\n\n\n<li>Click&nbsp;<strong>+&nbsp;Add New Application<\/strong>.<\/li>\n\n\n\n<li>Type the name of the application in the <strong>Search <\/strong>field and select it.<\/li>\n\n\n\n<li>Click <strong>Next<\/strong>.<\/li>\n\n\n\n<li>In the <strong>Display Label<\/strong>, type your name for the application. Optionally, you can enter a <strong>Description<\/strong>, adjust the User Portal Image and choose to hide or <strong>Show in User Portal<\/strong>.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>If this is a Bookmark Application, enter your sign-in URL in the <strong>Bookmark URL<\/strong> field.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"7\">\n<li>Optionally, expand <strong>Advanced Settings<\/strong> to specify a value for the<strong> SSO IdP URL<\/strong>. If no value is entered, it will default to <kbd>https:\/\/sso.jumpcloud.com\/saml2\/&lt;applicationname&gt;<\/kbd>.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>The <strong>SSO IdP URL<\/strong> is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"8\">\n<li>Click <strong>Save Application<\/strong>.<\/li>\n\n\n\n<li>If successful, click:\n<ul>\n<li><strong>Configure Application<\/strong> and go to the next section <\/li>\n\n\n\n<li><strong>Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Configuring the SSO Integration<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>To configure JumpCloud<\/strong><\/h3>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>Ensure that all users who will be using M365 SSO are <a href=\"https:\/\/jumpcloud.com\/support\/m365-sync#giving-jumpcloud-users-access-to-m365\">associated<\/a> (bound) to your M365 Cloud Directory Integration instance. Users who are not associated (bound) to the M365 Cloud Directory Integration will <strong>NOT<\/strong> be able to login using SSO, because they will be missing the required M365 immutable ID.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol>\n<li>Log in to <a href=\"https:\/\/login.microsoftonline.com\/\">M365 \/ Entra ID<\/a>.<\/li>\n\n\n\n<li>Verify that all users you will use SSO have an immutable ID.\n<ul>\n<li>Navigate to <strong>Identity &gt;<\/strong> <strong>Users &gt; All users<\/strong> &gt; <strong>{individual user}<\/strong> &gt; <strong>Properties <\/strong><\/li>\n\n\n\n<li>Scroll down until you see the <strong>On-premises immutable ID<\/strong> field in the right column.<br> <img decoding=\"async\" width=\"702\" height=\"769\" class=\"wp-image-110670\" style=\"width: 600px\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png\" alt=\"\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png 702w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28-274x300.png 274w\" sizes=\"(max-width: 702px) 100vw, 702px\" \/><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Log in to the <a href=\"https:\/\/console.jumpcloud.com\/login\/admin\">JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n<li><a href=\"#creating-a-new-jumpcloud-application-integration\">Create a new application<\/a>&nbsp;or select it from the&nbsp;<strong>Configured Application<\/strong>s list.<\/li>\n\n\n\n<li>Select the <strong>SSO <\/strong>tab. <\/li>\n\n\n\n<li>Replace instances of <strong>YOUR_DOMAIN<\/strong> in the <strong>IdP Entity ID<\/strong> and <strong>Login URL<\/strong> fields with the name of the domain you will be federating.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>The <strong>IdP Entity ID<\/strong> and <strong>Login URL<\/strong> fields must match the M365 domain that\u2019s to be SSO-enabled (federated) over to JumpCloud. <strong>These fields shouldn\u2019t be the default domain, (e.g., YOUR_DOMAIN.onmicrosoft.com<\/strong>).<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"954\" height=\"761\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6ca30612.png\" alt=\"\" class=\"wp-image-110682\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6ca30612.png 954w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6ca30612-300x239.png 300w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6ca30612-768x613.png 768w\" sizes=\"(max-width: 954px) 100vw, 954px\" \/><\/figure>\n\n\n\n<ol start=\"4\">\n<li>Add any desired additional attributes.<\/li>\n\n\n\n<li>Click <strong>save<\/strong>.<\/li>\n\n\n\n<li>Find&nbsp;Microsoft 365 in the <strong>Configured Applications<\/strong> list and click anywhere in the row to reopen the application configuration panel.