New Device Onboarding Experience with EntraID Identity Federation

shawnsong
Rising Star III

Hi Folks,

Last time I shared a post about integrating JumpCloud’s UEM capabilities with an Okta environment by setting up identity federation; shall we do one for EntraID?

Sure we will 😁, and I will follow the same formula.

Let’s dive in!

Considerations & Prerequisites

  • (Recommended) Setting up the cloud directory integration lets you perform user management tasks, such as updating user attributes, creating new users, suspending users, and changing passwords, from JumpCloud.
  • I will focus on the scenario of syncing the password from EntraID to the device; hence JumpCloud must act as the password authority in this setup, and users need to reset their passwords in order to kick off the password sync.
  • Ensure the JumpCloud agent is installed on all devices. (Apple MDM is optional at this stage for macOS.)
  • Set the default user state like this: (screenshot)
  • Configure EntraID SCIM provisioning to JumpCloud.
  • Establish an EntraID identity federation with JumpCloud.
  • (Optional) Create a user group to host the EntraID federation users. You can automate the group memberships via JumpCloud’s Dynamic Groups feature like this: (screenshot)
  • Last but not least, create a routing policy to direct the in-scope users. 

Now it’s all set, let’s dive into a few scenarios to see how it looks from a user perspective. 

Scenario 1 - Onboarding a new user

First, create a new user in Azure AD.

  • Make sure the account is enabled, and set a non-temporary password. (screenshot)
  • (Optional) Do a custom attribute mapping in EntraID if you want to keep the `CostCenter` value for dynamic groups. (screenshots)
  • Now, allow the users to set their password via a JumpCloud activation email:
    • You can do it in bulk like this: (screenshots)
    • Now we are all set, and the user should have a green checkmark like this, indicating we are good to go! (screenshot)
    • If you have set up the JumpCloud <> EntraID directory integration as suggested, JumpCloud will sync the user’s password not only to the device but also back to EntraID from this point on. User passwords are then consistently aligned and managed from one place.

Next, user self-provisioning on the device.

MacOS


Windows

Scenario 2 - Taking over the existing user on the device.

(Piggy-backing on the same steps from my Okta post; they are exactly the same.)

  • You may find the full steps and details here. In our case, just edit the provisioned user like this: (screenshot)
  • Then, bind the user to the device; the Okta password will be channeled to the device via JumpCloud Password Sync: (screenshot)

Scenario 3 - When users change their password on device.

In this setup, users will be able to use the native JumpCloud app (available on both Mac & Windows) to change their passwords on the device, and the new password will sync seamlessly between the device and EntraID.

  • On Windows, after the password change, users can seamlessly keep using the same Windows Hello PIN (or biometric) for login. (screenshot)
  • On MacOS, the user will need to input the previous password in order to regain access to the keychain: (screenshot)

Scenario 4 - Suspending the user.

When it comes to offboarding the user, you can suspend the user (or delete, which is not recommended as the first action) in the JumpCloud admin console. (screenshots)

  • The user session will be ended on the device instantly, and the account will be disabled (not deleted).
  • On Windows, you won’t be able to see the user at the login screen.
  • On MacOS, it looks like this: (screenshot)
  • And on Windows, it will look like this: (screenshot)
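As an added example (not JumpCloud’s or Microsoft’s code, and not part of the original post), the following Python models the provisioning side of the prerequisites above and the suspension in this scenario: it reduces SCIM 2.0 User payloads of the kind an IdP’s SCIM client sends into a small directory record, evaluates dynamic group membership keyed on the enterprise-extension `costCenter` attribute, and applies a deactivation PATCH so the user drops out of the dynamic groups and lands in a suspended (not deleted) state. The sample payloads, the group names and rules, and the state labels are all constructed for the example; the schema URNs and the PatchOp shape come from RFC 7643/7644.

```python
"""Added example: SCIM User payloads -> directory record, dynamic groups, suspension.
Not JumpCloud's implementation; sample data and group rules are constructed."""
import json

# Schema URNs from RFC 7643 (core User, enterprise extension) and RFC 7644 (PatchOp).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: what an IdP's SCIM client sends on POST /Users when the
# CostCenter attribute has been mapped to the enterprise extension.
SAMPLE_CREATE = json.loads("""{
  "schemas": ["%s", "%s"],
  "externalId": "00000000-0000-4000-8000-000000000001",
  "userName": "alice@example.com",
  "active": true,
  "name": {"givenName": "Alice", "familyName": "Example"},
  "%s": {"costCenter": "Engineering"}
}""" % (CORE_USER, ENTERPRISE_EXT, ENTERPRISE_EXT))

# Constructed sample: the PATCH sent when the account is disabled at the IdP.
SAMPLE_DEACTIVATE = {
    "schemas": [PATCH_OP],
    "Operations": [{"op": "Replace", "path": "active", "value": False}],
}

# Constructed dynamic-group rules: group name -> costCenter values that qualify.
GROUP_RULES = {
    "entra-federated-engineering": {"Engineering"},
    "entra-federated-finance": {"Finance"},
}


def parse_scim_user(payload):
    """Reduce a SCIM core+enterprise User resource to the fields the directory
    needs. costCenter is None when the enterprise extension was not mapped,
    which is the case the optional attribute-mapping step above fixes."""
    if CORE_USER not in payload.get("schemas", []):
        raise ValueError("not a SCIM User resource")
    ext = payload.get(ENTERPRISE_EXT, {})
    return {
        "userName": payload["userName"],
        "externalId": payload.get("externalId"),
        "active": bool(payload.get("active", True)),
        "costCenter": ext.get("costCenter"),
    }


def apply_patch(user, patch):
    """Apply the subset of PatchOp this flow relies on: Replace on 'active' and
    on the enterprise costCenter path. Unknown ops/paths raise so a silent
    no-op cannot hide a broken attribute mapping. Returns a new record."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = dict(user)
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":  # IdPs differ in case ("Replace"/"replace")
            raise ValueError("unsupported op: %s" % op["op"])
        path = op.get("path", "")
        if path == "active":
            updated["active"] = bool(op["value"])
        elif path == ENTERPRISE_EXT + ":costCenter":
            updated["costCenter"] = op["value"]
        else:
            raise ValueError("unsupported path: %s" % path)
    return updated


def dynamic_groups(user, rules=GROUP_RULES):
    """Groups the user belongs to under the costCenter rules. A suspended user
    or one without a costCenter value is a member of no dynamic group."""
    if not user["active"] or user["costCenter"] is None:
        return set()
    return {name for name, centers in rules.items() if user["costCenter"] in centers}


def user_state(user):
    """Constructed state labels: 'active' may be bound to devices; 'suspended'
    keeps the account (not deleted) but blocks login and ends sessions."""
    return "active" if user["active"] else "suspended"


if __name__ == "__main__":
    alice = parse_scim_user(SAMPLE_CREATE)
    print(user_state(alice), sorted(dynamic_groups(alice)))
    alice = apply_patch(alice, SAMPLE_DEACTIVATE)
    print(user_state(alice), sorted(dynamic_groups(alice)))
```

Because `apply_patch` raises on any path it does not model, a mapping typo at the IdP surfaces as a provisioning error rather than as a user who silently never joins the federated group.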

That’s it (for now)! Thanks for reading this far as always, and feel free to comment below if you have any questions or feedback.

Catch up on the next one 😀!