Active Directory Integration (ADI) Release Notes 2025

Interested in previous years' release notes? See ADI Release Notes 2023 and ADI Release Notes 2024. Alternatively, see JumpCloud's Feature Release Notes.

2025-08-12 ADI Release Notes

This release includes a fix for the ADI Service to ensure the import agent’s status is always accurately reflected in the Admin Portal after an upgrade. 

ADI Service

Bug Fixes

Corrected Agent Status After Upgrade: Fixed an issue where the Admin Portal would incorrectly show the AD Import Agent as "inactive" and list the old version number after it was upgraded. The service now properly detects agent upgrades, ensuring the status and version are always displayed correctly in the console.

2025-08-05 ADI Release Notes

This release includes a fix for the ADI Service to ensure the AD Import Agent always appears in your admin console.

ADI Service

Bug Fixes

Resolved Missing Import Agent in Recreated ADI Domains: Fixed an issue where the AD Import Agent would not appear in the JumpCloud admin portal if the ADI domain was recreated without first uninstalling the agent.

Tip:

Already have this issue?
If your import agent is currently running but is not visible in your console, you must manually reconnect it to JumpCloud by updating its connect key.

You have two options:

  1. Reinstall the Agent:
    • Get the new connect key from your active ADI instance in the JumpCloud admin portal by selecting Install New Agent and clicking Download Import Agent.
    • Uninstall and then reinstall the AD Import Agent on your server using the new key.
  2. Update the Registry:
    • Get the new connect key from your active ADI instance in the JumpCloud admin portal by selecting Install New Agent and clicking Download Import Agent.
    • Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\JumpCloud\AD Integration Sync Agent in the Registry Editor.
    • Update the connect_key value.
    • Restart the "JumpCloud AD Integration Sync Agent" service.

2025-08-04 ADI Release Notes

This release focuses on enhanced configuration options, improved group and user synchronization, and critical bug fixes. These changes give you more control, better reliability, and a smoother experience when managing identities between Active Directory (AD) and JumpCloud.

Admin Portal

Import Agent Download Window

  • Content simplified and aligned with the sync agent download content. Removed obsolete installation requirements:
    • Organization ID
    • API key

Sync Agent Download Window

  • Connect key is now provided in a new base64-encoded format

Warning:

Sync agents older than version 4.34.0 do not support the new, longer connect key during installation. Attempting to enter it will result in its truncation due to a 50-character limit. For these older versions, you must manually enter the connect key after installation by doing the following:

  1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\JumpCloud\AD Integration Sync Agent\connect_key in the Registry Editor.
  2. Paste the entire base64 Connect Key value.
  3. Restart the "JumpCloud AD Integration Sync Agent" service.
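
The registry procedure above (also used in the 2025-08-05 tip) as a PowerShell script. This is an added example, not JumpCloud tooling: the registry path, value name, service display name and 50-character limit come from these notes, while the variable names and the base64 alphabet check are assumptions made here.

```powershell
#Requires -RunAsAdministrator
# Added example, not JumpCloud tooling. Path, value name, service display name
# and the 50-character limit are taken from the release notes; the rest is illustrative.

$keyPath     = 'HKLM:\SOFTWARE\JumpCloud\AD Integration Sync Agent'
$valueName   = 'connect_key'
$serviceName = 'JumpCloud AD Integration Sync Agent'   # service display name
$legacyLimit = 50   # installer field limit in sync agents older than 4.34.0

# Prompt instead of taking a parameter so the key stays out of command history.
$connectKey = (Read-Host 'Paste the full base64 connect key').Trim()

# Assumption: the key uses the standard or URL-safe base64 alphabet.
if ($connectKey -notmatch '^[A-Za-z0-9+/_-]+={0,2}$') {
    throw 'Connect key contains non-base64 characters (stray whitespace or a line break?).'
}
if ($connectKey.Length -le $legacyLimit) {
    throw "Key is only $($connectKey.Length) characters; the new format exceeds $legacyLimit, so the copy looks incomplete."
}
if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $keyPath (is the agent installed?)"
}

# Detect the failure mode described above: the installer kept only the first 50 characters.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -and $current.Length -eq $legacyLimit -and $connectKey.StartsWith($current)) {
    Write-Warning "Stored key is the first $legacyLimit characters of the supplied key (truncated at install)."
}

Set-ItemProperty -Path $keyPath -Name $valueName -Value $connectKey

# Read back and compare case-sensitively before restarting the service.
$stored = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($stored -cne $connectKey) {
    throw 'Read-back mismatch: the stored value differs from the supplied key.'
}

Restart-Service -DisplayName $serviceName
Get-Service -DisplayName $serviceName | Select-Object DisplayName, Status
Write-Output "connect_key updated ($($stored.Length) characters); value not echoed."
```

The script reports only the key length, so the connect key does not end up in transcripts or console logs.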

ADI Service

Bug Fixes

  • Resolved race conditions affecting user and group updates during two-way sync
  • Addressed an issue that caused excessive error accumulation in log files

Enhancements

  • Added support for sending user delete actions and additional user and group disassociation actions from JumpCloud to AD.

AD Import Agent v3.55.0

Installer UX Enhancements

  • Removed installation steps related to the organization ID and API key, which are no longer required.
  • Added a prompt for the integration deployment configuration which controls which other installer screens are shown, along with the content of those screens. The values are AD -> JumpCloud (One-way) or AD <-> JumpCloud (Two-Way).
  • Added new screens that allow you to set new and existing configuration values (specifically account lockout sync and sync additional attributes) during installation and upgrades, reducing the need for manual edits to the configuration files.

Import agent configuration enhancements

  • Removed the JCAPI JSON object from the jcadimportagent.config.json file
  • Account Lockout Status Sync: Added SyncAccountLockedOutStatus to control when the locked-out status (locked or unlocked) is synced from AD to JumpCloud.

User and Group syncing enhancements

  • Account Lockout Status Sync: Configurable enhancement allowing the detection and syncing of the locked-out status from AD to JumpCloud. This is configurable with the new SyncAccountLockedOutStatus setting.

General Enhancements

  • Updated Code Signing Authority: Agent is now digitally signed directly by 'JumpCloud Inc.', replacing the previous Digicert-issued certificate. If your organization uses security software with publisher-based rules (such as AppLocker), you may need to update your policies to trust the new signer.
  • More Complete User unbind Action: The unbind setting for both the UserDissociationAction and UserDisableAction settings has been enhanced. It now clears all “external*” fields from the user’s record and removes the user from any JumpCloud groups that connected them to the AD Integration (indirect associations).
  • Enhanced Logging: 
    • Improved logging for user dissociation actions and made error messages clearer, especially 'No Such Object' errors.
    • Added error logging when a new user creation fails due to a username conflict with an existing JumpCloud organization user.
  • General System Enhancements:
    • Minor improvements to security, platform architecture, and overall performance.

Bug Fixes

  • Improved New User Sync Reliability: Fixed an issue where the check to determine if a new Active Directory user already existed in JumpCloud could sometimes fail, leading to inconsistent user creation. The AD Import agent now more reliably creates new AD users in JumpCloud.
  • Resolved Sync for Password Expiration Status: In two-way sync deployments, we resolved a timing issue that could cause a user's password status to remain "expired" in JumpCloud even after they had successfully updated it in Active Directory.
  • Reduced Unnecessary Update Requests:
    • The agent will no longer send unnecessary update requests to JumpCloud for newly created AD users who are required to change their password on their next login and whose external_password_expiration_date is empty in JumpCloud.
    • Eliminated unnecessary user update requests that occurred when the UserExpireAction setting was changed to "maintain" in the agent's configuration file.
  • Reduced Log Noise: "Entry Already Exists" errors that could occur during two-way sync are now logged as informational messages rather than errors, making the logs cleaner and more actionable.
  • Improved Filtering for Inactive AD Users: Resolved an issue where user accounts in Active Directory that were both disabled and had an expired password could be incorrectly imported and created in JumpCloud. The import logic has been enhanced to correctly identify these inactive accounts, ensuring only active AD users are provisioned in JumpCloud.
  • Resolved DN Configuration Retention Issue: Resolved an issue in the installer where the Distinguished Name (DN) for the import security group could be unintentionally erased from the configuration file. This occurred specifically when selecting a two-way sync deployment and indicating that the sync agent was not yet installed.
  • Corrected Agent Certificate Verification: Fixed a certificate verification issue by ensuring the import agent is properly signed with JumpCloud's production key. This confirms the agent's authenticity and resolves potential installation or runtime errors related to certificate checks.
  • Improved performance and reliability at scale: Resolved a critical issue where the DC would crash when there was a high volume of update transactions.

AD Sync Agent v4.62.0

Sync agent installer enhancements

  • Connect key base64 encoded format:
    • Increased the connect key field size limit enabling the use of the new base64 encoded sync agent connect key format.
  • UX Enhancements:
    • Added a prompt for reviewing your existing configuration settings.
    • Added a prompt for the integration deployment configuration which controls which other installer screens are shown, along with the content of those screens. The values are:
      • AD -> JumpCloud (One-way)
      • AD <-> JumpCloud (Two-Way)
    • Added new screens that allow you to set new and existing configuration values (specifically deployment configuration type, sync group, user and group disconnection actions, account lockout sync) during installation and upgrades, reducing the need for manual edits to the configuration files.

Sync agent configuration enhancements

These settings are available in the config.json configuration file and through new screens in the AD Sync Agent installer.

  • Configurable AD Sync Group: Added sync_group for specifying a parent Active Directory Security Group (SG) under which all new AD groups created by the sync agent will automatically become nested members. The Distinguished Name (DN) of this parent SG must be provided during installation. 

Note:

This setting specifically organizes the nesting parent for new AD groups created by the sync agent. The actual user accounts and group objects will continue to be created under the "User Root DN" (e.g., an organizational unit) specified during the sync agent installation.

  • Advanced User Dissociation Management: Added user_disconnection_action setting to define what occurs in AD when users are deleted or completely disconnected from ADI in the JumpCloud admin portal. The values supported are 'Remove', 'Disable' (Default), or 'Retain'.
  • Advanced Security Group Membership Dissociation Management: Added membership_disconnection setting to control what happens to a user’s JumpCloud-managed AD security group membership when the user is disconnected from ADI in the JumpCloud admin portal. The values are 'Remove' (Default) or 'Retain'.
  • Advanced Group Dissociation Management: Added group_disconnection_action setting to control what happens when a group is disconnected from ADI in the JumpCloud admin portal. The values are 'Remove' or 'Retain' (Default).
  • Account Unlock Status Sync: Added SyncAccountLockedOutStatus to control when the unlock status is synced from JumpCloud to AD, while also preventing accidental unlocks during user updates. The values are 'true' or 'false' (Default).

Note:

AD does not allow the locked status to be set programmatically.

  • Advanced Security Group Syncing: Added group_membership_sync_type to control how users are synced to nested AD security groups. The values are:
    • Minimal (Inheritance): Users are added only to the most specific (leaf) AD group; parent group memberships are inherited within AD. This is the default in a 2-way sync deployment configuration.
    • Match (Mirroring): Users are added to all corresponding AD groups, precisely replicating their JumpCloud group memberships in AD. This is the default in a JumpCloud to AD one-way sync deployment configuration.

User and Group syncing enhancements

  • New Account Unlock Status Sync: Configurable enhancement allowing the unlock status to sync from JumpCloud to AD, while also preventing accidental unlocks during user updates. 
  • Enhanced Group Sync Management: 
    • Designated AD Sync Group: All JumpCloud-managed AD groups will be created and organized under the dedicated parent security group in AD, making it easier to identify which AD security groups are managed by JumpCloud in a one-way sync or co-managed with AD in a two-way sync, and giving you better control over your AD structure.
    • Resilient Sync for Relocated Groups: ADI-connected group memberships remain synced from JumpCloud to AD even if those groups are manually moved outside of the designated sync group in AD.
    • Targeted AD Group Management: JumpCloud will only manage group memberships in AD for those groups explicitly connected to your ADI instance in the JumpCloud admin portal. No changes will be made to other AD groups, providing improved safety and predictability.
    • Nested Group Sync Control: User memberships in nested AD security groups will sync according to the new group_membership_sync_type setting. Previously, users synced only to the deepest leaf group.

General Enhancements

  • Automatic Default Settings: Default values are used for the new configuration settings if they are not present in the config file, ensuring continuous operation.
  • Sync Root Group Deletion Guard: Active prevention of the deletion of the Active Directory security group specified as the sync_root_group_dn in your configuration, ensuring crucial integration stability.
  • Configuration Logging on Agent Start: To improve diagnostics and transparency, the ADI agent now logs the following:
    • Info logs in the gRPC log file when default values are automatically applied for any new settings not found in your config.json file.
    • Clear errors logged to the Windows Event Viewer if invalid values are provided for new sync agent configuration settings (e.g., "could not load agent configuration: invalid user_disconnection_action: disabled").
  • Updated Code Signing Authority: Agent is now digitally signed directly by 'JumpCloud Inc.', replacing the previous Digicert-issued certificate. If your organization uses security software with publisher-based rules (such as AppLocker), you may need to update your policies to trust the new signer.
  • General System Enhancements: Minor improvements to security, platform architecture, and overall performance.
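
A pre-upgrade check for the "Updated Code Signing Authority" change noted for both the import agent and the sync agent: it confirms the binary's Authenticode signer and asks the effective AppLocker policy whether the file would be allowed. This is an added example, not JumpCloud tooling; the file path is a placeholder you supply, and the parameter names are chosen here.

```powershell
# Added example, not JumpCloud tooling. Run in Windows PowerShell on a host
# that has the AppLocker module; $AgentBinary is a placeholder path.
param(
    [Parameter(Mandatory)]
    [string] $AgentBinary,                         # installer or installed agent executable
    [string] $ExpectedSigner = 'JumpCloud Inc.',   # signer name given in the release note
    [string] $User = 'Everyone'                    # account to evaluate the policy for
)

# 1. The signature must verify and name the expected signer.
$sig = Get-AuthenticodeSignature -FilePath $AgentBinary
if ($sig.Status -ne 'Valid') {
    throw "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. The publisher string AppLocker matches rules against for this file.
$info = Get-AppLockerFileInformation -Path $AgentBinary

# 3. Evaluate the file against the policy currently in effect on this host.
$decision = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $AgentBinary -User $User

[pscustomobject]@{
    File               = $AgentBinary
    SignerSubject      = $sig.SignerCertificate.Subject
    Issuer             = $sig.SignerCertificate.Issuer
    AppLockerPublisher = "$($info.Publisher)"
    PolicyDecision     = "$($decision.PolicyDecision)"
    MatchingRule       = $decision.MatchingRule
} | Format-List

# Denied or DeniedByDefault means the publisher rules still need the new signer.
if ("$($decision.PolicyDecision)" -like 'Denied*') {
    Write-Warning 'Effective AppLocker policy blocks this file; add a publisher rule for the new signer before upgrading.'
}
```

Run it against the new installer on a representative host before rollout; the AppLockerPublisher line is the value to use when writing the new publisher rule.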

Bug Fixes

  • Resolved nested group sync behavior inconsistencies where the following would occur:
    • Users were unexpectedly removed from parent groups in a nested group structure in AD
    • User group membership additions and removals to ADI-connected groups in JumpCloud were inconsistently reflected in AD.
  • Membership Sync Fix for Group Names with Parentheses: Fixed a bug where user memberships would not sync correctly if the name of an AD sync group or its nested child groups contained parentheses (e.g., CN=JumpCloud(Domain)). The sync agent now properly handles these special characters during synchronization.
  • Corrected Agent Certificate Verification: Fixed a certificate verification issue by ensuring the sync agent is properly signed with JumpCloud's production key. This confirms the agent's authenticity and resolves potential installation or runtime errors related to certificate checks.

2025-06-24 ADI Release Notes

This release introduces an important enhancement for agent health status notifications and includes targeted bug fixes for the ADI service to improve stability and data consistency.

ADI Service

Enhancements

  • Deactivated Agent Notifications: To prevent unintended service disruptions, JumpCloud will now automatically send an email notification to all administrators in your organization if the last active ADI import or sync agent becomes deactivated. This ensures you can take immediate action if the deactivation was not intentional.

Bug Fixes

  • Improved Service Call Efficiency: Resolved an issue where the service would continuously retry failed user creation and user updates for errors that could not be fixed by a retry. The service is now more efficient and will not attempt redundant retries for these types of failures.
  • Corrected Password Sync Behavior for New AD Users: Fixed a critical issue where the initial system-generated password for a new AD user was incorrectly syncing back to JumpCloud, overwriting that user's active JumpCloud password. The sync process now correctly handles these initial passwords without impacting the user's existing JumpCloud credentials.

  • Resolved Data Persistence for Staged Users: Corrected a bug that prevented user information for accounts in a "staged" user state from being saved correctly in the ADI service database. This fix ensures data integrity for all user states within the service.


2025-05-12 ADI Release Notes

ADI Service

Bug Fix

  • Addressed a validation failure that occurred when the "Default External Password Authority" was configured as "Active Directory." The validation incorrectly triggered a "SystemUserModel validation error," preventing successful user imports from AD to JumpCloud.

2025-04-09 ADI Release Notes

Admin Portal

Bug Fix

  • Addressed an issue that prevented import agents from appearing in the Domain Agents list within the Admin Portal when the DN was entered in uppercase in JumpCloud during the integration setup process.

2025-02-12 ADI Release Notes

AD Import Agent v3.26.0

Bug Fixes

  • Addressed an issue preventing some users from being created in JumpCloud due to a username conflict and inability to obtain the required id. The username conflict is now logged as an error and the logic has been updated to utilize id rather than username once a new user is created. 

General Enhancements

  • Updated the client configuration defaults to ensure that conflicting values are not defined
  • Removed unnecessary values from the client configuration. The server_name is now only required if it differs from the target host
  • Minor security and performance enhancements

2025-01-07 ADI Release Notes

AD Import Agent v3.20.0

New Functionality

  • Suspended AD users are not created in JumpCloud
  • JumpCloud_AD_Import.log includes the user information for failed events
  • More of the logs are in JumpCloud_AD_Import_Grpc.log.
    • When troubleshooting, review both JumpCloud_AD_Import.log and JumpCloud_AD_Import_Grpc.log.
  • Any exceptions that result in the JumpCloud AD Integration Import Agent (JCADImportAgent) service restarting will be logged as a Windows event and viewable in the Event Viewer.

Bug Fixes

  • Duplicate users are no longer created in AD when multiple import agents are installed and active and all AD DCs are not yet in sync (replication has not completed)
  • Users are no longer immediately deleted after being added to JumpCloud when multiple import agents are installed and active and all AD DCs are not yet in sync (replication has not completed)

ADI Service

  • When multiple AD import agents are installed, one is designated as the primary agent by the ADI service for all user, group, and password related actions (directives) performed by the import agent, in addition to the delegated authentication actions. If the primary import agent becomes unavailable, another active import agent is automatically designated as the primary