<\/li>\n\n\n\n<li>Select the&nbsp;<strong>SSO&nbsp;<\/strong>tab and click&nbsp;<strong>Export Metadata<\/strong>.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card tip\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Tip:<\/strong> \n<p>The <strong>JumpCloud-office365-metadata.xml<\/strong> file will download to your local <strong>Downloads <\/strong>folder.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>To regenerate your Microsoft 365 IdP certificate<\/strong><\/h4>\n\n\n\n<p>You can <a href=\"https:\/\/jumpcloud.com\/support\/manage-application-idp-certificate-and-key-pairs#regenerating-a-certificate\">regenerate<\/a> your M365 IdP certificate at any time.<\/p>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>Before you begin this process, you will need access to your M365 tenant using an account that isn\u2019t bound by the SSO login process. As stated earlier in the article, this would be a global admin account in your M365 tenant that\u2019s part of a domain that isn\u2019t federated (typically something like admin@YOUR_DOMAIN.onmicrosoft.com).<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card warning\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Warning:<\/strong> \n<p>The certificate regeneration process will break SSO logins until complete. You should notify the rest of your infrastructure team about the outage. This should be done during off hours to reduce the chance of a login issue for your users.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol>\n<li>After <a href=\"https:\/\/jumpcloud.com\/support\/manage-application-idp-certificate-and-key-pairs#regenerating-a-certificate\">regenerating<\/a> the certificate, you must export a new metadata file:\n<ul>\n<li>In the&nbsp;<strong>SSO&nbsp;<\/strong>tab, click&nbsp;<strong>Export Metadata<\/strong>.<\/li>\n\n\n\n<li>The new metadata file will download to your local <strong>Downloads <\/strong>folder.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Disable the current configuration:<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p><kbd>Disable-JumpCloud.Office365.SSO -XMLFilePath .\\<kbd>JumpCloud-office365-metadata<\/kbd>.xml<\/kbd>.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>M365 will not recognize the new metadata file until the current configuration is disabled.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ol start=\"3\">\n<li>Upload the new metadata file:<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p><kbd>Enable-JumpCloud.Office365.SSO -XMLFilePath .\\JumpCloud-office365-metadata.xml<\/kbd><\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>If you need a more advanced configuration, see <a href=\"https:\/\/jumpcloud.com\/support\/sso-with-m365-alternative-manual-service-provider-set-up-method\">SSO with Microsoft 365 &#8211; Alternative Manual Service Provider Set Up Method<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>To configure Microsoft<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"installing-microsoft-powershell-modules\"><strong>Installing Microsoft Powershell Modules<\/strong><\/h4>\n\n\n\n<ol>\n<li>Run PowerShell as an administrator.&nbsp;<\/li>\n\n\n\n<li>Install the Microsoft.Graph Module for Windows PowerShell (as referenced in the Prerequisites section):\n<ul>\n<li>Run <kbd>Install-Module PowershellGet<\/kbd>.<\/li>\n\n\n\n<li>Answer Y to install the NuGet Provider.<\/li>\n\n\n\n<li>Answer A to Answer Yes to All to install from PSGallery.<\/li>\n\n\n\n<li>Run <kbd>Install-Module Microsoft.Graph<\/kbd><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Modify the PowerShell execution policy to Remote Signed:\n<ul>\n<li>Run <kbd>Set-ExecutionPolicy RemoteSigned<\/kbd><\/li>\n\n\n\n<li>Answer <kbd>A<\/kbd> to confirm the change to the Execution Policy.<\/li>\n\n\n\n<li>Enter your M365 Global Administrator credentials.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Install the Microsoft Exchange Online Management module (as referenced in the Prerequisites section):\n<ul>\n<li>Run <kbd>Install-Module ExchangeOnlineManagement<\/kbd><\/li>\n\n\n\n<li>Answer<kbd> A<\/kbd> to Answer Yes to All to install from PSGallery.