JumpCloud offers out-of-box integration directly with Office 365 for the purpose of unifying identity between products. The functionality allows for:
- Import of pre-existing Office 365 Accounts into JumpCloud
- Export (provisioning) of new accounts into Office 365
- Continual synchronization from JumpCloud to Office 365 Accounts
- End-user self-service account management
JumpCloud's 'relationship' with Office 365 is to act as the authoritative source of identity, governing Office 365 User Accounts. This enables Office 365 to be another resource tied to JumpCloud's authoritative version of the employee's identity along with other resources such as the user's Mac, Windows and Linux systems, WiFi access, SAML and LDAP-backed web applications and more.
- An active Microsoft Office 365 domain
- A Global Administrator of your Office 365 domain to properly integrate JumpCloud and Office 365. A Global Administrator service account is recommended.
- User accounts with Office 365 must not be enabled for multi-factor authentication. This is currently unsupported with the JumpCloud Office 365 Directory integration.
Authentication and Integrating JumpCloud with Office 365
Importing Office 365 User Accounts
Direct Binding via User Details
Binding to Office 365 via Tags
Binding to Office 365 via Groups
Provisioning (Exporting) New User Accounts to Office 365
Enforcing Password Expiration
On-going User Account Management and Synchronization
1. Log in to the JumpCloud Administrator Console. In the Directories object, select the Office 365 tab and choose the Authorize Office 365 Sync button.
2. JumpCloud will open a session for you to log in to Microsoft Office Online. Log in with a Global Administrator, preferably a service account. This account will maintain a persistent connection between JumpCloud and Office 365 in order to perform all synchronizations, imports, and exports.
3. Microsoft will then display the items JumpCloud needs permissions to access and perform its integration duties. Select 'Accept' and upon validation, you will proceed automatically to Step 2 below:
JumpCloud will immediately launch into an Import User session in a new tab. This tab can be closed if the user import will take place later. To continue importing users, select a user or users to import into JumpCloud, then select the "Import Users" button at the bottom when all selections have been made:
- Successful import of an account will result in the following status:
- An unsuccessful import, such as when the user is already registered in JumpCloud:
NOTE: When users are imported into JumpCloud, the Username field will be populated with the Alias attribute of the user in Office 365. If the Alias is unavailable, the username will be sourced from the email address with the @domain.com portion removed.
After a successful import, return to the main Users list. The imported users will be set to an inactive state. At this point either:
a. Manually activate the user by setting the password in the User details. This allows the user to be active in the JumpCloud directory for use with other resources, and later bind with Office 365 for ongoing synchronization.
- OR -
b. Bind the user to Office 365 for self-activation and immediate ongoing synchronization with Office 365.
There are two methods for binding the user to Office 365:
- Direct - In the User Details section, select 'Office 365' on the Directories tab
- Tags - In the Tags object, bind this user in the "Provisioning - Office 365 Tag." This process will send an email to the address associated with the user to self-activate their account by setting their own password. For this method, perform the following steps:
Direct Binding via User Details
1. With the users imported into JumpCloud, go to the User Details > Directories tab.
2. Select 'Office 365' in the list of Directories, then select 'save user'
Binding to Office 365 via Tags
Once saved, either of these binding methods will cause a system generated email to be sent to the current email address of the user. The user will display as active in the console when they complete the process by setting their password.
Binding to Office 365 via Groups
If your organization was created before Tuesday, April 11, 2017, see Binding to Office 365 via Tags.
a. Navigate to the Users list in the JumpCloud admin UI and select '+' to add a new user.
b. Fill in the required User account information. In order for the new account to be provisioned in Office 365, the email must be that of your domain and unique to your organization.
When adding users who are new to JumpCloud, and new to Office 365 (for example, new hires), you must follow the below sequence of steps:
- Add the new user to JumpCloud, setting a default password (use this step if Office 365 is also managing email chores, i.e. JumpCloud cannot send them an email, as they do not yet have an Office 365 email account). Further, if you don't specify a password when creating the user, JumpCloud will no longer be able to send emails to that user going forward, and you'll have to contact JumpCloud support to unlock the user's email.
- Add the new user to Office 365 by selecting 'Office 365' under 'Directories' in the User Details section or via the Provisioning-Office 365 tag.
- Set a new password on the user account. This pushes the password to Office 365, and any future password updates will automatically be pushed to Office 365. If you do not complete this step, your users will not be able to log in to their Office 365 account.
c. With the verified account now created, proceed to the Provisioning - Office 365 Tag and select this user and 'Save':
When returning to the Office 365 administrator dashboard, you will see the account listed in the user's list. At this point all necessary licensing assignments, etc, can take place within Microsoft's administrator dashboard.
NOTE: It may take up to 60 seconds for Office 365 to complete its account creation process.
Once the account synchronization has been established between JumpCloud and Office 365, you must perform the following steps to ensure that JumpCloud remains the master for password expiration for users in Office 365:
1. Navigate to the Office 365 administrator dashboard and select Security & privacy under the Settings option in the Office 365 administrator navigation menu.
2. Continue to select Edit in the top-right of the Password policy panel.
3. Within the Password policy dialogue window, turn the default Off toggle for Set user passwords to never expire to On.
NOTE: You will notice that when you toggle this setting to On, a popup will appear adjacent to this setting declaring 'If you turn this on, passwords will never expire for any user in your organization. We don't recommend this as it's a security risk.' You may disregard this warning as password expiration settings for users in Office 365 will now be dictated through JumpCloud.
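Once the tenant-wide never-expire setting is On, any Office 365 account that is not bound to JumpCloud has no password expiration enforced by either side. The following is an added example (not JumpCloud or Microsoft code) that audits a user list for those accounts, for bound accounts that violate the no-MFA prerequisite, and for imports that the username rule above would map to the same name. The record fields and sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; the field names are assumptions of this example,
# not an export format defined by JumpCloud or Microsoft.
O365_USERS = [
    {"alias": "asmith", "email": "alice.smith@example.com", "mfa_enabled": False},
    {"alias": "",       "email": "bob@example.com",         "mfa_enabled": True},
    {"alias": "svc-jc", "email": "svc-jc@example.com",      "mfa_enabled": False},
    {"alias": "bob",    "email": "robert@example.com",      "mfa_enabled": False},
]
JUMPCLOUD_BOUND = {"alice.smith@example.com", "bob@example.com"}


def derived_username(user):
    """Import rule from the NOTE: the Alias, else the email minus @domain."""
    alias = (user.get("alias") or "").strip()
    return alias or user["email"].split("@", 1)[0]


def audit(o365_users, bound_emails):
    """Classify Office 365 accounts against the bindings held in JumpCloud."""
    bound = {e.lower() for e in bound_emails}
    names = defaultdict(list)
    report = {"unbound_never_expire": [], "bound_with_mfa": [], "username_clashes": {}}
    for user in o365_users:
        email = user["email"].lower()
        names[derived_username(user).lower()].append(email)
        if email not in bound:
            # Tenant policy is "never expire" and JumpCloud does not govern
            # this account, so nothing enforces password expiration for it.
            report["unbound_never_expire"].append(email)
        elif user.get("mfa_enabled"):
            # Prerequisite: MFA-enabled accounts are unsupported by the integration.
            report["bound_with_mfa"].append(email)
    # Two accounts that the import rule maps to one JumpCloud username.
    report["username_clashes"] = {n: e for n, e in names.items() if len(e) > 1}
    return report


if __name__ == "__main__":
    for finding, value in audit(O365_USERS, JUMPCLOUD_BOUND).items():
        print(finding, value)
```
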
With the accounts synchronized between JumpCloud and Office 365, changes which occur to the account on JumpCloud will propagate immediately to the linked Office 365 account. Those changes occur in the following ways:
Administrative and user changes to the user's profile are synced with Office 365 identities. These include:
- First and Last Name
- Email Address
NOTE: A wider array of user profile attributes will be able to be synched in future releases.
Import Office 365 Users: Launches the import wizard. This can be run as many times as needed and allows you to choose which users you wish to import.
Reactivate Office 365 Sync: This enables an administrator to refresh the tokens of the privileged user accounts that maintain the persistent connection between JumpCloud and the service through OAuth 2.0. This will also help to resolve connection issues and will not result in the 'un-selection' of any currently bound JumpCloud users. We recommend configuring this sync with a service account, as any password change to the account used to configure the sync will deactivate the connection. The OAuth 2.0 token generated during this process has a 90-day expiration period; we will send an email notification reminder to reactivate this connector 1 week prior to expiration.
Deactivate Office 365: This will break the synchronization with Office 365, then unbind any JumpCloud users whose accounts were synced to Office 365 via the Directories tab. Office 365 accounts will not be affected when performing this step. Do not use this unless you intend to no longer use the synchronization function.