Configure Active Directory Integration (ADI)

The JumpCloud Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between JumpCloud and on-premise or off-premise AD. As covered in Get Started: Active Directory Integration, the ADI uses two agents: an Import Agent and a Sync Agent that can be installed in three (3) configurations. The configurations are determined by where you want to manage users, groups, and passwords.

  1. Manage users, groups, and passwords in AD.
  2. Manage users and passwords in either system, or both.
  3. Manage users, groups, and passwords in JumpCloud.

These configurations are flexible enough to support your specific use case, goals, and AD environment.

This article outlines the prerequisites and considerations across all configurations and an overview of each of the configurations, which includes a link to the article that provides the step-by-step guide for installing that specific configuration.

ADI Prerequisites

Before getting started with the ADI, JumpCloud recommends going through this list and ensuring all items have been marked complete before continuing.

  • AD Domain Admin credentials.
  • Access to all Domain Controllers (DCs) or member servers in your AD domain.
  • DCs or member servers have networking access to the internet and are able to communicate outbound (only) to console.jumpcloud.com over HTTPS port 443. The JumpCloud AD Import and Sync Agent services use SSL/TLS for all communication. If no network connectivity exists to JumpCloud, the ADI will fail to connect and not work properly.
  • JumpCloud Organization for your company.
  • A dedicated Administrator account in JumpCloud that is solely used for the ADI.
  • We STRONGLY recommend installing and using LDAPS for the ADI.

Important:
  • We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the JumpCloud ADI agents will connect to secures any sensitive information that is exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users.
  • API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.

System Requirements

  • 64-bit Windows Server (versions 2012, 2016, 2019, 2022)
    • Server Core installation is also supported for Windows Server versions 2016, 2019, and 2022.
  • 15MB disk space
  • 10MB RAM
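The prerequisites and system requirements above can be verified before the agents are installed. The PowerShell below is an added example, not JumpCloud's own tooling: run it on the DC or member server that will host the agents. The target host console.jumpcloud.com, port 443, the LDAPS recommendation and the 15 MB disk figure come from this article; the domain controller name in $DomainController is a placeholder you must replace. It goes one step beyond a port check and completes a TLS handshake to both endpoints, so a proxy that answers on 443 but breaks TLS, or a DC whose LDAPS certificate is untrusted or expired, is reported rather than silently passed.

```powershell
# Added example (not JumpCloud's tooling): ADI pre-flight checks.
param(
    [string]$DomainController = 'dc01.example.internal'   # placeholder, replace with the DC the agents will use
)

$results = [ordered]@{}

# 1. 64-bit Windows Server (article: 2012, 2016, 2019, 2022). ProductType: 1 = workstation, 2 = DC, 3 = member server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OS']                   = $os.Caption
$results['64-bit Windows Server'] = ($os.OSArchitecture -like '64*') -and ($os.ProductType -ne 1)
$results['Role'] = switch ($os.ProductType) { 2 { 'Domain Controller' } 3 { 'Member Server' } default { 'Workstation (unsupported)' } }

# 2. Outbound (egress only) HTTPS to console.jumpcloud.com on 443.
$tnc = Test-NetConnection -ComputerName 'console.jumpcloud.com' -Port 443 -WarningAction SilentlyContinue
$results['TCP 443 to console.jumpcloud.com'] = $tnc.TcpTestSucceeded

# 3. A real TLS handshake, not just an open port (catches TLS-intercepting proxies and blocked CRL/chain validation).
try {
    $tcp = [System.Net.Sockets.TcpClient]::new('console.jumpcloud.com', 443)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient('console.jumpcloud.com')
    $results['TLS to console.jumpcloud.com'] = $ssl.IsAuthenticated
    $results['TLS protocol']                 = $ssl.SslProtocol.ToString()
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    $results['TLS to console.jumpcloud.com'] = "failed: $($_.Exception.Message)"
}

# 4. LDAPS (636) on the DC the agents will bind to, including certificate trust, name match and expiry.
$ldaps = Test-NetConnection -ComputerName $DomainController -Port 636 -WarningAction SilentlyContinue
$results['TCP 636 (LDAPS) on DC'] = $ldaps.TcpTestSucceeded
if ($ldaps.TcpTestSucceeded) {
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($DomainController, 636)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($DomainController)   # throws if the DC certificate is untrusted or does not match the name
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $results['LDAPS handshake']    = $true
        $results['LDAPS cert subject'] = $cert.Subject
        $results['LDAPS cert issuer']  = $cert.Issuer
        $results['LDAPS cert expires'] = $cert.NotAfter
        $results['LDAPS cert expired'] = ($cert.NotAfter -lt (Get-Date))
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        $results['LDAPS handshake'] = "failed: $($_.Exception.Message)"
    }
}

# 5. Disk space on the volume holding the default install path C:\Program Files\JumpCloud\AD Integration\ (article: 15 MB).
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
$results['Free MB on C:'] = [math]::Round($disk.FreeSpace / 1MB)
$results['At least 15 MB free'] = (($disk.FreeSpace / 1MB) -ge 15)

[pscustomobject]$results | Format-List
```

Run it as a local administrator; every line in the output should read True (or show a valid, unexpired LDAPS certificate) before you proceed with the agent installers. A failed LDAPS handshake with a trusted-chain error usually means the DC's certificate was issued by a CA the agent host does not trust, which is exactly the condition that would push a plain-LDAP fallback onto the wire.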

General Considerations

  • These considerations apply to all or most of the use case scenarios and configurations.
  • The user attributes that sync are:
    • First Name
    • Last Name
    • Username
    • Email
  • Non-standard ASCII characters are not supported in the Root User DN. 
  • When updating an existing agent installation, only minimal installation screens are shown:
    • The directory where the installation should occur
    • The Finish screen
  • Demoting a DC installation to a member server and promoting a member server installation to a DC aren’t supported. The agent(s) must be uninstalled first and then installed on the other type of server.
  • The passwords for the server accounts used by the integration (e.g., jcimport and jcsync) should be rotated periodically for security reasons.
  • As of ADI sync agent version 4.x and import agent 2.x, the following changes were made:
    • The default location for all agent related installation, configuration, and log files is C:\Program Files\JumpCloud\AD Integration\.
    • All references to AD Bridge changed to AD Import.
    • The ADI sync agent can be installed independently of the ADI import agent.
    • The jcimport username & password and the API key are stored in the registry instead of the ADI Import Agent configuration file. Both the password and API key are encrypted and the values in the registry are replaced with the encrypted value when the import agent starts.
    • The ADI sync agent connect key is encrypted and the value in the registry is replaced with the encrypted value when the agent starts.
  • The JumpCloud ADI import and sync agent services use TLS for all communication. If no network connectivity exists to JumpCloud, the ADI won’t work properly. 

ADI Configurations

JumpCloud’s ADI can be configured in three (3) primary ways to support a variety of use cases. The table below provides an overview of the three configurations and available use cases. The sections that follow describe the capabilities, example use cases, benefits, workflow, and considerations for each configuration and include a link to the step-by-step guide. 

ADI Configuration | Use case | User and Group Authority | Password authority | Data sync direction | Server type(s) on which agent(s) can be installed | Install Import Agent | Install Sync Agent
Manage users, groups and passwords in AD | Extend AD | AD | AD | One-way, AD to JumpCloud | Domain Controllers | Yes | No
Manage users and passwords in either system, or both | Extend AD | AD, JumpCloud, or both | AD, JumpCloud, or both | Bidirectional | Domain Controllers, Member Servers | Yes | Yes
Manage users and passwords in either system, or both | Minimize AD footprint | AD, JumpCloud, or both | AD, JumpCloud, or both | Bidirectional | Domain Controllers | Yes | Yes
Manage users and passwords in either system, or both | Migrate away from AD | AD, JumpCloud, or both | AD, JumpCloud, or both | Bidirectional | Domain Controllers, Member Servers (Sync agent only) | No | Yes
Manage users, groups, and passwords in JumpCloud | Minimize AD footprint | JumpCloud | JumpCloud | One-way, JumpCloud to AD | Domain Controllers, Member Servers | No | Yes
Manage users, groups, and passwords in JumpCloud | Migrate away from AD | JumpCloud | JumpCloud | One-way, JumpCloud to AD | Domain Controllers, Member Servers | No | Yes

Manage users, groups, and passwords in AD

This configuration supports organizations looking to extend AD to the cloud for additional functionality with minimal changes to their existing AD environment.

Important Considerations

  • The import agent must be installed on all Domain Controllers.
  • Downtime will need to be scheduled because the installation requires a server reboot.
  • Changing passwords in JumpCloud is not possible with this use case.
  • API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.
  • Password complexity requirements in AD and JumpCloud should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements.
  • Groups sync automatically from JumpCloud to AD when one or more sync agents are installed. This sync cannot be disabled.
  • Importing privileged user accounts, such as Domain Admins, into JumpCloud from AD isn’t supported.
  • We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the JumpCloud ADI agents will connect to secures any sensitive information that is exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users.

Configuration

  • Use ADI import agent only.
  • Install import agent on all domain controllers (DCs).
  • Add users and security groups under the ADI security group in AD.
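Two of the considerations above lend themselves to a recurring check: the ADI security group must not contain privileged accounts such as Domain Admins (importing them is unsupported), and the jcimport and jcsync service account passwords should be rotated periodically (General Considerations). The PowerShell below is an added example, not JumpCloud's own tooling, and assumes the ActiveDirectory RSAT module on a domain-joined host. The ADI group name in $AdiGroup and the 90-day threshold in $MaxPasswordAge are placeholders; the service account names come from this article. Privileged membership is detected by adminCount=1 (set by AdminSDHolder on protected accounts) and by direct membership in the well-known admin groups, identified by SID rather than by localizable name.

```powershell
# Added example (not JumpCloud's tooling): hygiene checks for an ADI deployment.
Import-Module ActiveDirectory

$AdiGroup        = 'JumpCloud-ADI'            # placeholder: the ADI security group referenced in the article
$ServiceAccounts = @('jcimport', 'jcsync')    # service account names used in the article
$MaxPasswordAge  = [TimeSpan]::FromDays(90)   # assumed rotation interval

# --- a) Privileged accounts nested (recursively) under the ADI group ---
# Well-known RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins; S-1-5-32-544 BUILTIN\Administrators.
$domainSid = (Get-ADDomain).DomainSID.Value
$privSids  = @("$domainSid-512", "$domainSid-518", "$domainSid-519", 'S-1-5-32-544')

$flagged = Get-ADGroupMember -Identity $AdiGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties adminCount, memberOf } |
    Where-Object {
        if ($_.adminCount -eq 1) { return $true }          # protected by AdminSDHolder
        foreach ($dn in $_.memberOf) {                     # direct membership in an admin group
            if ($privSids -contains (Get-ADGroup -Identity $dn).SID.Value) { return $true }
        }
        $false
    }

# --- b) Age of the ADI service account passwords ---
$serviceAccountStatus = foreach ($name in $ServiceAccounts) {
    $u = Get-ADUser -Filter "sAMAccountName -eq '$name'" -Properties PasswordLastSet, PasswordNeverExpires, Enabled
    if (-not $u) { Write-Warning "Service account '$name' not found in this domain"; continue }
    # PasswordLastSet is null when the account is flagged "must change password at next logon".
    $age = if ($u.PasswordLastSet) { (Get-Date) - $u.PasswordLastSet } else { [TimeSpan]::MaxValue }
    [pscustomobject]@{
        Account              = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordLastSet      = $u.PasswordLastSet
        AgeDays              = if ($u.PasswordLastSet) { [int]$age.TotalDays } else { $null }
        PasswordNeverExpires = $u.PasswordNeverExpires
        NeedsRotation        = ($age -gt $MaxPasswordAge)
    }
}

"== Privileged accounts under '$AdiGroup' (unsupported for import into JumpCloud) =="
if ($flagged) { $flagged | Select-Object SamAccountName, DistinguishedName, adminCount | Format-Table -AutoSize }
else          { 'none' }

"== ADI service account password age (threshold $($MaxPasswordAge.Days) days) =="
$serviceAccountStatus | Format-Table -AutoSize
```

Any account listed under the first heading should be moved out of the ADI group before the import agent runs, and a NeedsRotation of True is the cue to rotate that service account's password and re-enter it in the agent configuration, since the integration stores the jcimport credential itself. Scheduling this as a task that writes to a log or a monitoring endpoint turns two one-off considerations into something that is actually enforced.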

Use Cases

  • Keep AD as the Primary Identity Provider (the source of truth) for user data, passwords, and security groups and provide access to Cloud resources.
  • Manage users’ passwords in AD only.
  • Extend user access to the Cloud for one or more of the following:
    • Access to SaaS applications using the industry standard protocols SAML 2.0 and OIDC for SSO, and SCIM for provisioning, syncing, and deprovisioning.
    • Access to Cloud RADIUS for Wi-Fi and VPN.
    • LDAP-based user auth for NAS drive mappings, networking gear, or logins to things such as Kubernetes clusters.
    • User provisioning, syncing, deprovisioning, and access control to other Cloud Directories such as M365/Entra ID and Google Workspace in real time.
  • Add support for a mixed OS device fleet

Workflow Details

Data syncs one-way from AD to JumpCloud
Passwords managed solely in AD.
Users created, updated, and deactivated solely in AD.
Security groups created and managed solely in AD
Groups membership managed solely in AD.

Benefits

  • Future Flexibility & Agility
    • Once a user identity is in the Cloud, it can be extended more easily.
    • Option to take advantage of all capabilities available in JumpCloud’s Open Directory Platform with minimal effort, no need to find another point solution.
  • Automated Offboarding
    • Deactivating a user in AD will automatically suspend that user in JumpCloud within 60 seconds, resulting in a forced logoff on the user’s computer and the removal of access to the JumpCloud managed resources assigned to them, such as SSO, RADIUS, LDAP, Password Manager, etc.
  • Easy deployment of non-Windows devices to users.
    • Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.

AD Import only – single domain workflow

AD Import only – multiple domain workflow

Manage users and passwords in either system, or both

This configuration provides the greatest flexibility. Users, passwords, and groups can be managed in AD, JumpCloud, or both.

Important Considerations

  • API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.
  • If passwords are being managed in AD, an import agent must be installed on all Domain Controllers and downtime will need to be scheduled, because the installation requires a server reboot.
  • If passwords are being managed in JumpCloud, the import agent can be installed on a member server(s).
  • Password complexity requirements in AD and JumpCloud should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements.
  • Importing privileged user accounts, such as Domain Admins, into JumpCloud from AD or managing them in AD from JumpCloud isn’t supported.
  • The AD sync agent does not need to be installed on all servers.
  • Connect Keys are one-time use keys required for installing the sync agent on a new AD server.
  • We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the JumpCloud ADI agents will connect to secures any sensitive information that is exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users.

Configuration

  • Use both the ADI import agent and ADI sync agent.
  • Install agents on either domain controllers (DCs) or member servers.
  • Add users and security groups under the ADI security group in AD to sync from AD to JumpCloud.
  • Assign users and user groups to the AD instance in JumpCloud to sync from JumpCloud to AD.

Important:

To sync passwords from AD to JumpCloud the import agent must be installed on all DCs.

Use Cases

  • Allow users to change passwords in JumpCloud, from a JumpCloud managed device, and within AD.
  • Enable JumpCloud and AD to share responsibility over the user identities.
  • Add support for a mixed OS fleet and non-AD bound devices
  • Extend user access to the Cloud for one or more of the following:
    • Access to SaaS applications using the industry standard protocols SAML 2.0 and OIDC for SSO, and SCIM for provisioning, syncing, and deprovisioning.
    • Access to Cloud RADIUS for Wi-Fi and VPN.
    • LDAP-based user auth for NAS drive mappings, networking gear, or logins to things such as Kubernetes clusters.
    • User provisioning, syncing, deprovisioning, and access control to other Cloud Directories such as M365/Entra ID and Google Workspace in real time.
  • Add support for a mixed OS fleet.
  • Maintain an AD footprint but only for mission critical Windows servers, such as:
    • Business critical applications that must stay on-prem.
    • File and printer servers that cannot go away.
    • Domain Controllers, but likely fewer DCs in fewer locations.
  • Manage profiles in one system and passwords in the other
    • Manage passwords in JumpCloud to control credentials for Cloud resources and manage user profiles in AD to propagate the same information across all Microsoft solutions.
    • Manage passwords in AD for compliance purposes and manage profiles in JumpCloud to propagate to SaaS apps and other Cloud resources.
  • Import users from Cloud solutions that are not compatible with AD, such as an HRIS system
    • Import users into JumpCloud and then sync those users from JumpCloud into AD.
  • Migrate away from AD completely.

Workflow Details

Data syncs bidirectionally between JumpCloud and AD
Passwords managed in either system or both
Users created, updated, and deactivated in either system or both
User (security) groups created and managed in either system or both
Group membership managed in either system or both

Benefits

  • Future Flexibility & Agility
    • Once a user identity is in the Cloud, it can be extended more easily.
    • Option to take advantage of all capabilities available in JumpCloud’s Open Directory Platform with minimal effort, no need to find another point solution.
  • Automated Offboarding
    • Deactivating a user in AD will automatically suspend that user in JumpCloud within 60 seconds, resulting in a forced logoff on the user’s computer and the removal of access to the JumpCloud managed resources assigned to them, such as SSO, RADIUS, LDAP, Password Manager, etc.
  • Easy deployment of non-Windows devices to users.
    • Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.
  • Simplified end-user computer management
    • Remove the need for AD Domain Controller connectivity for all end-user computers.
  • Users managed in the Cloud
    • You can create, suspend, and manage users, passwords, and security group membership from JumpCloud. This saves you the time otherwise spent RDP’d into the DCs and working in the Active Directory Users and Computers (ADUC) interface.

Two-way Sync – Single Domain Workflow

Two-way Sync – Multiple Domain Workflow

Manage users, groups, and passwords in JumpCloud

This configuration supports organizations looking to minimize their AD footprint or migrate away from AD completely.

Important Considerations

  • The AD sync agent does not need to be installed on all servers.
  • Password complexity requirements in AD and JumpCloud should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements.
  • Managing privileged user accounts, such as Domain Admins, in AD from JumpCloud isn’t supported.
  • Connect Keys are one-time use keys required for installing the sync agent on a new AD server.
  • Groups sync automatically from JumpCloud to AD when one or more sync agents are installed. This sync cannot be disabled.
  • We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the JumpCloud ADI agents will connect to secures any sensitive information that is exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users.

Configuration

  • Use ADI sync agent only.
  • Install agents on either domain controllers (DCs) or member servers.
  • Assign users and user groups to the AD instance in JumpCloud.

Use Cases

  • Use JumpCloud as the Primary Identity Provider (the source of truth) for user identities and groups and provide access to Cloud resources.
  • You want users to change passwords only from the JumpCloud User Portal or JumpCloud managed devices.
  • Extend user access to the Cloud for one or more of the following:
    • Access to SaaS applications using the industry standard protocols SAML 2.0 and OIDC for SSO, and SCIM for provisioning, syncing, and deprovisioning.
    • Access to Cloud RADIUS for Wi-Fi and VPN.
    • LDAP-based user auth for NAS drive mappings, networking gear, or logins to things such as Kubernetes clusters.
    • User provisioning, syncing, deprovisioning, and access control to other Cloud Directories such as M365/Entra ID and Google Workspace in real time.
  • Add support for a mixed OS fleet.
  • Maintain an AD footprint but only for mission critical Windows servers, such as:
    • Business critical applications that must stay on-prem.
    • File and printer servers that cannot go away.
    • Domain Controllers, but likely fewer DCs in fewer locations.
  • Import users from Cloud solutions that are not compatible with AD, such as an HRIS system:
    • Import users into JumpCloud and then sync those users from JumpCloud into AD.
  • You want to reduce the role of AD in your environment OR you are in the final phase of your migration away from AD.

Workflow Details

Data syncs one-way from JumpCloud to AD
Passwords managed solely in JumpCloud
Users created, updated, and deactivated solely in JumpCloud
User (security) groups created and managed solely in JumpCloud
Group membership managed solely in JumpCloud

Benefits

  • Future Flexibility & Agility
    • Once a user identity is in the Cloud, it can be extended more easily.
    • Option to take advantage of all capabilities available in JumpCloud’s Open Directory Platform with minimal effort, no need to find another point solution.
  • Automated Offboarding
    • Deactivating a user in AD will automatically suspend that user in JumpCloud within 60 seconds, resulting in a forced logoff on the user’s computer and the removal of access to the JumpCloud managed resources assigned to them, such as SSO, RADIUS, LDAP, Password Manager, etc.
  • Easy deployment of non-Windows devices to users.
    • Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.
  • Simplified end-user computer management
    • Remove the need for AD Domain Controller connectivity for all end-user computers. 
  • Users managed in the Cloud
    • You can create, suspend, and manage users, passwords, and security group membership from JumpCloud. This saves you the time otherwise spent RDP’d into the DCs and working in the Active Directory Users and Computers (ADUC) interface.
  • Migration path

JumpCloud Sync Only – Single Domain Workflow

JumpCloud Sync Only – Multiple Domain Workflow

Migrate Windows Devices from AD-member to JumpCloud-managed

If your company is looking to migrate off of your AD domain to JumpCloud, we recommend leveraging our Active Directory Migration Utility (ADMU) to migrate Windows devices from AD-bound to JumpCloud-managed.

Important Considerations

  • Utilizing the ADMU does not require the Active Directory Integration.
    • If you’re looking to migrate user identities off of AD and into JumpCloud, and your company is going to migrate off of AD in phases, we recommend implementing both JumpCloud’s ADI and the ADMU.
  • You can run ADMU locally on the device or remotely using JumpCloud Commands.

Configuration

See GitHub Wiki Page: JumpCloud ADMU for step-by-step instructions.

Use Cases

  • You want to convert AD-member Windows devices to JumpCloud-managed.
  • You are ultimately looking to migrate entirely off of AD.
  • You want JumpCloud to become the Primary IdP for all user identities.

Workflow Details

  1. User Identities can be imported in any of the following methods: Microsoft365, Google Workspace, JumpCloud ADI, CSV Import, or Manually created.
  2. The ADMU tool is run on the AD-member Windows device, which converts it from an AD-member device to a local WORKGROUP device and converts the AD user account to a local user account.
  3. The ADMU tool can automatically bind a JumpCloud user to the converted user mentioned in the previous step.

Benefits

  • Automation of device migration.

Ready to Configure?

Check out the step-by-step configuration guide that aligns with your use case:

Want additional assistance from JumpCloud? 

If you’re having issues with getting JumpCloud’s ADI working, try Troubleshoot: ADI.

JumpCloud now offers myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you’re looking for assistance with Migrating from AD, or to integrate AD with JumpCloud, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.