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Connecting to the M365 Tenant<\/strong><\/h4>\n\n\n\n<ol>\n<li>Connect to the M365 \/Entra ID tenant:<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p><kbd>Connect-MGGraph -Scopes &#8220;Domain.ReadWrite.All&#8221;, &#8220;Directory.AccessAsUser.All&#8221;, &#8220;Organization.ReadWrite.All&#8221;, &#8220;Directory.ReadWrite.All&#8221;<\/kbd><\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card tip\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Tip:<\/strong> \n<p>For more information, see <a href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/find-your-office-365-tenant-id\" target=\"_blank\" rel=\"noreferrer noopener\">Find your Microsoft 365 tenant ID<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Connecting to Exchange<\/strong><\/h4>\n\n\n\n<ol>\n<li>Connect to Microsoft Exchange:\n<ul>\n<li>Run <kbd>Connect-ExchangeOnline<\/kbd>.<\/li>\n\n\n\n<li>Enter your M365 Global Administrator credentials.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>To enable federation in M365<\/strong><\/h3>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>If you would like to test SSO on a staging domain before federating your production domain, see <a href=\"https:\/\/jumpcloud.com\/support\/test-m365-sso-for-named-accounts\">Testing M365 SSO for named accounts<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<p>To enable SSO, enable federation between your JumpCloud organization and your M365 tenant. The next steps will verify your current configuration and enable this federation. This step will make JumpCloud your IdP, but some settings will remain within Azure and M365, such as the option to remain logged in. You may set app specific <a href=\"https:\/\/jumpcloud.com\/support\/get-started-conditional-access-policies\">conditional access<\/a> policies in JumpCloud that will obligate users to authenticate through MFA or using modern authentication.<\/p>\n\n\n\n<ol>\n<li>Verify the current authentication method of your M365 domains:\n<ul>\n<li>Run <kbd>Get-MgDomain |&nbsp; Select Id, AuthenticationType<\/kbd>\n<ul>\n<li>For domains that list the authentication type as Managed, SSO is disabled.<\/li>\n\n\n\n<li>For domains that list the authentication type as Federated, SSO is enabled.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If you have not, install Microsoft\u2019s <a href=\"https:\/\/www.powershellgallery.com\/packages\/JumpCloud.Office365.SSO\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud SSO PowerShell Module<\/a> (as referenced in the Prerequisites section):\n<ul>\n<li>Run <kbd>Install-Module -Name JumpCloud.Office365.SSO<\/kbd>.<\/li>\n\n\n\n<li>Answer <kbd>A<\/kbd> to Answer Yes to All to install from PSGallery.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Verify the current JumpCloud federation status of your M365 domain:\n<ul>\n<li>Run <kbd>Show-JumpCloud.Office365.SSO<\/kbd> to show the current status of JumpCloud SSO Federation for a specific domain.<\/li>\n\n\n\n<li>At the Domain: prompt, enter your domain name.<\/li>\n\n\n\n<li>The result returns the JumpCloud federation status for the domain provided.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"580\" height=\"99\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/enter-jumpcloud-domain.jpg\" alt=\"\" class=\"wp-image-95993\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/enter-jumpcloud-domain.jpg 580w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/enter-jumpcloud-domain-300x51.jpg 300w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"573\" height=\"105\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/jumpcloud-federation-status-result.jpg\" alt=\"\" class=\"wp-image-95994\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/jumpcloud-federation-status-result.jpg 573w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/jumpcloud-federation-status-result-300x55.jpg 300w\" sizes=\"(max-width: 573px) 100vw, 573px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"582\" height=\"146\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/06\/jumpcloud-federation-status-result-1.jpg\" alt=\"\" class=\"wp-image-95996\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/jumpcloud-federation-status-result-1.jpg 582w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/jumpcloud-federation-status-result-1-300x75.jpg 300w\" sizes=\"(max-width: 582px) 100vw, 582px\" \/><\/figure>\n\n\n\n<ol start=\"4\">\n<li>Enable Single Sign On (SSO):<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p><kbd>Enable-JumpCloud.Office365.SSO -XMLFilePath .