- Secure, persistent connectivity between JumpCloud and Office 365.
- Import of pre-existing Office 365 Accounts into JumpCloud.
- Export (provisioning) of new accounts into Office 365.
- Continual synchronization from JumpCloud to Office 365 accounts.
- End-user self-service account management.
- An active Microsoft Office 365 domain.
- A user with the Global administrator role.
- A Global administrator service account is recommended.
- App passwords may be necessary to authenticate legacy endpoints where multi-factor authentication is configured within Office 365.
- If a user is bound to Office 365 during the user creation process and a password is set, the user is created in Office 365; however, their password must be set a second time for it to synchronize with Office 365.
Authorize Office 365 sync
Import existing Office 365 users
Export Attributes to Office 365
Bind and Activate Users to Office 365
Direct Binding via User Details
Binding to Office 365 via Groups
Provisioning (Exporting) New User Accounts to Office 365
Enforcing Password Expiration
On-going User Account Management and Synchronization
- Log into the JumpCloud Administrator Portal: https://console.jumpcloud.com/.
- Go to Directories > Office 365.
- Click Authorize Office 365 Sync.
- JumpCloud will open a session for you to log in to Microsoft Office Online. Log in with a Global administrator account. This account will maintain a persistent connection between JumpCloud and Office 365 to perform all synchronizations, imports, and exports.
- Microsoft will display the items JumpCloud needs permissions to access and perform its integration duties. Click Accept.
After Office 365 is authorized, a new tab opens and is populated with a list of existing active Office 365 users. You can close this tab and import at a later time, or you can continue importing users.
- Select one or more users to import.
- Click Import Users at the bottom of the list.
- The Import Complete dialog shows the results of the import. If you close this dialog the tab closes.
- In the admin console, imported users are inactive until their registration is complete.
NOTE: When users are imported into JumpCloud, the Username field is populated with the Alias attribute of the user in Office 365. If an alias is unavailable, the username is sourced from the email address. The @domain.com portion of the email address is not included.
Export Attributes to Office 365
How does attribute data flow between Office 365 and JumpCloud after integration?
Data flow for synced user attributes:
- When you import a user from Office 365 - if data exists for a user’s attributes in Office 365 when they are imported, data is written to the equivalent user attributes in JumpCloud.
- When you bind that user to Office 365 in JumpCloud - attributes in Office 365 are automatically overwritten with data from JumpCloud. Further, any subsequent changes made to the user’s attributes in JumpCloud are automatically pushed to the corresponding attributes in Office 365.
Important: Take caution when selecting attributes to export. After you select an attribute to export to Office 365 it is immediately overwritten with data from JumpCloud, and you could potentially lose data stored for that attribute in Office 365. See Attribute Data to learn about how attribute data is exported to Office 365.
Attributes that are always exported to Office 365:
- First name
- Last name
- Company Email
Attributes you can choose to export to Office 365:
- Work Location
- Work Phone
- Work Street Address
- Work City
- Work State
- Work Postal Code
- Work Country
- Work Cell
The following table outlines how attribute data is exported from JumpCloud’s API to Office 365’s API. The attribute listed in the JumpCloud API Attribute Name column is exported to the attribute listed in the Office 365 API Attribute Name column.
Go here for related API information.
|JumpCloud API Attribute Name||Office 365 API Attribute Name|
The following table outlines how attribute data is exported from JumpCloud’s UI to Office 365’s UI. The attribute listed in the JumpCloud UI Attribute Name column is exported to the attribute listed in the Office 365 UI Attribute Name column. Be aware that Office 365 and Azure AD use multiple UI labels for the same data. The following Office 365 UI Attribute names represent what is used when an administrator adds or edits details for a user in Office 365.
|JumpCloud UI Attribute Name||Office 365 UI Attribute Name|
|First Name||First name|
|Last Name||Last name|
|Job Title||Job title|
|Work Phone||Office Phone|
|Work Street Address||Street Address|
|Work State||State or province|
|Work Postal Code||ZIP or postal code|
|Work Country||Country or region|
|Work Cell||Office phone|
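The overwrite caution above can be checked before a user is bound. The following is an added example, not JumpCloud's own code: it compares one user's JumpCloud values with the values currently stored in Office 365, using UI labels from the table above as keys. The records are constructed, and because the page does not say how an empty JumpCloud value is exported, that case is flagged for review rather than assumed.

```python
# Added example: report which Office 365 values a bind/export would replace.
# Keys are the UI labels from the table above; all records are constructed.

# JumpCloud UI label -> Office 365 UI label (subset of the table above).
UI_MAP = {
    "First Name": "First name",
    "Last Name": "Last name",
    "Work Street Address": "Street Address",
    "Work State": "State or province",
    "Work Postal Code": "ZIP or postal code",
    "Work Country": "Country or region",
}
ALWAYS_EXPORTED = ("First Name", "Last Name")  # exported regardless of selection


def overwrite_report(jc_user, o365_user, selected=()):
    """Return (o365_label, o365_value, jc_value, status) for each attribute
    whose stored Office 365 value differs from what JumpCloud would push."""
    findings = []
    for jc_label in dict.fromkeys(ALWAYS_EXPORTED + tuple(selected)):
        if jc_label not in UI_MAP:
            raise KeyError(f"no Office 365 mapping known for {jc_label!r}")
        o365_label = UI_MAP[jc_label]
        new = (jc_user.get(jc_label) or "").strip()
        old = (o365_user.get(o365_label) or "").strip()
        if old == new or not old:
            continue  # nothing stored in Office 365 would be lost
        # How an empty JumpCloud value is exported is not stated on the page,
        # so that case is flagged for manual review instead of assumed.
        status = "overwritten" if new else "review: JumpCloud value empty"
        findings.append((o365_label, old, new, status))
    return findings


# Constructed sample records for one user, before binding.
JC_USER = {"First Name": "Dana", "Last Name": "Reyes",
           "Work Street Address": "", "Work State": "CO", "Work Country": "US"}
O365_USER = {"First name": "Dana", "Last name": "Reyes-Holt",
             "Street Address": "12 Example Way",
             "State or province": "Colorado", "Country or region": "US"}
SELECTED = ("Work Street Address", "Work State", "Work Country")

if __name__ == "__main__":
    for row in overwrite_report(JC_USER, O365_USER, SELECTED):
        print("%-20s %-18r -> %-8r %s" % row)
```

Run it against an export of both directories before selecting attributes, and resolve each reported row in whichever system should hold the authoritative value.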
After a successful import, return to the Users list. The imported users are set to an inactive state. At this point, you can either:
a. Manually activate the user by setting the password in their user details. This allows the user to be active in the JumpCloud directory for use with other resources, and later bind with Office 365 for ongoing synchronization.
- OR -
b. Bind the user to Office 365 for self-activation and ongoing synchronization with Office 365 immediately.
There are two methods for binding the user to Office 365:
- Direct - directly bind a user to Office 365.
- Groups - bind multiple users by adding them to a group that is bound to Office 365.
Perform the following steps for binding an individual user:
Direct Binding from User Details
1. From the Users list, select a user to view their details, then go to the User Details Directories tab.
2. In the list of directories, select Office 365, then click save user.
Binding to Office 365 from Groups
For information on binding a user to Office 365 using JumpCloud groups, see Binding Users to Resources.
a. In the JumpCloud admin portal, go to the Users list and click + to add a new user.
b. Enter the required user account information. For the new account to be provisioned in Office 365, the email must be that of the primary domain mapped within Office 365, and unique to your organization.
When adding users who are new to JumpCloud, and new to Office 365, do the following steps:
- Add the new user to JumpCloud, setting a default password. Use this step if Office 365 is also managing email chores. In this case, JumpCloud can't send them an email, because they don't have an Office 365 email account yet. Also, if you don't specify a password when you create the user, JumpCloud won't be able to send emails to that user going forward, and you'll have to contact JumpCloud support to unlock the user's email.
- Add the new user to Office 365 by selecting Office 365 from the User Details Directories tab.
- Set a new password on the user account - this pushes the password to Office 365, and any future password updates will automatically be pushed to Office 365. If you don't complete this step, your users won't be able to log in to their Office 365 account.
The previous steps and their sequence are critical to successfully integrating Office 365 with JumpCloud when you provision Office 365 to new JumpCloud users.
c. With the verified account now created, go to the Office 365 Group, select this user, then click save user.
When you return to the Office 365 administrator dashboard, you will see the account listed in the users list. At this point, all necessary licensing assignments, etc. can take place in Microsoft's administrator dashboard.
NOTE: It may take up to 60 seconds for Office 365 to complete its account creation process.
After the account synchronization has been established between JumpCloud and Office 365, perform the following steps to ensure that JumpCloud remains the master for password expiration for users in Office 365:
1. Go to the Office 365 administrator dashboard and go to Settings > Security & privacy in the Office 365 administrator navigation menu.
2. Click Edit in the Password policy panel.
3. In the Password policy panel, toggle the Set user passwords to never expire option to On, then click Save.
With the accounts synchronized between JumpCloud and Office 365, changes which occur to the account on JumpCloud will propagate immediately to the linked Office 365 account. Those changes occur in the following ways:
Administrative and user changes to the user's profile are synced with Office 365 identities, including:
- First and Last Name
- Email Address
NOTE: While the username portion of the email can be changed (<username>@yourdomain.com), any modification to the domain portion of the email (@mydomain.com) will have no effect on Office 365 if the accounts are already in sync. Office 365 will simply ignore any inbound attempts to modify the domain section of the email. In these situations, any other data changes (e.g. First Name) will also be ignored.
NOTE: A wider array of user profile attributes will be able to be synched in future releases.
Import Office 365 Users: Launches the import wizard. This can be run as many times as needed and allows you to choose which users you wish to import.
Reactivate Office 365 Sync: This enables an administrator to refresh the tokens of the privileged user accounts that maintain the persistent connection between JumpCloud and the service through OAuth 2.0. This will also help to resolve connection issues and will not result in the removal or clearing of any currently bound JumpCloud users. We recommend configuring this sync with a service account, as any password change to the account used to configure the sync will deactivate the connection. The OAuth 2.0 token generated during this process has a 90-day expiration period; we will send an email notification reminder to reactivate this connector one week prior to expiration.
Deactivate Office 365: This will break the synchronization with Office 365, then unbind any JumpCloud users whose accounts were synced to Office 365 via the directories tab. Office 365 accounts will not be affected when performing this step. Do not use this unless you intend to no longer use the synchronization function.