cancel
Showing results for 
Search instead for 
Did you mean: 

Enabling Jumpcloud SSO for Microsoft 365

Jhii
Novitiate II

Has anyone made this change? it seems like a big one and I'm not sure if it should be done or not.

I'm happy with Jumpcloud and it's pretty heavily configured now but I'm not sure if piping everything through Jumpcloud is going to be good.

 

Has anyone else done this? what has your experience been like?

1 ACCEPTED SOLUTION

JCDavid
Iron II
Iron II

The main thing is that it sounds more difficult than it really is. It's also reversible. There's a lot of info in the current KB (and even more in the new one). I'd defer to that and suggest that you check back for the update. It doesn't mention a few things that are head scratchers such as not disabling security defaults in AAD leads to dual MFA where the JC assertion gets passed to AAD (and then you're prompted again). You also can't run Microsoft's PS module to do this from Apple M1+ hardware. Support and pro services can also walk you through it.

Here's some up-to-date info you won't see in the KB just yet:

Important: Read SAML Configuration Notes and SSO with Microsoft 365 Considerations.

Prerequisites

  • NOTE: SSO from JumpCloud requires M365 immutable ID, which is obtained by using JumpCloud’s Cloud Directory sync and binding users to JumpCloud. You must perform this step prior to configuring JumpCloud SSO and enabling federation in AAD.
  • You must run PowerShell as an administrator on a Windows X86 computer. The PowerShell commands required will not work on another operating system such as Linux or MacOS.
  • Install these PowerShell Modules from a Windows X86 computer on which you are an administrator:
  • Verify you have “Global administrator” level access to the M365 tenant/organization
    • Go to (Azure Active Directory > Users > select the user > Assigned Roles. Your account should have “Global administrator” listed).
  • Modern Authentication must be enabled on the Microsoft 365 tenant.
    • MFA can not be enabled on the M365 tenant, either through conditional access or on a per-user basis.
      • Note: in M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. JumpCloud MFA being enabled while also having M365 MFA enabled will result in end users encountering two separate MFA prompts during the same login. 
  • Confirm  the following in Azure Active Directory > Custom Domain Names.
    •  
    • The domain you would like to federate (e.g., YOUR_DOMAIN.com) is listed, verified, and not the Primary/(Default).
  • The  .onmicrosoft.com domain or another domain you do want to federate is the Primary/ (Default) domain Set up a global admin account in your default domain (for example, admin@YOUR_DOMAIN.onmicrosoft.com) so that there is an admin account that can sign in outside of SSO as a failsafe.
  • Federation must be disabled on target domain. If you need to disable Federation, see Disabling Microsoft 365 Federation through PowerShell.

Important Considerations

  • Users who are not associated (bound) to the M365/Azure AD Cloud Directory Integration will NOT be able to login using SSO, because they will be missing the required M365 immutable ID.
  • You must run PowerShell as an administrator on a Windows X86 computer. The PowerShell commands required will not work on another operating system such as Linux or MacOS.
  •  In M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. JumpCloud MFA being enabled while also having M365 MFA enabled will result in end users encountering two separate MFA prompts during the same login.
  • The default domain in M365 cannot be federated.

Single Sign On with Microsoft 365 Considerations

If you want to connect Microsoft 365 with JumpCloud using the SAML SSO connector, read about the setup considerations before you get started. 