\\JumpCloud-office365-metadata.xml<\/kbd><\/p>\n<\/div><\/div>\n\n\n\n<ol start=\"5\">\n<li> Verify the change:<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p><kbd>Show-JumpCloud.Office365.SSO<\/kbd><\/p>\n<\/div><\/div>\n\n\n\n<ol start=\"6\">\n<li>Disconnect from the Graph connection:<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-code-block code-block\"><div class=\"code-block-snippet is-type-body-default\">\n<p><kbd>Disconnect-MGGraph<\/kbd><\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"authorizing-user-sso-access\"><strong>Authorizing User SSO Access<\/strong><\/h2>\n\n\n\n<p>Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the <strong>Application Configuration<\/strong> panel or from the <strong>Groups Configuration<\/strong> panel.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>To authorize user access from the Application Configuration panel<\/strong><\/h3>\n\n\n\n<ol>\n<li>Log in to the <a href=\"https:\/\/console.jumpcloud.com\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/console.jumpcloud.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n<li>Go to <strong>USER AUTHENTICATION &gt; SSO<\/strong> <strong>Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n<li>Select the <strong>User Groups<\/strong> tab. If you need to create a new group of users, see <a href=\"https:\/\/jumpcloud.com\/support\/get-started-user-groups\">Get Started: User Groups<\/a>.<\/li>\n\n\n\n<li>Select the check box next to the group of users you want to give access.<\/li>\n\n\n\n<li>Click <strong>save<\/strong>.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>To learn how to authorize user access from the&nbsp;<strong>Groups Configuration<\/strong>&nbsp;panel, see&nbsp;<a href=\"https:\/\/jumpcloud.com\/support\/authorize-users-to-an-sso-application#user-groups-configuration-panel\">Authorize Users to an SSO Application<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"validating-sso-authentication-workflows\"><strong>Validating SSO user authentication workflow(s)<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-idp-initiated-user-workflow\"><strong>IdP-initiated<\/strong> <strong>user workflow<\/strong><\/h3>\n\n\n\n<ul>\n<li>Access the <a href=\"https:\/\/console.jumpcloud.com\/userconsole#\/\">JumpCloud User Console<\/a><\/li>\n\n\n\n<li>Go to\u00a0<strong>Applications<\/strong> and click an application tile to launch it<\/li>\n\n\n\n<li>JumpCloud asserts the user&#8217;s identity to the SP and is authenticated without the user having to log in to the application<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sp-initiated-user-workflow\"><strong>SP-initiated<\/strong> <strong>user workflow<\/strong><\/h3>\n\n\n\n<ul>\n<li>Go\u00a0to the SP application login &#8211; generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card note\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Note:<\/strong> \n<p>This varies by SP.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<ul>\n<li>Login redirects the user to JumpCloud where the user enters their JumpCloud credentials<\/li>\n\n\n\n<li>After the user is logged in successfully, they are redirected\u00a0back to the SP and automatically logged in<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Disabling M365 SSO<\/strong><\/h2>\n\n\n\n<ol>\n<li>Run PowerShell as an administrator.<\/li>\n\n\n\n<li><a href=\"https:\/\/jumpcloud.com\/support\/sso-with-m365#to-configure-microsoft\">Install Powershell Modules<\/a> if you haven\u2019t already.<\/li>\n\n\n\n<li>Change the directory of your PowerShell session to the location of the JumpCloud metadata file downloaded in <a href=\"#to-configure-jumpcloud\">To configure JumpCloud<\/a>. For example, replace &lt;User&gt; with the active username: cd \u201cC:\\Users\\&lt;User&gt;\\Downloads\u201d.<\/li>\n\n\n\n<li>Run <kbd>Disable-JumpCloud.Office365.SSO -XMLFilePath .\\JumpCloud-office365-metadata.xml<\/kbd>.<\/li>\n<\/ol>\n\n\n\n<div class=\"wp-block-cgb-notification-card-wysiwyg notification-card important\"><div class=\"notification-card-content\"><div class=\"notification-card-icon\"><p><img decoding=\"async\" src=\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\" \/><\/p><\/div><div class=\"notification-card-copy is-type-body-default\"><div><strong class=\"notification-card-type\">Important:<\/strong> \n<p>Per Microsoft documentation, it may take up to 2 hours for the sign-in process to be updated, and in some extreme cases up to 24 hours.