Office 365 User Import, Provisioning, and Sync

JumpCloud offers out-of-box integration directly with Office 365 for the purpose of unifying identity between products. The functionality allows for:

  • Secure, persistent connectivity between JumpCloud and Office 365
  • Import of pre-existing Office 365 Accounts into JumpCloud
  • Export (provisioning) of new accounts into Office 365
  • Continual synchronization from JumpCloud to Office 365
  • End-user self-service account management

JumpCloud's relationship with Office 365 is that of the authoritative source of identity, governing Office 365 user accounts. Office 365 thereby becomes another resource tied to JumpCloud's authoritative version of the employee's identity, along with other resources such as the user's Mac, Windows and Linux systems, WiFi access, SAML and LDAP-backed web applications, and more.


Prerequisites:

  • An active Microsoft Office 365 domain 
  • A Global Administrator of your Office 365 domain to properly integrate JumpCloud and Office 365. A Global Administrator service account is recommended.

Note:

User accounts with Office 365 must not be enabled for multi-factor authentication. This is currently unsupported with the JumpCloud Office 365 Directory integration.

 

1. Authentication and Integrating JumpCloud with Office 365

 

     a. Log in to the JumpCloud Administrator Console. In the Directories object, select the Office 365 tab and choose the Authorize Office 365 Sync button.



     b. JumpCloud will open a session for you to log in to Microsoft Office Online. Log in with a Global Administrator account, preferably a service account. This account will maintain a persistent connection between JumpCloud and Office 365 in order to perform all synchronizations, imports, and exports.



     c. Microsoft will then display the permissions JumpCloud needs in order to perform its integration duties. Select 'Accept'; upon validation, you will proceed automatically to Step 2 below:

 

 

2. Importing Office 365 User Accounts


     JumpCloud will immediately launch into an Import User session in a new tab. This tab can be closed if the user import will take place later. To continue importing users, select a user or users to import into JumpCloud, then select the "Import Users" button at the bottom when all selections have been made:

  • Successful import of an account will result in the following status:
  • An unsuccessful import, such as when the user is already registered in JumpCloud:


NOTE: When users are imported into JumpCloud, the Username field is populated with the Alias attribute of the user in Office 365. If the Alias is unavailable, the username is taken from the email address with the @domain.com portion removed.

 

3. Bind and activate users to Office 365
 

     After a successful import, return to the main Users list. The imported users will be set to an inactive state. At this point, either:

     a. Manually activate the user by setting the password in the User details.  This allows the user to be active in the JumpCloud directory for use with other resources, and later bind with Office 365 for ongoing synchronization.

     - OR -

     b. Bind the user to Office 365 for self-activation and ongoing synchronization with Office 365 immediately.

There are two methods for binding the user to Office 365:
  • Direct - In the User Details section, select 'Office 365' on the Directories tab
  • Tags - In the Tags object, bind this user in the "Provisioning - Office 365 Tag." This process will send an email to the address associated with the user to self-activate their account by setting their own password. For this method, perform the following steps:


Direct binding via User Details

          i. With the users imported into JumpCloud, go to the User Details > Directories tab.
          ii. Select 'Office 365' in the list of Directories, then select 'save user'


          

Binding to Office 365 via Tags


          iii. Go to the Tags object and edit the "Provisioning - Office 365 Tag". This is a system generated tag, created when the Office 365 integration is activated.

 


          iv. On the Users tab, select the inactive users and save the tag

 


Once saved, either of these binding methods will cause a system generated email to be sent to the current email address of the user. The user will display as active in the console when they complete the process by setting their password.

 

4. Provisioning (exporting) New User Accounts to Office 365


     a. Navigate to the Users list in the JumpCloud admin UI and select '+' to add a new user.
     b. Fill in the required User account information. In order for the new account to be provisioned in Office 365, the email must be that of your domain and unique to your organization.

When adding users who are new to JumpCloud, and new to Office 365 (for example, new hires), you must follow the below sequence of steps:
  1. Add the new user to JumpCloud, setting a default password (use this step if Office 365 is also managing email chores, i.e. JumpCloud cannot send them an email, as they do not yet have an Office 365 email account). Further, if you don't specify a password when creating the user, JumpCloud will no longer be able to send emails to that user going forward, and you'll have to contact JumpCloud support to unlock the user's email.
  2. Add the new user to Office 365 by selecting 'Office 365' under 'Directories' in the User Details section or via the Provisioning-Office 365 tag.
  3. Set a new password on the user account. This pushes the password to Office 365, and any future password updates will automatically be pushed to Office 365. If you do not complete this step, your users will not be able to log in to their Office 365 account.

NOTE: The above steps and their sequence are critical to proper operation of the Office 365 Integration with JumpCloud when provisioning new users at this time.

     c. With the verified account now created, proceed to the Provisioning - Office 365 Tag and select this user and 'Save': 



When returning to the Office 365 administrator dashboard, you will see the account listed in the users list. At this point all necessary licensing assignments, etc., can take place within Microsoft's administrator dashboard.


NOTE: It may take up to 60 seconds for Office 365 to complete its account creation process.

 

5. Enforcing Password Expiration

Once the account synchronization has been established between JumpCloud and Office 365, you must perform the following steps to ensure that JumpCloud remains the master for password expiration for users in Office 365: 

1. Navigate to the Office 365 administrator dashboard and select Security & privacy under the Settings option in the Office 365 administrator navigation menu.
2. Continue to select Edit in the top-right of the Password policy panel.

3. Within the Password policy dialogue window, turn the default Off toggle for Set user passwords to never expire to On. 


NOTE: You will notice that when you toggle this setting to On, a popup will appear adjacent to this setting declaring 'If you turn this on, passwords will never expire for any user in your organization. We don't recommend this as it's a security risk.' You may disregard this warning as password expiration settings for users in Office 365 will now be dictated through JumpCloud. 


6. On-going User Account Management and Synchronization

With the accounts synchronized between JumpCloud and Office 365, changes which occur to the account on JumpCloud will propagate immediately to the linked Office 365 account. Those changes occur in the following ways:

Administrative and user changes to the user's profile are synced to the linked Office 365 identity. The synced attributes are:
  • First and Last Name
  • Password
  • Email Address

NOTE: While the username portion of the email can be changed (e.g., <username>@yourdomain.com), any modification to the domain portion of the email (e.g., @mydomain.com) will have no effect on Office 365 if the accounts are already in sync. Office 365 will simply ignore any inbound attempts to modify the domain section of the email. In these situations, any other data changes (e.g. First Name) will also be ignored.

NOTE: A wider array of user profile attributes will be able to be synched in future releases. 

 

7. Disabling Office 365 Accounts


JumpCloud will also provide the ability to remotely disable Office 365 accounts from JumpCloud's admin console. To disable a user, perform the following steps:
     a. In the "User Details" section for the user, de-select the 'Office 365' tag in Directories OR in the "Provisioning - Office 365" Tag, de-select the user you wish to disable and save the Tag. This action will disable the account nearly immediately. 
     b. Within the Office 365 admin dashboard, the user will then be set to a "Sign-in blocked" state. This can be edited in Office 365 but will be immediately over-written by JumpCloud, re-setting the user's status to "blocked."
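
The username rule from section 2, the multi-factor note, the ignored domain change in section 6 and the "Sign-in blocked" state in section 7 can all be checked against exported user lists. The following Python is an added example, not JumpCloud code; the record fields (alias, bound_to_o365, sign_in_blocked, mfa_enabled) and the sample users are assumptions constructed for illustration:

```python
# Added example. Field names are hypothetical export columns, not a JumpCloud
# or Microsoft schema; every record below is constructed sample data.

def import_username(o365_user):
    """Username rule on import: the Alias, else the email's local part."""
    alias = (o365_user.get("alias") or "").strip()
    return alias or o365_user["email"].split("@", 1)[0]

def domain(email):
    return email.rsplit("@", 1)[-1].lower()

def reconcile(jc_users, o365_users):
    """Return sorted (username, issue) findings for drift between directories."""
    o365_by_name = {import_username(u).lower(): u for u in o365_users}
    findings = []
    for jc in jc_users:
        name = jc["username"].lower()
        o365 = o365_by_name.get(name)
        if o365 is None:
            if jc["bound_to_o365"]:
                findings.append((name, "bound but no Office 365 account found"))
            continue
        if not jc["bound_to_o365"]:
            # Unbinding should leave the account in "Sign-in blocked".
            if not o365["sign_in_blocked"]:
                findings.append((name, "not bound; Office 365 sign-in still allowed"))
            continue
        # Office 365 ignores the whole update when the domain part changes.
        if domain(jc["email"]) != domain(o365["email"]):
            findings.append((name, "email domain differs; updates are ignored"))
        if o365["mfa_enabled"]:
            findings.append((name, "MFA enabled; unsupported by the integration"))
    return sorted(findings)

JC_USERS = [
    {"username": "alice", "email": "alice@example.com", "bound_to_o365": True},
    {"username": "bob", "email": "bob@example.org", "bound_to_o365": True},
    {"username": "carol", "email": "carol@example.com", "bound_to_o365": False},
    {"username": "dave", "email": "dave@example.com", "bound_to_o365": True},
]
O365_USERS = [
    {"alias": "alice", "email": "alice@example.com", "mfa_enabled": False, "sign_in_blocked": False},
    {"alias": "", "email": "bob@example.com", "mfa_enabled": True, "sign_in_blocked": False},
    {"alias": "carol", "email": "carol@example.com", "mfa_enabled": False, "sign_in_blocked": False},
]

if __name__ == "__main__":
    for user, issue in reconcile(JC_USERS, O365_USERS):
        print(f"{user}: {issue}")
```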


Synchronization Maintenance

Import Office 365 Users: Launches the import wizard. This can be run as many times as needed and allows you to choose which users you wish to import.

Reactivate Office 365 Sync: This enables an administrator to refresh the tokens of the privileged user accounts that maintain the persistent connection between JumpCloud and the service through OAuth 2.0. This will also help to resolve connection issues and will not result in the 'un-selection' of any currently bound JumpCloud users. We recommend configuring this sync with a service account, as any password change to the account used to configure the sync will deactivate the connection. The OAuth 2.0 token generated during this process has a 90-day expiration period; we will send an email notification reminder to reactivate this connector one week prior to expiration.

Deactivate Office 365: This will break the synchronization with Office 365, then unbind any JumpCloud users whose accounts were synced to Office 365 via the Directories tab. Office 365 accounts will not be affected when performing this step. Do not use this unless you intend to no longer use the synchronization function.


Getting Started: Office 365 Integration | JumpCloud Tutorial

 

Last Updated: Aug 02, 2017 03:24PM MDT