After you review the considerations, see Single Sign On with Microsoft 365

General Considerations

  • See SAML Configuration Notes
  • SSO isn't available for users until they’re synced to Microsoft 365 during JumpCloud's integration with Microsoft 365. Learn how to integrate JumpCloud with Microsoft 365.
  • When SSO is enabled, all users in the email domain you’re configuring SSO for are affected. After SSO is enabled, users aren't able to log in to Microsoft 365 using password authentication.  
  • To successfully complete (SSO) integration between JumpCloud and Microsoft 365, you must use a Global Administrator account in Microsoft 365.
  • The default domain defined in Microsoft 365 must NOT be the domain used for SSO. This usually requires setting the *.onmicrosoft.com domain to default in the Microsoft 365 Portal.
  • At this time, JumpCloud doesn't support integration with GoDaddy's implementation of Microsoft 365. This version has limited identity management capabilities that require SSO login with GoDaddy's services to operate appropriately. Because of these requirements, we are prohibited from making changes to identities with the GoDaddy integration.
  • Microsoft Applications: After a Microsoft 365 domain is federated, the Microsoft applications your employees use to access their email may work differently, especially older “legacy” applications. 
  • See Configuring Microsoft 365 as a SAML SSO Service Provider.

AD Sync Considerations

  • SSO with existing AD Sync - If you want to use JumpCloud's SSO, but still use a local Active Directory to manage your Microsoft 365 users, you must import your users into JumpCloud using the Directories tool before SSO becomes available.

    Note: If AD Directory Sync is active for your organization, JumpCloud isn't able to update your users in Microsoft 365. SSO will still function based on users' JumpCloud log in.
  • If you are migrating your Microsoft 365 users from AD Sync to JumpCloud management, JumpCloud can't manage the users until Directory Sync is disabled.

Get-MsolCompanyInformation

  • Select the DirectorySynchronizationEnabled field.
  • To disable, run the command:

Set-MsolDirSyncEnabled -EnableDirSync $false

Note: This setting applies to all domains in your Microsoft 365 account, not just SSO domains

iOS Considerations

The iOS Mail client supports SSO.  If you want to use JumpCloud’s SSO with the iOS Mail client, make sure to follow the steps below during configuration.

  • On the device go to Settings > Mail > Accounts > Exchange
  • Enter your email address and a description and click "Next".
  • Click Sign In, this will trigger the Safari redirect to the JumpCloud User Portal.

View solution in original post

4 REPLIES 4

JCDavid
Iron II
Iron II

Hello. I've done it and recently helped to re-write our KB on it (it's not published yet). It's been configured for months and I've not run into any show-stoppers. That made it possible to manage devices et, al without that much effort. That's a big deal. Unifying identity and device management will enable your organization to reduce costs, improve operational efficiencies, strengthen cybersecurity, support workplace and digital transformation, and reduce the pressure on IT admins and security teams. What are your concerns? It sounds as if you haven't federated AAD using PS yet, but could?

Currently 365 is just setup as a 'cloud directory' in JC. I will look into federating AAD.

Anything I should be aware of before I flip the switch? 

Another other thing I'd suggest is to grab a domain for a few bucks and add it to AAD. Then, practice with it first.

JCDavid
Iron II
Iron II

The main thing is that it sounds more difficult than it really is. It's also reversible. There's a lot of info in the current KB (and even more in the new one). I'd defer to that and suggest that you check back for the update. It doesn't mention a few things that are head scratchers such as not disabling security defaults in AAD leads to dual MFA where the JC assertion gets passed to AAD (and then you're prompted again). You also can't run Microsoft's PS module to do this from Apple M1+ hardware. Support and pro services can also walk you through it.

Here's some up-to-date info you won't see in the KB just yet:

Important: Read SAML Configuration Notes and SSO with Microsoft 365 Considerations.