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"deleting-the-application\"><strong><strong>To delete<\/strong><\/strong> <strong>the application<\/strong><\/h3>\n\n\n\n<ol>\n<li>Log in to the <a href=\"https:\/\/console.jumpcloud.com\" target=\"_blank\" rel=\"noreferrer noopener\">JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n<li>Go to&nbsp;<strong>USER AUTHENTICATION &gt; <strong>SSO<\/strong> <strong>Applications<\/strong><\/strong>.<\/li>\n\n\n\n<li>Search for the application that you\u2019d like to delete.<\/li>\n\n\n\n<li>Check the box next to the application to select it.<\/li>\n\n\n\n<li>Click&nbsp;<strong>Delete.<\/strong><\/li>\n\n\n\n<li>Enter the number of the applications you are deleting<\/li>\n\n\n\n<li>Click&nbsp;<strong>Delete Application<\/strong>.<\/li>\n\n\n\n<li>If successful, you will see an application deletion confirmation notification.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Troubleshooting<\/strong><\/h2>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#i_am_getting_a_powershell_entityid_error_when_trying_to_save_my_sso_configuration_\" data-action=\"collapse\">I am getting a Powershell EntityID error when trying to save my SSO configuration.<\/a><div id=\"i_am_getting_a_powershell_entityid_error_when_trying_to_save_my_sso_configuration_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"103\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/05\/image-3-1024x103.png\" alt=\"\" class=\"wp-image-110686\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/05\/image-3-1024x103.png 1024w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/05\/image-3-300x30.png 300w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/05\/image-3-768x77.png 768w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/05\/image-3.png 1168w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Check your <strong>IdP Entity ID<\/strong>. It must be in either a <kbd>https:\/\/domain.com<\/kbd> format <strong>or<\/strong> <kbd>urn:uri:domain.com<\/kbd> format. Change the value to the correct format and try to save the configuration again.<\/p>\n<\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-cgb-accordion-faq-wysiwyg gutenberg-accordion\"><a class=\"gutenberg-accordion-header is-type-title-default has-text-night-blue\" href=\"#why_are_my_users_getting_two_separate_mfa_prompts_\" data-action=\"collapse\">Why are my users getting two separate MFA prompts?<\/a><div id=\"why_are_my_users_getting_two_separate_mfa_prompts_\" class=\"gutenberg-accordion-content-container is-collapsible\"><div class=\"gutenberg-accordion-content\">\n<p>Cause: <\/p>\n\n\n\n<p>When setting up SSO Federation with M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings.<\/p>\n\n\n\n<p>Resolution:<\/p>\n\n\n\n<p>Use the following steps to Disable MFA security defaults:<\/p>\n\n\n\n<ol start=\"1\">\n<li>Sign in to the&nbsp;<a href=\"https:\/\/entra.microsoft.com\/\">Microsoft Entra admin center<\/a>&nbsp;as at least a&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/role-based-access-control\/permissions-reference#security-administrator\">Security Administrator<\/a>.<\/li>\n\n\n\n<li>Browse to\u202f<strong>Identity<\/strong>\u202f&gt;&nbsp;<strong>Overview<\/strong>&nbsp;&gt;&nbsp;<strong>Properties<\/strong>.<\/li>\n\n\n\n<li>Select&nbsp;<strong>Manage security defaults<\/strong>.<\/li>\n\n\n\n<li>Set&nbsp;<strong>Security defaults<\/strong>&nbsp;to&nbsp;<strong>disable<\/strong>.<\/li>\n\n\n\n<li>Select&nbsp;<strong>Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" width=\"1006\" height=\"806\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_4ff6777.png\" alt=\"\" class=\"wp-image-113054\" style=\"width:739px;height:auto\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_4ff6777.png 1006w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_4ff6777-300x240.png 300w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_4ff6777-768x615.png 768w\" sizes=\"(max-width: 1006px) 100vw, 1006px\" \/><\/figure>\n<\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Use JumpCloud SAML Single Sign On (SSO) to connect Microsoft 365\/Entra ID (M365) with JumpCloud to give your users convenient [&hellip;]<\/p>\n","protected":false},"author":205,"featured_media":0,"template":"","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"support_category":[2855,2954,2998,2991,2902],"support_tag":[],"coauthors":[2839],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SSO with Microsoft 365\/Entra ID - JumpCloud<\/title>\n<meta name=\"description\" content=\"Create a M365\/Entra ID integration using SSO to give users secure access with their JumpCloud credentials.