Configure Active Directory Integration (ADI)

JumpCloud’s Active Directory Integration (ADI) is JumpCloud’s user identity and access management directory integration that enables the syncing of users, groups, and passwords between JumpCloud and on-premises or off-premises AD. ADI can be used to extend AD to the Cloud, minimize the number of resources managed by AD, and migrate away from AD.

As covered in Get Started: Active Directory Integration, ADI uses two agents, an Import Agent and a Sync Agent, that can be installed in three (3) configurations, referred to as deployment configurations. Which deployment configuration you choose is determined by where you want to manage users, groups, and passwords; the configurations are flexible enough to support your specific use case, goals, and AD environment.

  1. Manage users, groups, and passwords in AD.
  2. Manage users and passwords in AD, JumpCloud, or both.
  3. Manage users, groups, and passwords in JumpCloud.

This article provides an overview of the benefits, example use cases, workflows, and implementation steps as well as a link to the step-by-step configuration article for each deployment configuration. It also outlines the prerequisites and considerations across all deployment configurations.

ADI Prerequisites

Before getting started with ADI, JumpCloud recommends going through this list and ensuring all items have been completed before continuing.

You will need:

  • AD Domain Admin credentials
  • Access to all Domain Controllers (DCs) or member servers in your AD domain
  • Network access to the internet from DCs or member servers and ability to communicate outbound (only) to console.jumpcloud.com over HTTPS port 443
    • The JumpCloud AD Import and Sync Agent services use SSL/TLS for all communication. If no network connectivity exists to JumpCloud, ADI will fail to connect and won't work properly
  • JumpCloud Organization for your company

Important:
  • We STRONGLY recommend installing and using LDAPS for ADI.
    • Configuring and using LDAPS on the Domain Controller to which the JumpCloud ADI agents will connect secures any sensitive information that is exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users
  • Create a separate JumpCloud admin account for this integration
    • API tokens are specific to each JumpCloud Admin account. An integration admin account prevents the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted

System Requirements

  • 64-bit Windows Server (versions 2012, 2016, 2019, 2022)
    • Server Core installation is also supported for Windows Server versions 2016, 2019, and 2022. You will need to include the /msiexec parameter when running the agent installer
  • 15MB disk space
  • 10MB RAM
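The following pre-flight script checks the prerequisites and system requirements listed above from the DC or member server that will host an agent. It is an added example, not a JumpCloud tool; it assumes Windows PowerShell 5.1 on Server 2012 R2 or later (for Test-NetConnection) and takes the FQDN of the DC the agents will bind to as the placeholder parameter $LdapsHost.

```powershell
# Added example (not JumpCloud's own tooling): ADI pre-flight checks, run on the
# server that will host an agent. $LdapsHost is a placeholder; pass your DC's FQDN.
param(
    [string]$LdapsHost     = 'dc01.corp.example',     # placeholder DC FQDN (assumption)
    [string]$JumpCloudHost = 'console.jumpcloud.com'  # from the prerequisites above
)

$results = [ordered]@{}

# 64-bit Windows Server 2012/2016/2019/2022 (Server Core is supported for 2016+)
$os = Get-CimInstance Win32_OperatingSystem
$results['64-bit Windows Server 2012-2022'] =
    ($os.OSArchitecture -like '64*') -and ($os.Caption -match 'Windows Server (2012|2016|2019|2022)')

# Free space on the drive that holds Program Files (default agent location); 15 MB required
$drive  = (Get-Item $env:ProgramFiles).PSDrive.Name
$freeMB = [math]::Round((Get-PSDrive $drive).Free / 1MB)
$results['Disk space >= 15 MB'] = $freeMB -ge 15

# Outbound-only HTTPS to JumpCloud on TCP 443; both agents use TLS for all traffic
$https = Test-NetConnection -ComputerName $JumpCloudHost -Port 443 -WarningAction SilentlyContinue
$results["TCP 443 to $JumpCloudHost"] = $https.TcpTestSucceeded

# LDAPS (TCP 636) on the DC the agents will bind to, plus a real TLS handshake so a
# self-signed or expired DC certificate is caught before the agent install
$ldaps = Test-NetConnection -ComputerName $LdapsHost -Port 636 -WarningAction SilentlyContinue
$results["TCP 636 to $LdapsHost"] = $ldaps.TcpTestSucceeded
$tlsOk = $false
if ($ldaps.TcpTestSucceeded) {
    try {
        $client = New-Object System.Net.Sockets.TcpClient($LdapsHost, 636)
        # Accept any cert in the callback; validity is checked explicitly below
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($LdapsHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # The DC cert must chain to a CA this host trusts and must not be expired
        $tlsOk = $cert.Verify() -and ($cert.NotAfter -gt (Get-Date))
        $results['LDAPS certificate subject'] = $cert.Subject
        $ssl.Dispose(); $client.Dispose()
    } catch {
        $results['LDAPS handshake error'] = $_.Exception.Message
    }
}
$results['LDAPS certificate trusted and valid'] = $tlsOk

# Print one line per check; any False value is a blocker for the agent install
$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```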

General Considerations

These considerations apply to all or most of the use case scenarios and configurations.

  • When specifying a DN, you must use a semicolon (;) as the separator; commas (,) are not supported.
  • The user attributes that sync by default are:
    • First Name
    • Last Name
    • Username
    • Email
  • The import agent can be configured to sync additional attributes.
  • Non-standard ASCII characters are not supported in the Root User DN
  • When updating an existing agent installation, only minimal installation screens are shown
  • Demoting a DC installation to a member server or promoting a member server installation to a DC installation aren’t supported. The agent(s) must be uninstalled first and then installed on the other type of server
  • The passwords for the service accounts used by the integration (e.g., jcimport and jcsync) should be rotated periodically for security reasons
  • As of ADI sync agent version 4.x and import agent 2.x, the following changes were made:
    • The default location for all agent related installation, configuration, and log files is C:\Program Files\JumpCloud\AD Integration\
    • All references to AD Bridge changed to AD Import
    • The ADI sync agent can be installed independently of the ADI import agent
    • The jcimport username & password and the API key are stored in the registry instead of the ADI Import Agent configuration file. Both the password and API key are encrypted and the values in the registry are replaced with the encrypted value when the import agent starts
    • The ADI sync agent connect key is encrypted and the value in the registry is replaced with the encrypted value when the agent starts
  • The JumpCloud ADI import and sync agent services use TLS for all communication. If no network connectivity exists to JumpCloud, ADI won’t work properly

ADI Configurations

The table below provides an overview of the three (3) deployment configurations and main use cases. The sections that follow describe the capabilities, example use cases, benefits, workflow, and considerations for each configuration, as well as a link to the step-by-step guide. 

ADI Configuration | Use case | User and Group Authority | Password Authority | Data Sync Direction | Server type(s) on which agent(s) can be installed | Install Import Agent | Install Sync Agent
--- | --- | --- | --- | --- | --- | --- | ---
Manage users, groups, and passwords in AD | Extend AD | AD | AD | One-way, AD to JumpCloud | Domain Controllers | Yes | No
Manage users and passwords in either system, or both | Extend AD | Either or both | Either or both | Bidirectional | Domain Controllers, Member Servers | Yes | Yes
Manage users and passwords in either system, or both | Minimize AD footprint | Either or both | Either or both | Bidirectional | Domain Controllers | Yes | Yes
Manage users and passwords in either system, or both | Migrate away from AD | Either or both | Either or both | Bidirectional | Domain Controllers, Member Servers (Sync agent only) | Yes | Yes
Manage users, groups, and passwords in JumpCloud | Minimize AD footprint | JumpCloud | JumpCloud | One-way, JumpCloud to AD | Domain Controllers, Member Servers | No | Yes
Manage users, groups, and passwords in JumpCloud | Migrate away from AD | JumpCloud | JumpCloud | One-way, JumpCloud to AD | Domain Controllers, Member Servers | No | Yes

Manage users, groups, and passwords in AD

This deployment configuration supports organizations looking to extend AD to the cloud for additional functionality with minimal changes to their existing AD environment.

Use Cases

  • Provide access to Cloud resources while keeping AD as the primary Identity Provider (the source of truth) for user data, passwords, and security groups.
  • Access to SaaS applications using the industry standard protocols SAML 2.0 and OIDC for SSO, and SCIM for provisioning, syncing, and deprovisioning.
  • Access to Cloud RADIUS for Wi-Fi and VPN.
  • LDAP based user auth with MFA for NAS drive mappings, networking gear, or logins to things such as Kubernetes clusters.
  • User provisioning, syncing, deprovisioning, and access control to other Cloud Directories such as M365/Entra ID and Google Workspace in real time.
  • Compliance: keep the password behind the AD firewall and still extend AD to the cloud.
  • Cross-platform device management: support Windows, Linux, Mac, iOS, and Android devices.

Benefits

  • Future Flexibility & Agility
    • Once a user identity is in the Cloud, it can be extended more easily.
    • Option to take advantage of all capabilities available in JumpCloud’s Open Directory Platform with minimal effort, with no need to find another point solution.
  • Automated Offboarding
    • Deactivating a user in AD will automatically suspend that user in JumpCloud within 60 seconds, resulting in a forced logoff on the user’s computer and the removal of access to the JumpCloud managed resources assigned to them, such as SSO, RADIUS, LDAP, Password Manager, etc.
  • User Device Choice
    • Let users pick between Windows, Mac, or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.

Workflow Details

  • Data syncs one-way from AD to JumpCloud
  • Passwords managed solely in AD
  • Users created, updated, and deactivated solely in AD
  • Security groups created and managed solely in AD
  • Group membership managed solely in AD

Configuration

Read Configure ADI: Manage users, groups, and passwords in AD for step-by-step instructions.

  • Use the ADI import agent only
  • Install the import agent on two or more member servers or on all domain controllers (DCs)
  • Add users and security groups under the ADI security group in AD

Important Considerations:

  • Import agents can be installed on member servers or DCs.
  • Delegated login authentication to AD will be used when import agents are installed on member servers.
  • Syncing the password from AD to JumpCloud requires the import agent to be installed on all DCs. Scheduled downtime is also required. Each server must be rebooted to complete the import agent installation.
  • When multiple AD import agents are installed, one is designated as the primary agent by the ADI service for all actions (directives) performed by the import agent.
  • API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.
  • Password complexity requirements in AD and JumpCloud should be the same or closely aligned to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements.
  • Importing privileged user accounts, such as Domain Admins, into JumpCloud from AD isn’t supported.
  • We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the JumpCloud ADI agents will connect to secures any sensitive information that is exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users.
  • Connect Keys are one-time use keys required for installing the import agent on a new AD server. Warning: Connect keys are only valid for 7 days if not used.
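Two of the considerations above (the import agent must be on every DC for password sync, and privileged accounts must not be imported) can be verified from a domain-joined admin host with the script below, which is an added example and not JumpCloud's own tooling. It assumes the ActiveDirectory RSAT module, a placeholder ADI security group name in $AdiGroup, and that the import agent's Windows service display name contains "JumpCloud" and "Import" (an assumption; adjust the filter to match the installed service).

```powershell
# Added example (not JumpCloud's own tooling): checks for the "import agent only"
# configuration. $AdiGroup and the service-name filter are assumptions.
param(
    [string]$AdiGroup            = 'JumpCloud ADI',                        # placeholder group name
    [string]$ImportServiceFilter = "DisplayName LIKE '%JumpCloud%Import%'"  # assumed service name
)
Import-Module ActiveDirectory

# 1. Password sync from AD to JumpCloud requires the import agent on EVERY DC.
#    Win32_Service is used instead of Get-Service -ComputerName so it also works on PowerShell 7.
$problems = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                               -Filter $ImportServiceFilter -ErrorAction Stop
        if (-not $svc)                    { "$($dc.HostName): import agent service not found" }
        elseif ($svc.State -ne 'Running') { "$($dc.HostName): service state is $($svc.State)" }
    } catch { "$($dc.HostName): unreachable ($($_.Exception.Message))" }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'Import agent running on all domain controllers.' }

# 2. Privileged accounts under the ADI group are not supported for import.
#    Resolve recursive membership of the built-in privileged groups (Enterprise and
#    Schema Admins only exist in the forest root domain, hence the try/catch).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privSids = foreach ($g in $privGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).SID.Value } catch {}
}
$adiUsers = Get-ADGroupMember -Identity $AdiGroup -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties adminCount
$flagged = $adiUsers | Where-Object {
    # adminCount=1 marks accounts protected by AdminSDHolder, catching other protected groups
    ($privSids -contains $_.SID.Value) -or ($_.adminCount -eq 1)
}
if ($flagged) {
    Write-Warning "Privileged accounts found under '$AdiGroup'; remove them before syncing:"
    $flagged | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
} else { Write-Host "No privileged accounts under '$AdiGroup'." }
```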

AD Import only – single domain workflow

AD Import only – multiple domain workflow

Manage users and passwords in AD, JumpCloud, or both

This deployment configuration supports organizations looking to minimize the number of resources managed by AD and organizations that want to eventually migrate away from AD. This configuration provides the greatest flexibility. Users, passwords, and groups can be managed in AD, JumpCloud, or both.

Use Cases

  • Allow users to change passwords in JumpCloud, from a JumpCloud managed device, and from AD.
  • Enable JumpCloud and AD to share responsibility for user identities.
  • Add support for a mixed OS fleet and non-AD bound devices.
  • Extend user access to the Cloud for one or more of the following:
    • Access to SaaS applications using the industry standard protocols SAML 2.0 and OIDC for SSO, and SCIM for provisioning, syncing, and deprovisioning.
    • Access to Cloud RADIUS for Wi-Fi and VPN.
    • LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as Kubernetes clusters.
    • User provisioning, syncing, deprovisioning, and access control to other Cloud Directories such as M365/Entra ID (Azure AD) and Google Workspace in real time.
  • Maintain an AD footprint but only for mission critical Windows servers, such as:
    • Business critical applications that must stay on-prem.
    • File and print servers that cannot go away.
    • Domain Controllers, but likely fewer DCs in fewer locations.
  • Manage profiles in one system and passwords in the other:
    • Manage passwords in JumpCloud to control credentials for Cloud resources and manage user profiles in AD to propagate the same information across all Microsoft solutions.
    • Manage passwords in AD for compliance purposes and manage profiles in JumpCloud to propagate to SaaS apps and other Cloud resources.
  • Import users from Cloud solutions that are not compatible with AD, such as an HRIS system:
    • Import users into JumpCloud and then sync those users from JumpCloud into AD.
  • Migrate away from AD completely.

Benefits

  • Future Flexibility & Agility
    • Once a user identity is in the Cloud, it can be extended more easily.
    • Option to take advantage of all capabilities available in JumpCloud’s Open Directory Platform with minimal effort, with no need to find another point solution.
  • Automated Offboarding
    • Deactivating a user in AD will automatically suspend that user in JumpCloud within 60 seconds, resulting in a forced logoff on the user’s computer and the removal of access to the JumpCloud managed resources assigned to them, such as SSO, RADIUS, LDAP, Password Manager, etc.
  • Easy deployment of non-Windows devices to users
    • Let users pick between Windows, Mac, or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.
  • Simplified end-user computer management
    • Remove the need for AD Domain Controller connectivity for all end-user computers.
  • Users managed in the Cloud
    • You can create, suspend, and manage users, passwords, and security group membership in JumpCloud. This saves you the time spent RDP’d into the DCs and in the Active Directory Users and Computers (ADUC) interface.

Workflow Details

  • Data syncs bidirectionally between JumpCloud and AD
  • Passwords managed in either system or both
  • Users created, updated, and deactivated in either system or both
  • User (security) groups created and managed in either system or both
  • Group membership managed in either system or both

Configuration

Read Configure ADI: Manage users, groups, and passwords in AD, JumpCloud, or both for step-by-step instructions.

  • Use both the ADI import agent and the ADI sync agent.
  • Install agents on either domain controllers (DCs) or member servers.
    • Important: To sync passwords from AD to JumpCloud, the import agent must be installed on all DCs.
  • Add users and security groups under the ADI security group in AD to sync from AD to JumpCloud.
  • Assign users and user groups to the AD instance in JumpCloud to sync from JumpCloud to AD.

Important Considerations:

  • When multiple AD import and sync agents are installed, one of each is designated as the primary by the ADI service for all actions (directives) performed by each agent.
  • API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.
  • If passwords need to be synced from AD to JumpCloud, an import agent must be installed on all Domain Controllers and downtime will need to be scheduled, because the installation requires a server reboot.
  • If passwords are being managed in JumpCloud or authentication is being delegated to AD, the import agent can be installed on a member server(s).
  • Password complexity requirements in AD and JumpCloud should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements.
  • Importing privileged user accounts, such as Domain Admins, into JumpCloud from AD or managing them in AD from JumpCloud isn’t supported.
  • The AD sync agent does not need to be installed on all servers.
  • Connect Keys are one-time use keys required for installing an agent on a new AD server. Warning: Connect keys are only valid for 7 days.
  • We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the JumpCloud ADI agents will connect to secures any sensitive information that is exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users.

Two-way Sync – Single Domain Workflow

Two-way Sync – Multiple Domain Workflow

Manage users, groups, and passwords in JumpCloud

This configuration supports organizations looking to migrate away from AD completely and organizations that have already significantly reduced the resources being managed by AD.

Use Cases

  • Use JumpCloud as the primary Identity Provider (the source of truth) for user identities and groups and provide access to Cloud resources.
  • You only want users to change passwords from the JumpCloud User Portal or JumpCloud managed devices.
  • Extend user access to the Cloud for one or more of the following:
    • Access to SaaS applications using the industry standard protocols SAML 2.0 and OIDC for SSO, and SCIM for provisioning, syncing, and deprovisioning.
    • Access to Cloud RADIUS for Wi-Fi and VPN.
    • LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as Kubernetes clusters.
    • User provisioning, syncing, deprovisioning, and access control to other Cloud Directories such as M365/Entra ID (Azure AD) and Google Workspace in real time.
  • Add support for non-Windows devices: Linux, Mac, iOS, and Android.
  • Maintain an AD footprint but only for mission critical Windows servers, such as:
    • Business critical applications that must stay on-prem.
    • File and print servers that cannot go away.
    • Domain Controllers, but likely fewer DCs in fewer locations.
  • Import users from Cloud solutions that are not compatible with AD, such as an HRIS system:
    • Import users into JumpCloud and then sync those users from JumpCloud into AD.
  • You want to reduce the role of AD in your environment, or you are in the final phase of your migration away from AD.

Benefits

  • Future Flexibility & Agility
    • Once a user identity is in the Cloud, it can be extended more easily.
    • Option to take advantage of all capabilities available in JumpCloud’s Open Directory Platform with minimal effort, with no need to find another point solution.
  • Automated Offboarding
    • Deactivating a user in JumpCloud will automatically suspend that user in AD within 5 seconds, resulting in a forced logoff on the user’s computer, the removal of access to the JumpCloud managed resources assigned to them, such as SSO, RADIUS, LDAP, Password Manager, etc., and the removal of access to AD managed resources.
  • Easy deployment of non-Windows devices to users
    • Let users pick between Windows, Mac, or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.
  • Simplified end-user computer management
    • Remove the need for AD Domain Controller connectivity for all end-user computers.
  • Users managed in the Cloud
    • Create, suspend, and manage users, passwords, and security group membership in JumpCloud. This saves you the time spent RDP’d into the DCs and in the Active Directory Users and Computers (ADUC) interface.
  • Migration path

Workflow Details

  • Data syncs one-way from JumpCloud to AD
  • Passwords managed solely in JumpCloud
  • Users created, updated, and deactivated solely in JumpCloud
  • User (security) groups created and managed solely in JumpCloud
  • Group membership managed solely in JumpCloud

Configuration

Read Configure ADI: Manage users, groups, and passwords in JumpCloud for step-by-step instructions.

  • Use the ADI sync agent only
  • Install agents on either domain controllers (DCs) or member servers.
  • Assign users and user groups to the ADI instance in JumpCloud

Important Considerations:

  • The AD sync agent does not need to be installed on all servers.
  • When multiple AD sync agents are installed, one is designated as the primary agent by the ADI service for all actions (directives) performed by the sync agent.
  • Password complexity requirements in AD and JumpCloud should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements.
  • Managing privileged user accounts, such as Domain Admins, in AD from JumpCloud isn’t supported.
  • Connect Keys are one-time use keys required for installing the sync agent on a new AD server. Warning: Connect keys are only valid for 7 days.
  • Groups sync automatically from JumpCloud to AD when one or more sync agents are installed. This sync cannot be disabled.
  • We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the JumpCloud ADI agents will connect to secures any sensitive information that is exchanged between the JumpCloud agents and the Domain Controller and protects against malicious users.

JumpCloud Sync Only – Single Domain Workflow

JumpCloud Sync Only – Multiple Domain Workflow

Migrate Windows Devices from AD-member to JumpCloud-managed

If your company is looking to migrate off of your AD domain to JumpCloud or move device management to JumpCloud, we recommend leveraging our Active Directory Migration Utility (ADMU) to migrate Windows devices from AD-bound to JumpCloud-managed.

Important Considerations

  • Utilizing the ADMU does not require the ADI:
    • If you’re looking to migrate user identities off of AD and into JumpCloud, and your company is going to migrate off of AD in phases, we recommend implementing both JumpCloud’s ADI and ADMU
  • You can run ADMU locally on the device or remotely using JumpCloud Commands

Configuration

See GitHub Wiki Page: JumpCloud ADMU for step-by-step instructions.

Use Cases

  • You want to convert AD-member Windows devices to JumpCloud-managed
  • You are ultimately looking to migrate entirely off of AD
  • You want JumpCloud to become the Primary IdP for all user identities

Workflow Details

  1. User identities can be imported by any of the following methods: Microsoft 365, Google Workspace, JumpCloud ADI, CSV import, or manual creation.
  2. The ADMU tool is run on the AD-member Windows device, which converts it from an AD-member device to a local WORKGROUP device and converts an AD user account to a local user account.
  3. The ADMU tool can automatically bind a JumpCloud user to the converted user mentioned in the previous step.

Benefits

  • Automation of device migration

Ready to Configure?

Check out the step-by-step configuration guide that aligns with your chosen deployment configuration:

Want additional assistance from JumpCloud? 

JumpCloud now offers myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you’re looking for assistance with Migrating from AD, or to integrate AD with JumpCloud, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.

Need to troubleshoot?

If you’re having issues with getting JumpCloud’s ADI working, try Troubleshoot: ADI.
