[IMPORTANT] Please note that this site will be disabled on October 31. In it's place, the new JumpCloud Help Center is live! Check it out here!

Support Center

Office 365 User Import, Provisioning, and Sync

JumpCloud offers direct integration with Microsoft® Office 365TM so you can manage Office 365 users from the JumpCloud administrator portal. The functionality allows for:

 
  • Secure, persistent connectivity between JumpCloud and Office 365.
  • Import of pre-existing Office 365 Accounts into JumpCloud.
  • Export (provisioning) of new accounts into Office 365.
  • Continual synchronization from JumpCloud to Office 365 accounts.
  • End-user self-service account management.  


Prerequisites:

  • An active Microsoft Office 365 domain. 
  • A user with the Global administrator role.
  • A Global administrator service account is recommended.
 

Note:

  • App passwords may be necessary to authenticate legacy endpoints where multi-factor authentication is configured within Office 365.
  • If a user is bound to Office 365 during the user creation process, and a password is set, the user is created in Office 365, however their password will need to be set a second time for it to synchronize with Office 365.

 

Authorize Office 365 sync
Import existing Office 365 users
Export Attributes to Office 365
Bind and Activate Users to Office 365 Direct Binding via User Details
Binding to Office 365 via Groups
Provisioning (Exporting) New User Accounts to Office 365
Enforcing Password Expiration
On-going User Account Management and Synchronization
Synchronization Maintenance

 

Authorize Office 365 sync

 

  1. Log into the JumpCloud Administrator Portal: https://console.jumpcloud.com/.
  2. Go to Directories > Office 365.
  3. Click Authorize Office 365 Sync.


  1.  JumpCloud will open a session for you to login to Microsoft Office Online. Log in with a Global administrator account. This account will maintain a persistent connection between JumpCloud and Office 365 to perform all synchronizations, imports, and exports.


  1.  Microsoft will display the items JumpCloud needs permissions to access and perform its integration duties. Click Accept.

 

Import existing Office 365 users


After Office 356 is authorized, a new tab opens and is populated with a list of existing active Office 365 users. This can be closed to import at a later time or you can continue importing users.
 

  1. Select one or more users to import.


  2. Click Import Users at the bottom of the list. 

    Successful import:


     

    Unsuccessful import:


     
  3. The Import Complete dialog shows the results of the import. If you close this dialog the tab closes.
  4. In the admin console, imported users are inactive until their registration is complete. 


NOTE: When users are imported into JumpCloud, the Username field is populated with the Alias attribute of the user in Office 365. If an alias is unavailable, the username is sourced with the email address. The @domain.com portion of the email address is not included.

Export Attributes to Office 365

How does attribute data flow between Office 365 and JumpCloud after integration?

Data flow for synced user attributes:

  • When you import a user from Office 365 - if data exists for a user’s attributes in Office 365 when they are imported, data is written to the equivalent user attributes in JumpCloud. ​
  • When you bind that user to Office 365 in JumpCloud - attributes in Office 365 are automatically overwritten with data from JumpCloud. Further, any subsequent changes made to the user’s attributes in JumpCloud are automatically pushed to the corresponding attributes in Office 365.
     
With the exception of several attributes that are selected by default, you can choose the user attributes you would like to export to Office 365. Selected attributes are automatically synced with Office 365. This means that after you export an attribute to Office 365, data for that attribute is sent from JumpCloud to Office 365. Likewise, if you choose to stop exporting data for an attribute, it is no longer synced with Office 365. Subsequent changes made to that attribute in JumpCloud are not exported to Office 365.

Important: Take caution when selecting attributes to export. After you select an attribute to export to Office 365 it is immediately overwritten with data from JumpCloud, and you could potentially lose data stored for that attribute in Office 365. See Attribute Data to learn about how attribute data is exported to Office 365.

Attributes that are always exported to Office 365:

  • Calculated: First Name + Last Name (Office 365 *Display Name)
  • Password
  • First name
  • Last name
  • Company Email
*​A user's first name and last name are exported together as Office 365's Display name field. If a user's first or last name is changed in JumpCloud, Office 365's Display name field updates with the new name value.

Attributes you can choose to export to Office 365:

  • Title
  • Department
  • Work Location
  • Work Phone
  • Work Street Address
  • Work City
  • Work State
  • Work Postal Code
  • Work Country
  • Work Cell
Attribute Data

The following table outlines how attribute data is exported from JumpCloud’s API to Office 365’s API. The attribute listed in the JumpCloud API Attribute Name column is exported to the attribute listed in the Office 365 API Attribute Name column.

Go here here for related API information.

JumpCloud API Attribute Name Office 365 API Attribute Name
Calculated: First Name + Last Name    displayName
firstname givenName
lastname surname
password password
email userPrincipalName
jobTitle jobTitle
department department
location officeLocation
phoneNumbers.work.number businessPhone
addresses.work.streetAddress streetAddress
addresses.work.locality city
addresses.work.region state
addresses.work.postalCode postalCode
addresses.work.country country
phoneNumbers.work.number mobilePhone
phoneNumbers.mobile.number mobilePhone

The following table outlines how attribute data is exported from JumpCloud’s UI to Office 365’s UI. The attribute listed in the JumpCloud UI Attribute Name column is exported to the attribute listed in the Office 365 UI Attribute Name column. Be aware that Office 365 and Azure AD use multiple UI labels for the same data. The following Office 365 UI Attribute names represent what is used when an administrator adds or edits details for a user in Office 365.