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/support\/sso-with-m365\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SSO with Microsoft 365\/Entra ID\" \/>\n<meta property=\"og:description\" content=\"Create a M365\/Entra ID integration using SSO to give users secure access with their JumpCloud credentials.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/support\/sso-with-m365\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-16T16:22:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"10 minutes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data2\" content=\"joyjaswinski\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/support\/sso-with-m365\",\"url\":\"https:\/\/jumpcloud.com\/support\/sso-with-m365\",\"name\":\"SSO with Microsoft 365\/Entra ID - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/sso-with-m365#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/sso-with-m365#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png\",\"datePublished\":\"2023-06-27T17:04:05+00:00\",\"dateModified\":\"2024-07-16T16:22:18+00:00\",\"description\":\"Create a M365\/Entra ID integration using SSO to give users secure access with their JumpCloud credentials.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/support\/sso-with-m365#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/support\/sso-with-m365\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/support\/sso-with-m365#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png\",\"width\":702,\"height\":769},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/support\/sso-with-m365#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Support\",\"item\":\"https:\/\/jumpcloud.com\/support\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SSO with Microsoft 365\/Entra ID\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SSO with Microsoft 365\/Entra ID - JumpCloud","description":"Create a M365\/Entra ID integration using SSO to give users secure access with their JumpCloud credentials.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/support\/sso-with-m365","og_locale":"en_US","og_type":"article","og_title":"SSO with Microsoft 365\/Entra ID","og_description":"Create a M365\/Entra ID integration using SSO to give users secure access with their JumpCloud credentials.","og_url":"https:\/\/jumpcloud.com\/support\/sso-with-m365","og_site_name":"JumpCloud","article_modified_time":"2024-07-16T16:22:18+00:00","og_image":[{"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"10 minutes","Written by":"joyjaswinski"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/support\/sso-with-m365","url":"https:\/\/jumpcloud.com\/support\/sso-with-m365","name":"SSO with Microsoft 365\/Entra ID - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/support\/sso-with-m365#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/support\/sso-with-m365#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png","datePublished":"2023-06-27T17:04:05+00:00","dateModified":"2024-07-16T16:22:18+00:00","description":"Create a M365\/Entra ID integration using SSO to give users secure access with their JumpCloud credentials.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/support\/sso-with-m365#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/support\/sso-with-m365"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/support\/sso-with-m365#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/06\/Snag_6c837c28.png","width":702,"height":769},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/support\/sso-with-m365#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Support","item":"https:\/\/jumpcloud.com\/support"},{"@type":"ListItem","position":3,"name":"SSO with Microsoft 365\/Entra ID"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/91569"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/support"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/205"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/91569\/revisions"}],"predecessor-version":[{"id":113057,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support\/91569\/revisions\/113057"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=91569"}],"wp:term":[{"taxonomy":"support_category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_category?post=91569"},{"taxonomy":"support_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/support_tag?post=91569"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=91569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}