JumpCloud Community

The main thing is that it sounds more difficult than it really is. It's also reversible. There's a lot of info in the current KB (and even more in the new one). I'd defer to that and suggest that you check back for the update. It doesn't mention a few things that are head scratchers such as not disabling security defaults in AAD leads to dual MFA where the JC assertion gets passed to AAD (and then you're prompted again). You also can't run Microsoft's PS module to do this from Apple M1+ hardware. Support and pro services can also walk you through it.

Here's some up-to-date info you won't see in the KB just yet:

Important: Read SAML Configuration Notes and SSO with Microsoft 365 Considerations.

Prerequisites

• Before you begin, in your JumpCloud admin portal configure  your Microsoft 365 Directory Integration, which allows you to create and manage Microsoft 365 user identities directly in JumpCloud (follow instructions in this document Authorize Office 365 Sync).
• You must first configure an M365/Azure AD Cloud Directory Integration to obtain the M365 immutable ID, which is required for SSO from JumpCloud (follow instructions in the Authorize Office 365 Sync support article).
• The Cloud Directory integration allows you to create and manage Microsoft 365 user identities directly from JumpCloud.  Learn more:
• Microsoft 365 Integration vs Microsoft 365 SAML Connector
• Microsoft 365 Integration Scenarios
• Microsoft 365 User Import Provisioning and Sync
• Binding JumpCloud Users to Microsoft 365 
• Confirm that all users who will be using JumpCloud SSO are associated (bound) to the M365/Azure AD Cloud Directory Integration instance prior to configuring JumpCloud SSO and enabling federation in Azure AD.
• Users who are not associated (bound) to the Cloud Directory Integration will NOT be able to login using SSO.

• NOTE: SSO from JumpCloud requires M365 immutable ID, which is obtained by using JumpCloud’s Cloud Directory sync and binding users to JumpCloud. You must perform this step prior to configuring JumpCloud SSO and enabling federation in AAD.

• You must run PowerShell as an administrator on a Windows X86 computer. The PowerShell commands required will not work on another operating system such as Linux or MacOS.
• Install these PowerShell Modules from a Windows X86 computer on which you are an administrator:
• MSOnline
• JumpCloud.Office365.SSO
• ExchangeOnlineManagement (optional, when using AzureAD / M365 for hosted custom domain email for Exchange Online)
• NOTE: The PowerShell commands required will not work on another operating system such as Linux or MacOS.
• Verify you have “Global administrator” level access to the M365 tenant/organization
• Go to (Azure Active Directory > Users > select the user > Assigned Roles. Your account should have “Global administrator” listed).
• Modern Authentication must be enabled on the Microsoft 365 tenant.
• MFA can not be enabled on the M365 tenant, either through conditional access or on a per-user basis.
• Note: in M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. JumpCloud MFA being enabled while also having M365 MFA enabled will result in end users encountering two separate MFA prompts during the same login. 
• Confirm  the following in Azure Active Directory > Custom Domain Names.
•  
• The domain you would like to federate (e.g., YOUR_DOMAIN.com) is listed, verified, and not the Primary/(Default).
• The  .onmicrosoft.com domain or another domain you do want to federate is the Primary/ (Default) domain Set up a global admin account in your default domain (for example, admin@YOUR_DOMAIN.onmicrosoft.com) so that there is an admin account that can sign in outside of SSO as a failsafe.
• Federation must be disabled on target domain. If you need to disable Federation, see Disabling Microsoft 365 Federation through PowerShell.

Important Considerations

• Users who are not associated (bound) to the M365/Azure AD Cloud Directory Integration will NOT be able to login using SSO, because they will be missing the required M365 immutable ID.
• You must run PowerShell as an administrator on a Windows X86 computer. The PowerShell commands required will not work on another operating system such as Linux or MacOS.
•  In M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. JumpCloud MFA being enabled while also having M365 MFA enabled will result in end users encountering two separate MFA prompts during the same login.
• The default domain in M365 cannot be federated.

Single Sign On with Microsoft 365 Considerations

If you want to connect Microsoft 365 with JumpCloud using the SAML SSO connector, read about the setup considerations before you get started. 

After you review the considerations, see Single Sign On with Microsoft 365. 

General Considerations

• See SAML Configuration Notes. 
• SSO isn't available for users until they’re synced to Microsoft 365 during JumpCloud's integration with Microsoft 365. Learn how to integrate JumpCloud with Microsoft 365.
• When SSO is enabled, all users in the email domain you’re configuring SSO for are affected. After SSO is enabled, users aren't able to log in to Microsoft 365 using password authentication.  
• To successfully complete (SSO) integration between JumpCloud and Microsoft 365, you must use a Global Administrator account in Microsoft 365.
• The default domain defined in Microsoft 365 must NOT be the domain used for SSO. This usually requires setting the *.onmicrosoft.com domain to default in the Microsoft 365 Portal.
• At this time, JumpCloud doesn't support integration with GoDaddy's implementation of Microsoft 365. This version has limited identity management capabilities that require SSO login with GoDaddy's services to operate appropriately. Because of these requirements, we are prohibited from making changes to identities with the GoDaddy integration.
• Microsoft Applications: After a Microsoft 365 domain is federated, the Microsoft applications your employees use to access their email may work differently, especially older “legacy” applications. 
• Read about modern authentication with Office 2013 and 2016.
• Learn about Enabling Modern Authentication for Microsoft 365. 
• See Configuring Microsoft 365 as a SAML SSO Service Provider.

AD Sync Considerations

• SSO with existing AD Sync - If you want to use JumpCloud's SSO, but still use a local Active Directory to manage your Microsoft 365 users, you must import your users into JumpCloud using the Directories tool before SSO becomes available.
  
  Note: If AD Directory Sync is active for your organization, JumpCloud isn't able to update your users in Microsoft 365. SSO will still function based on users' JumpCloud log in.
• If you are migrating your Microsoft 365 users from AD Sync to JumpCloud management, JumpCloud can't manage the users until Directory Sync is disabled.
• To disable directory sync:
• Install the Azure Active Directory Module for Windows PowerShell
• Run the the Azure Active Directory PowerShell command: 

Get-MsolCompanyInformation

• Select the DirectorySynchronizationEnabled field.
• To disable, run the command:

Set-MsolDirSyncEnabled -EnableDirSync $false

Note: This setting applies to all domains in your Microsoft 365 account, not just SSO domains

iOS Considerations

The iOS Mail client supports SSO.  If you want to use JumpCloud’s SSO with the iOS Mail client, make sure to follow the steps below during configuration.

• On the device go to Settings > Mail > Accounts > Exchange
• Enter your email address and a description and click "Next".
• Click Sign In, this will trigger the Safari redirect to the JumpCloud User Portal.