Prerequisites

  • NOTE: SSO from JumpCloud requires M365 immutable ID, which is obtained by using JumpCloud’s Cloud Directory sync and binding users to JumpCloud. You must perform this step prior to configuring JumpCloud SSO and enabling federation in AAD.
  • You must run PowerShell as an administrator on a Windows X86 computer. The PowerShell commands required will not work on another operating system such as Linux or MacOS.
  • Install these PowerShell Modules from a Windows X86 computer on which you are an administrator:
  • Verify you have “Global administrator” level access to the M365 tenant/organization
    • Go to (Azure Active Directory > Users > select the user > Assigned Roles. Your account should have “Global administrator” listed).
  • Modern Authentication must be enabled on the Microsoft 365 tenant.
    • MFA can not be enabled on the M365 tenant, either through conditional access or on a per-user basis.
      • Note: in M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. JumpCloud MFA being enabled while also having M365 MFA enabled will result in end users encountering two separate MFA prompts during the same login. 
  • Confirm  the following in Azure Active Directory > Custom Domain Names.
    •  
    • The domain you would like to federate (e.g., YOUR_DOMAIN.com) is listed, verified, and not the Primary/(Default).
  • The  .onmicrosoft.com domain or another domain you do want to federate is the Primary/ (Default) domain Set up a global admin account in your default domain (for example, admin@YOUR_DOMAIN.onmicrosoft.com) so that there is an admin account that can sign in outside of SSO as a failsafe.
  • Federation must be disabled on target domain. If you need to disable Federation, see Disabling Microsoft 365 Federation through PowerShell.

Important Considerations

  • Users who are not associated (bound) to the M365/Azure AD Cloud Directory Integration will NOT be able to login using SSO, because they will be missing the required M365 immutable ID.
  • You must run PowerShell as an administrator on a Windows X86 computer. The PowerShell commands required will not work on another operating system such as Linux or MacOS.
  •  In M365, MFA is automatically turned on when security defaults are enabled, regardless of your other MFA settings. JumpCloud MFA being enabled while also having M365 MFA enabled will result in end users encountering two separate MFA prompts during the same login.
  • The default domain in M365 cannot be federated.

Single Sign On with Microsoft 365 Considerations

If you want to connect Microsoft 365 with JumpCloud using the SAML SSO connector, read about the setup considerations before you get started. 

After you review the considerations, see Single Sign On with Microsoft 365

General Considerations

  • See SAML Configuration Notes
  • SSO isn't available for users until they’re synced to Microsoft 365 during JumpCloud's integration with Microsoft 365. Learn how to integrate JumpCloud with Microsoft 365.
  • When SSO is enabled, all users in the email domain you’re configuring SSO for are affected. After SSO is enabled, users aren't able to log in to Microsoft 365 using password authentication.  
  • To successfully complete (SSO) integration between JumpCloud and Microsoft 365, you must use a Global Administrator account in Microsoft 365.
  • The default domain defined in Microsoft 365 must NOT be the domain used for SSO. This usually requires setting the *.onmicrosoft.com domain to default in the Microsoft 365 Portal.
  • At this time, JumpCloud doesn't support integration with GoDaddy's implementation of Microsoft 365. This version has limited identity management capabilities that require SSO login with GoDaddy's services to operate appropriately. Because of these requirements, we are prohibited from making changes to identities with the GoDaddy integration.
  • Microsoft Applications: After a Microsoft 365 domain is federated, the Microsoft applications your employees use to access their email may work differently, especially older “legacy” applications. 
  • See Configuring Microsoft 365 as a SAML SSO Service Provider.

AD Sync Considerations

  • SSO with existing AD Sync - If you want to use JumpCloud's SSO, but still use a local Active Directory to manage your Microsoft 365 users, you must import your users into JumpCloud using the Directories tool before SSO becomes available.

    Note: If AD Directory Sync is active for your organization, JumpCloud isn't able to update your users in Microsoft 365. SSO will still function based on users' JumpCloud log in.
  • If you are migrating your Microsoft 365 users from AD Sync to JumpCloud management, JumpCloud can't manage the users until Directory Sync is disabled.

Get-MsolCompanyInformation

  • Select the DirectorySynchronizationEnabled field.
  • To disable, run the command:

Set-MsolDirSyncEnabled -EnableDirSync $false

Note: This setting applies to all domains in your Microsoft 365 account, not just SSO domains

iOS Considerations

The iOS Mail client supports SSO.  If you want to use JumpCloud’s SSO with the iOS Mail client, make sure to follow the steps below during configuration.

  • On the device go to Settings > Mail > Accounts > Exchange
  • Enter your email address and a description and click "Next".
  • Click Sign In, this will trigger the Safari redirect to the JumpCloud User Portal.