Externally Managed Passwords

This feature is in Beta.

Externally managed passwords prevent password changes within JumpCloud, both by users and admins. When users password authority is set externally, they will no longer receive password expiration notifications and password expirations won’t apply to them.

Use this setting when a user’s password is being managed by an upstream integration or when they’re authenticating with an external Identity Provider (IdP).


  • The appropriate integration, like Active Directory or an Identity Provider, is configured in JumpCloud OR an upstream SCIM/provisioning integration is configured.


  • Once this user setting is enabled, users will not be able to change their own password from their JumpCloud device tray application, User Portal, or any other password reset flow. Additionally, admins won’t be able to set user passwords from the Admin Portal.
  • The Externally Managed Password setting requires that an integration be selected for the password authority. 
  • If the user is associated to an Active Directory Integration, changes to the externally managed password may be overwritten on the next Active Directory Integration sync.

Setting the Password Authority for Users in Admin Portal

To set the password authority for your users:

  1. Log in to the JumpCloud admin portal. 
  2. Go to USER MANAGEMENT > Users
  3. Click on the user you want to set the password authority for. 
  4. Click on the Details tab, then open the dropdown for User Security Settings and Permissions.
  5. Under Externally Managed Password, select the Password Authority from the dropdown menu.
  6. Click save user. They won’t be able to change their password through JumpCloud. If the Password Authority is integrated with JumpCloud, the user will be able to change their password in the upstream application and the password will be allowed to synced to JumpCloud.
  7. The user will see a message in their user portal under Security > Password, that says Your password is externally managed and can’t be updated in JumpCloud.
  8. This change will be updated and made visible in a few different places in the admin portal:
    • On the Users list page, under the Password Status column, the user’s password authority will be visible. It will say Password Externally Managed if their password authority is external. 
    • Once you click on a specific User and pull up their information page. Their password authority will also be listed directly under their profile > Security Status.

Setting the Password Authority for Users in Bulk

You can utilize the REST API to set the Password Authority in bulk. The PowerShell script below will read in a CSV of User IDs (which can be exported from the Admin Portal), and set the password authority to 'external' for each user. 

Note: The script will prompt you to enter your JumpCloud admin API key. Replace the CSV path with your CSV. Your CSV doesn't need a header row.

$key = Read-Host "API Key" -MaskInput
$headers = @{
    'x-api-key' = $key
Import-Csv $path -Header "id" | ForEach-Object {
    $uri = "https://console.jumpcloud.com/api/systemusers/" + $_.ID
    $body = @{
        restrictedFields = @( @{
            field = "password"
            type = "scim"
    } | ConvertTo-Json
    Invoke-RestMethod -Uri $uri -Method PUT -Body $body -Headers $headers -ContentType "application/json"     

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case