Configuring Zoom with Azure
You can connect Zoom with Azure to use your company's Azure credentials to log in to your Zoom account via Single Sign-On (SSO). You can assign users Zoom licenses based on their group in Azure.
Note: As of September 8, 2023, customers are no longer able to create new JWT apps. Authentication for tokens created using the JWT app type will stop functioning on this day, so to prevent disruption we recommend migrating to OAuth authentication as soon as possible.
Prerequisites for configuring Zoom with Azure
- Zoom owner or admin privileges
- Business or Education account with approved Vanity URL
- An Azure AD subscription
- Azure admin privileges
Note: Without an approved associated domain, users will need to confirm to be provisioned on the account through an email automatically sent to them. Provisioning will take place without email confirmation for any users falling under an approved domain.
How to add Zoom from the Azure Gallery
Note: Screenshots in this article were taken using the default Azure theme. Your Azure portal will look slightly different if you changed the theme.
- Sign in to the Azure portal.
- Click the Azure Active Directory icon.
Note: If it is not showing, you may find it under More Services.
- Click Enterprise Applications.
- Click All Applications.
- At the top of the window, click New Application.
- In the Add from Gallery window, search for Zoom.
- In the Telecommunications category, click Zoom.
- On the right side, click the Add button.
How to configure Single Sign-On with Azure
- Sign in to the Azure portal.
- Click Azure Active Directory.
- Click on Enterprise applications, then New Application.
- Search for the Zoom application and click on the Zoom tile.
- (Optional) On the left of the page under Name, you can rename the application as you wish.
Note: We highly recommend renaming the app to avoid confusion with other Zoom applications.
- Click Create.
The overview page will appear once complete.
- Click Set up single sign-on.
- Under Select a single sign-on method, select SAML.
- Click the edit icon for Basic SAML Configuration.
- Fill out the following fields:
- Click Save.
- To view the claims being passed by Azure, click the pencil icon in the Attributes & Claims section.
Note: You can make changes as needed by your organization.
- Under SAML Signing Certificate, click Download next to Certificate (Base 64) and save it to your computer.
- Scroll to Set up Zoom and expand the Configuration URLs section.
- Open a new browser tab/window and sign in to the Zoom web portal.
- In Zoom, in the navigation menu, under Admin, click Advanced, then click Single Sign-On.
- In Azure, navigate under the Configuration URLs section, then do the following from Azure to Zoom:
- Copy the Login URL and paste it into the Sign-in page URL field in the SAML configuration page.
- (Optional) Copy the Logout URL and paste it into the Sign-out Page URL in the SAML Configuration page.
- Open the certificate you downloaded in a text editor. Copy the portion between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into the Identity provider certificate field in the SAML configuration page.
- Copy the Azure AD Identifier and paste it into the Issuer (IDP Entity ID) field in the SAML configuration page.
- In Zoom, for Service Provider (SP) Entity ID, select the version of your vanity URL without https, e.g., yourvanityurl.zoom.us
- In Zoom, for Binding, select HTTP-Post.
- In Zoom, click Save Changes.
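The certificate step above can be checked before pasting. The following is an added example, not part of the original article or Zoom's tooling: it extracts the text between the BEGIN and END markers of the downloaded Base 64 certificate, rejects files that contain stray characters or more than one certificate, and computes thumbprints to compare against the Thumbprint value Azure shows for the signing certificate (assumed here to be the SHA-1 of the DER bytes). The sample input is constructed placeholder data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes, not a real certificate: just enough DER
# framing (a SEQUENCE tag and length) to exercise the checks offline.
SAMPLE_DER = bytes([0x30, 0x10]) + bytes(range(16))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n")
              + "-----END CERTIFICATE-----\r\n")


def certificate_body(pem_text):
    """Return the base64 text between the markers with all whitespace removed."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())          # drops CR/LF and indentation
    der = base64.b64decode(body, validate=True)  # raises on stray characters
    if not der or der[0] != 0x30:              # DER certificates open with SEQUENCE
        raise ValueError("decoded data does not look like a DER certificate")
    return body


def thumbprints(body):
    """Hash the DER bytes; compare the result with the value shown by the IdP."""
    der = base64.b64decode(body, validate=True)
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


if __name__ == "__main__":
    # Replace SAMPLE_PEM with the contents of the downloaded .cer file.
    body = certificate_body(SAMPLE_PEM)
    print("Paste into the Identity provider certificate field:")
    print(body)
    for name, value in thumbprints(body).items():
        print(f"{name}: {value}")
```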
How to assign Azure users and groups to Zoom
- In the Azure portal, click Azure Active Directory.
- Click Enterprise Applications.
- Click the Zoom SAML application you created.
- Click the Assign users and groups tile.
- Click Add user/group.
- Click Users and groups.
- Search for the users or groups you want to add and click on them.
Selected users and groups will show up in the Selected items section.
- At the bottom of the page, click the Select button when done adding users and groups.
- Under Select Role, click None Selected.
- Select the role type that you would like to designate for user licensing in Zoom.
Note: This role type selection only applies to the auto-provisioning process described below. Licensing assigned through SAML will need to be configured in Advanced SAML Mapping if you are not using Azure auto-provisioning.
- Basic: User is assigned a basic license.
- Corp: Legacy setting for On-Prem. Do not use.
- Licensed: User is assigned a meeting license.
- On-Prem: User is assigned an on-premise meeting license.
- Pro: Legacy setting for Licensed. Do not use.
- Click Select.
- Click Assign.
How to set up Group Mapping (Optional)
Azure is not configured to send groups to Zoom via SAML by default. Follow these steps if you want to configure groups to be sent to Zoom via SAML for Advanced SAML Mapping configuration.
- In the Azure portal, click Azure Active Directory.
- Click Enterprise Applications.
- Click the previously created Zoom app.
- Click Single sign-on or the Set up single sign on tile.
- In the Attributes & Claims section, click Edit.
- Click Add a group claim.
- In the Group Claims panel, do the following:
- Select the group types or roles you want to be passed via SAML.
- Source Attribute: Select the source attribute.
Note: Azure will pass the Object ID for the group by default.
- (Optional) Advanced Options: Configure filters and customize group claims.
- Click Save.
- Log in to your Single Sign-On Configuration and refer to Advanced SAML Mapping for details on Advanced SAML Mapping in Zoom.
- To use the SAML Attribute for Groups, enter the following information:
- SAML Attribute: Enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.
- SAML Value: Paste the Object ID for the group that is being passed by Azure.
- Resulting Value: Select the expected result value for group members.
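To check a group mapping before relying on it, the rows entered in Advanced SAML Mapping can be compared with the group claim in a captured assertion. The following is an added example, not part of the original article or Zoom's tooling: it assumes the default source attribute (Object ID), and the assertion fragment, Object IDs and mapping rows are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed assertion fragment; the Object IDs are made-up placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:AttributeStatement>
  <saml:Attribute Name="{GROUPS_CLAIM}">
   <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
   <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping rows: (SAML Attribute, SAML Value, Resulting Value).
SAMPLE_MAPPING = [
    (GROUPS_CLAIM, "00000000-0000-0000-0000-000000000002", "Licensed"),
    (GROUPS_CLAIM, "00000000-0000-0000-0000-000000000009", "Basic"),
    (GROUPS_CLAIM, "Zoom-Licensed-Users", "Licensed"),
]


def claim_values(assertion_xml, claim_name):
    """Collect every AttributeValue sent for one claim name."""
    root = ET.fromstring(assertion_xml)
    return [(v.text or "").strip()
            for a in root.iterfind(".//saml:Attribute", NS)
            if a.get("Name") == claim_name
            for v in a.iterfind("saml:AttributeValue", NS)]


def check_mapping(assertion_xml, mapping):
    """Classify each row as 'match', 'no-match' or 'not-an-object-id'."""
    report = []
    for claim, value, result in mapping:
        if value in claim_values(assertion_xml, claim):
            status = "match"
        elif not GUID_RE.match(value):
            status = "not-an-object-id"  # e.g. a display name typed by mistake
        else:
            status = "no-match"
        report.append((value, result, status))
    return report


if __name__ == "__main__":
    # Inspection only: this does not verify the assertion's signature.
    for row in check_mapping(SAMPLE_ASSERTION, SAMPLE_MAPPING):
        print(row)
```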
(Optional) Mapping Basic Information
- Log in to your Single Sign-On Configuration page in the Zoom web portal.
- Click SAML Response Mapping.
- The first section of this page covers Basic SAML Information Mapping. Add the Source Attribute listed below for the corresponding value.
(Optional) How to set up Auto Provisioning (SCIM) in Azure AD
Auto-provisioning allows the management of users within Zoom from Azure utilizing SCIM. SCIM is a subset of the Zoom APIs specific to user management.
If a user is added to Azure and/or assigned the Zoom app, they will be provisioned in Zoom automatically. If the user is unassigned or deactivated in Azure, they will be deactivated in Zoom as well.
Notes:
- An associated domain matching the user's email domain must be configured on the account in order for SCIM to create users.
- Users who already possess accounts in Zoom external to the organization must be invited separately. SCIM functionality cannot modify these existing user accounts.
- Click the following link to enable OAuth support in Azure and sign in if you are not already signed in.
Note: OAuth will not be available if you do not use the above link.
- Click the Azure Active Directory icon. If it is not showing, you may find it under More Services in the left panel.
- Click Enterprise Applications.
- Click the Zoom application you created.
- Under Manage, click Provisioning.
- Click Get Started.
- Under Provisioning Mode, select Automatic.
- In the Provisioning page, expand Admin Credentials, and do the following:
- Sign in to the Zoom Web portal if you are not already signed in.
- Click Test Connection to confirm that Azure is able to connect to Zoom via API.
Note: It may take a few minutes for Azure to save the settings on the back end. Until the settings are appropriately set on the back end, the test connection may return a test failure. Please wait a few minutes and attempt Test Connection again.
- Click Save.
Note: For additional SCIM configuration options and guidance, submit a request to Zoom Support.