Externally Managed Passwords

Externally managed passwords prevent password changes within JumpCloud, both by users and admins. When a user’s password authority is set externally, they will no longer receive password expiration notifications, and password expirations won’t apply to them.

Use this setting when a user’s password is being managed by an upstream integration or when they’re authenticating with an external Identity Provider (IdP).

Prerequisites

  • The appropriate integration, like Active Directory or an IdP, is configured in JumpCloud OR an upstream SCIM/provisioning integration is configured.

Considerations

  • Once this user setting is enabled, users will not be able to change their own password from their JumpCloud device tray application, User Portal, or any other password reset flow. Additionally, admins won’t be able to set user passwords from the Admin Portal.
  • The Externally Managed Password setting requires that an integration be selected for the password authority. 
  • If the user is associated with an Active Directory Integration, changes to the externally managed password may be overwritten on the next Active Directory Integration sync.

Setting the Password Authority for Users in the Admin Portal

To set the password authority for your users:

  1. Log in to the JumpCloud admin portal
  2. Go to USER MANAGEMENT > Users
  3. Click on the user you want to set the password authority for. 
  4. Click on the Details tab, then open the dropdown for User Security Settings and Permissions.
  5. Under Externally Managed Password, select the Password Authority from the dropdown menu.
  6. Click save user. They won’t be able to change their password through JumpCloud. If the Password Authority is integrated with JumpCloud, the user will be able to change their password in the upstream application and the password will be allowed to sync to JumpCloud.
  7. The user will see a message in their user portal under Security > Password, that says Your password is externally managed and can’t be updated in JumpCloud.
  8. This change will be updated and made visible in a few different places in the admin portal:
    • On the Users list page, under the Password Status column, the user’s password authority will be visible. It will say Password Externally Managed if their password authority is external. 
    • Once you click on a specific user and pull up their information page, their password authority will also be listed directly under their profile > Security Status.

Default External Password Authority

You can restrict users from being able to change their passwords in JumpCloud by setting the password authority as an upstream integration, like Active Directory. 

Note: This option will apply to all new users going forward. Any new users won’t be able to set or update their passwords in JumpCloud.

To set the default external password authority from User Settings:

  1. Log in to the JumpCloud admin portal
  2. Go to USER MANAGEMENT > Users
  3. In the top right corner, click Settings
  4. Under Default External Password Authority, click the Password Authority dropdown menu and select which password authority you’d like to use (Active Directory, Federated Identity Provider, or SCIM Integration). 
  5. Click Save, then you’ll be prompted to confirm your selection. 
  6. Click Yes, Continue
  7. You’ll see the updated password authority on the Users list page under the Password Status column. If the user’s password is externally managed, it will say “Managed by (name of password authority)” under the Password Status column.

Once the Default Password Authority is set, all new users will have this setting applied on creation when no other value is provided.

  • Users created via integration (Cloud Directory, SCIM, etc.) will always be created with the selected Password Authority. 
  • Users created via REST API will also always be created with the selected Password Authority unless a different Password Authority (or No) is provided in the API call.
  • Users created manually will have the Default Password Authority applied in the User Security Settings and Permissions section. This can be changed to a different Password Authority (or set to No).

Bulk Apply the External Password Authority

To bulk apply the default external password authority for users:

  1. From the Users list, select the checkboxes next to all of the users you’d like to apply the password authority setting to. 
  2. In the top right corner, click the More Actions dropdown menu, then select Set External Password Authority
  3. On the next page, click the Password Authority dropdown menu and select which password authority you’d like to use (Active Directory, Federated Identity Provider, or SCIM Integration). 
  4. Click Save. This will apply to all users selected moving forward. 
  5. You’ll see the updated password authority on the Users list page under the Password Status column, and the Externally Managed Password column. If the user’s password is externally managed, it will say True (or False if not), and “Managed by (name of password authority)”.