JumpCloud UI Attribute Name   Office 365 UI Attribute Name
Calculated: First Name + Last Name Display name
First Name First name
Last Name Last name
Password Password
Company Email Email
Job Title Job title
Department  Department 
Location  Office
Work Phone Office Phone
Work Street Address Street Address
Work City City
Work State State or province
Work Postal Code ZIP or postal code
Work Country Country or region
Work Cell  Office phone

Bind and Activate Users to Office 365
 

     After a successful import, return to the Users list. The imported users are set to an inactive state. At this point, you can either:

     a. Manually activate the user by setting the password in their user details. This allows the user to be active in the JumpCloud directory for use with other resources, and later bind with Office 365 for ongoing synchronization.

     - OR -

     b. Bind the user to Office 365 for self-activation and ongoing synchronization with Office 365 immediately.

There are two methods for binding the user to Office 365:

  • Direct - directly bind a user to Office 365.
  • Groups - bind multiple users by adding them to a group that is bound to Office 365.

Perform the following steps for binding an individual user: 


Direct Binding from User Details

          1. From the Users list, select a user to view their details, then go to the User Details Directories tab.
           2. In the list of directories, select Office 365, then click save user.


          


Binding to Office 365 from Groups


For information on binding a user to Office 365 using JumpCloud groups, see Binding Users to Resources.

 

Provisioning (Exporting) New User Accounts to Office 365


     a. In the JumpCloud admin portal, go to the Users list and click + to add a new user.
     b. Enter the required user account information. For the new account to be provisioned in Office 365, the email must be that of the primary domain mapped within Office 365, and unique to your organization. 

When adding users who are new to JumpCloud, and new to Office 365, do the following steps:

  1. Add the new user to JumpCloud, setting a default password. Use this step if Office 365 is also managing email chores. In this case, JumpCloud can't send them an email, because they don't have an Office 365 email account yet. Also, if you don't specify a password when you create the user, JumpCloud won't be able to send emails to that user going forward, and you'll have to contact JumpCloud support to unlock the user's email.
  2. Add the new user to Office 365 by selecting Office 365 from the User Details Directories tab.
  3. Set a new password on the user account - this pushes the password to Office 365, and any future password updates will automatically be pushed to Office 365. If you don't complete this step, your users won't able to log in to their Office 365 account.

Important: The previous steps and their sequence are critical to successfully integrating Office 365 with JumpCloud when you provision Office 365 to new JumpCloud users.


     c. With the verified account now created, go to the Office 365 Group, select this user, then click save user



When you return to the Office 365 administrator dashboard, you will see the account listed in the user's list. At this point, all necessary licensing assignments, etc. can take place in Microsoft's administrator dashboard.


NOTE: It may take up to 60 seconds for Office 365 to complete its account creation process

 

Enforcing Password Expiration


After the account synchronization has been established between JumpCloud and Office 365, perform the following steps to ensure that JumpCloud remains the master for password expiration for users in Office 365: 

1. Go to the Office 365 administrator dashboard and go to SettingsSecurity & privacy in the Office 365 administrator navigation menu.



2. Click Edit in the Password policy panel.



3. In the Password policy panel, toggle the Set user passwords to never expire option to On, then click Save



On-going User Account Management and Synchronization

With the accounts synchronized between JumpCloud and Office 365, changes which occur to the account on JumpCloud will propagate immediately to the linked Office 365 account. Those changes occur in the following ways:

Administrative and User changes to the user's profile synched with Office 365 identities which include:

  • First and Last Name
    Note that changes made to either a user's first or last name also update the calculated field that maps to Office 365's Display Name field.
  • Password
  • Email Address

NOTE: While the username portion of the email can be changed (<username>@yourdomain.com), any modification the domain portion of the mail (@mydomain.com) will have no effect on Office 365 if the accounts are already in sync. Office 365 will simply ignore any inbound attempts to modify the domain section of the email. In these situations, any other data changes (e.g. First Name) will also be ignored.

NOTE: A wider array of user profile attributes will be able to be synched in future releases. 

 

Disabling Office 365 Accounts


JumpCloud will also provide the ability to remotely disable Office 365 accounts from JumpCloud's admin console. To disable a user, perform the following steps:
     a. In the user's User Details Directories tab, clear the Office 365 group OR in the Provisioning - Office 365 group details, remove the user you want to disable and save the group. This action will disable the account almost immediately. 
     b. Within the Office 365 admin dashboard, the user will then be set to a "Sign-in blocked" state. This can be edited in Office 365 but will be immediately over-written by JumpCloud, re-setting the user's status to "blocked."


Synchronization Maintenance

Import Office 365 Users: Launches the import wizard. This can be run as many times as needed and allows you to choose which users you wish to import.

Reactivate Office 365 Sync: This enables an administrator to refresh tokens of privileged user accounts who are maintaining the persistent connection between JumpCloud and the service through OAuth 2.0. This will also help to resolve connection issues and will not result in the removal or clearing of any currently bound JumpCloud users. We recommend configuring this sync with a service account as any password change to the account used to configure the sync will deactivate the connection. The OAuth 2.0 token generated during this process has a 90-day expiration period; we will send an email notification reminder to reactivate this connector 1-week prior to expiration.

Deactivate Office 365: This will break the synchronization with Office365, then unbind any JumpCloud users whose accounts were synced to Office365 via the directories tab. Office365 accounts will not be affected when performing this step. Do not use this unless you intend to no longer use the synchronization function.


Getting Started: Office 365 Integration | JumpCloud Tutorial



 

 

Last Updated: May 03, 2019 02:00PM MDT

Related Articles
desk-forwarding@jumpcloud.com
https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete