Configuring Zoom with Microsoft Entra (previously known as Azure)

You can connect Zoom with Microsoft Entra to use your company's Microsoft Entra credentials to log in to your Zoom account via Single Sign-On (SSO). You can assign users Zoom licenses based on their group in Microsoft Entra.

Note: As of September 8, 2023, customers are longer be able to create new JWT apps. Authentication for tokens created using the JWT app type will stop functioning on this day, so to prevent disruption we recommended migrating to OAuth authentication as soon as possible.

Requirements for configuring Zoom with Microsoft Entra

Zoom account owner or admin privileges
Business or Education account with approved Vanity URL
A Microsoft Entra ID subscription
Microsoft Entra admin privileges

Note: Without an approved associated domain, users will need to confirm to be provisioned on the account through an email automatically sent to them. Provisioning will take place without email confirmation for any users falling under an approved domain.

How to add Zoom from the Microsoft Entra application gallery
How to configure Single Sign-On with Microsoft Entra
How to configure Multiple vanity URLs & IDPs SSO
How to assign Microsoft Entra users and groups to Zoom
How to set up Group Mapping (Optional)
(Optional) Mapping Basic Information
(Optional) How to set up Auto Provisioning (SCIM) in Microsoft Entra ID

How to add Zoom from the Microsoft Entra application gallery

Sign in to the Microsoft Entra admin center.
Browse to Identity > Applications > Enterprise applications > All applications.
Search for and click Zoom.
Cick Add.

How to configure Single Sign-On with Microsoft Entra

Sign in to the Microsoft Entra admin center.
Browse to Identity > Applications > Enterprise applications > All applications.
Search for the Zoom application and click on the Zoom tile.
(Optional) On the left of the page under Name, you can rename the application as you wish.
Note: We highly recommend renaming the app to avoid confusion with other Zoom applications.
Click Create.
The overview page will appear once complete.
Click Set up single sign-on.
Under Select a single sign-on method, select SAML.
Click the edit icon for Basic SAML Configuration.
Fill out the following fields:
- For Identifier (Entity ID), enter your vanity URL without https://.
  Eg. [yourvanityurl].zoom.us
- For Reply URL, enter https://[yourvanityurl].zoom.us/saml/SSO
- For Sign on URL, enter https:// followed by your Vanity URL.
  Eg. https://[yourvanityurl].zoom.us
Click Save.
To view the claims being passed by Microsoft Entra, click the pencil icon in the Attributes & Claims section.
Note: You can make changes as needed by your organization.
Under SAML Signing Certificate, click Download next to Certificate (Base 64) and save it to your computer.
Scroll to Set up Zoom and expand the Configuration URLs section.
Open a new browser tab/window and sign in to the Zoom web portal.
In Zoom, in the navigation menu, under Admin, click Advanced, then click Single Sign-On.
In Microsoft Entra, navigate under the Configuration URLs section, then do the following from Microsoft Entra to Zoom:
- Copy the Login URL and paste it into the Sign-in page URL field in the SAML configuration page.
- (Optional) Copy the Logout URL and paste it into the Sign-out Page URL in the SAML Configuration page.
- Open the certificate you downloaded in a text editor. Copy the portion between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----and paste it into the Identity provider certificate field in the SAML configuration page.
- Copy Microsoft Entra ID and paste it into the Issuer (IDP Entity ID) field in the SAML configuration page.
In Zoom, for Service Provider (SP) Entity ID, select the version of your vanity URL without https, eg. yourvanityurl.zoom.us
In Zoom, for Binding, select HTTP-Post.
In Zoom, click Save Changes.

How to configure Multiple vanity URLs & IDPs SSO

Sign in to the Microsoft Entra admin center.
Browse to Identity > Applications > Enterprise applications > All applications.
Search for the Zoom application and click on the Zoom tile.
(Optional) On the left of the page under Name, you can rename the application as you wish.
Note: We highly recommend renaming the app to avoid confusion with other Zoom applications.
Click Create.
The overview page will appear once complete.
Click Single sign-on.
Under Select a single sign-on method, select SAML.
Click the edit icon for Basic SAML Configuration.
Fill out the following fields:
- For Identifier (Entity ID), enter the https://zoom.us/sp/{unique id}
- For Reply URL, enter https://zoom.us/saml2/sso/{unique id}
- For Sign on URL, enter https:// followed by your Vanity URL.
  Eg. https://[yourvanityurl].zoom.us
Under SAML Signing Certificate, click Download next to Certificate (Base 64) and save it to your computer.
Scroll to Set up Zoom and expand the Configuration URLs section.
Open a new browser tab/window and sign in to the Zoom web portal.
In Zoom, in the navigation menu, under Admin, click Advanced, then click Single Sign-On.
Click Add SSO configuration
In Microsoft Entra, navigate under the Configuration URLs section, then do the following from Microsoft Entra to Zoom:
- Copy the Login URL and paste it into the Sign-in page URL field in the SAML configuration page.
- (Optional) Copy the Logout URL and paste it into the Sign-out Page URL in the SAML Configuration page.
- Open the certificate you downloaded in a text editor. Copy the portion between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----and paste it into the Identity provider certificate field in the SAML configuration page.
- Copy Microsoft Entra ID and paste it into the Issuer (IDP Entity ID) field in the SAML configuration page.
In Zoom, for Service Provider (SP) Entity ID, the format is https://zoom.us/sp/{unique id}. After saving the SAML configuration, the id will be generated
In Zoom, for Binding, select HTTP-Post.
In Zoom, click Save Changes.
Download the Zoom SP metadata from https://[yourvanityurl].zoom.us/saml/metadata/sp?samlAppId={unique id}. The unique ID is the ending part of the SP entity ID
Go back to the SAML configration page in Microsoft Entra
Click the edit icon for Basic SAML Configuration.
Fill out the following fields:
- For Identifier (Entity ID), copy it from the Zoom SP metadata
- For Reply URL, replace placeholder {unique id} with unique id in SP metadata
- For Sign on URL, enter https:// followed by your Vanity URL.
  Eg. https://[yourvanityurl].zoom.us
Click Save.
To view the claims being passed by Microsoft Entra, click the pencil icon in the Attributes & Claims section.
Note: You can make changes as needed by your organization.

How to assign Microsoft Entra users and groups to Zoom

Sign in to the Microsoft Entra admin center.
Browse to Identity > Applications > Enterprise applications.
Click the Zoom SAML application you created.
Click the Assign users and groups tile.
Click Add user/group.
Click Users and groups.
Search for the users or groups you want to add and click on them.
Selected users and groups will show up in the Selected items section.
At the bottom of the page, click the Select button when done adding users and groups.
Under Select Role, click None Selected.
Select the role type that you would like to designate for user licensing in Zoom.
Note: This role type selection only applies to the auto-provisioning process described below. Licensing assigned through SAML will need to be configured in Advanced SAML Mapping if you are not using Microsoft auto-provisioning.
- Basic: User is assigned a basic license.
- Corp: Legacy setting for On-Prem. Do not use.
- Licensed: User is assigned a meeting license.
- On-Prem: User is assigned an on-premise meeting license.
- Pro: Legacy setting for Licensed. Do not use.
Click Select.
Click Assign.

How to set up Group Mapping (Optional)

Microsoft Entra is not configured to send groups to Zoom via SAML by default. Follow these steps if you want to configure groups to be sent to Zoom via SAML for Advanced SAML Mapping configuration.

Sign in to the Microsoft Entra admin center.
Browse to Identity > Applications > Enterprise applications.
Click the Zoom SAML application you created.
Click Single sign-on or the Set up single sign on tile.
In the Attributes & Claims section, click Edit.
Click Add a group claim.
In the Group Claims panel, do the following:
- Select the group types or roles you want to be passed via SAML.
- Source Attribute: Select the source attribute.
  Note: Microsoft Entra will pass the Object ID for the group by default.
- (Optional) Advanced Options: Configure filters and customize group claims.
Click Save.
Sign in to your Single Sign-On Configuration and refer to Advanced SAML Mapping for details on Advanced SAML Mapping in Zoom.
To use the SAML Attribute for Groups, enter the following information:
- SAML Attribute: Enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.
- SAML Value: Paste the Object ID for the group that is being passed by Microsoft Entra.
- ResultingValue: Select the expected result value for group members.

(Optional) Mapping Basic Information

Sign in to your Single Sign-On Configuration page in the Zoom web portal.
Click SAML Response Mapping.
The first section of this page covers Basic SAML Information Mapping. Add the Source Attribute listed below for the corresponding value.

Name	Source Attribute
Email Address	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Phone Number	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/phone
Department	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department

(Optional) How to set up Auto Provisioning (SCIM) in Microsoft Entra ID

Auto-provisioning allows the management of users within Zoom from Microsoft Entra utilizing SCIM. SCIM is a subset of the Zoom APIs specific to user management.

If a user is added to Microsoft Entra and/or assigned the Zoom app, they will be provisioned in Zoom automatically. If the user is unassigned or deactivated in Microsoft Entra, they will be deactivated in Zoom as well.

Notes:

An associated domain matching the user's email domain must be configured on the account in order for SCIM to create users.
Users who already possess accounts in Zoom external to the organization, must be invited separately. SCIM functionality cannot modify these existing user accounts.

Click the following link to enable OAuth support in Microsoft Entra and sign in if you are not already signed in.
Note: OAuth will not be available if you do not use the above link.
Browse to Identity > Applications > Enterprise applications.
Click the Zoom application you created.
Under Manage, click Provisioning.
Click Get Started.
Under Provisioning Mode select Automatic.
In the Provisioning page, expand Admin Credentials, and do the following:
- Authentication Method: Select OAuth2 Authorization Code Grant.
- Tenant URL: Enter https://api.zoom.us/scim
- Click Authorize
Sign in to the Zoom Web portal if you are not already signed in.
Click Test Connection, to confirm that Microsoft Entra is able to connect to Zoom via API.
Note: It may take a few minutes for Microsoft Entra to save the settings on the back end. Until the settings are appropriately set on the back end, the test connection may return a test failure. Please wait a few minutes and attempt Test Connection again.
Click Save.
Note: for additional SCIM configuration options and guidance, submit a request to Zoom Support.