Use the Active Directory Integration

JumpCloud’s Active Directory Integration (ADI) has three primary configurations: AD Import only, AD Import with Sync, and AD Sync only. Please reference the previous article, Configure the Active Directory Integration for more details on the three supported use cases. We’ll go into more details below on how to leverage the ADI depending on your configuration and use case. 

The ADI Agents check-in for updates from JumpCloud and the Domain Controller(s) every 90 seconds. Any changes made will be updated and reflected in the counterpart within that cadence. 


Use cases and workflows

The currently supported use cases were covered previously in Get Started with the Active Directory Integration.

Use Case Workflow Configuration Install JumpCloud AD Import Agent on DCs Install JumpCloud AD Sync Agent on DCs Add users and security groups under the integration security group in AD Active Directory Migration Utility (ADMU)
AD as Primary IdP - extend AD to the Cloud and manage mixed OS device fleets User identities and passwords are managed solely in AD. Use import agent only
Flexible two-way sync between AD and JumpCloud User identities and passwords can be managed in either AD or JumpCloud Use both import and sync agents
JumpCloud as Primary IdP - extend AD to the Cloud and manage mixed OS device fleets User identities and passwords are managed solely in JumpCloud Install both import and sync agents but only use sync agent
Migrating device management from AD to JumpCloud Devices are managed solely in JumpCloud

AD as Primary IdP – Using the AD Import Agent Only

AD Import Only – Single Domain Workflow

AD Import Only – Multiple Domain Workflow

When the JumpCloud ADI is configured for AD Import only, the illustrations above are the user identity workflows for any changes or password updates in this configuration. This method allows for Admins to extend their AD Users and Passwords to JumpCloud. JumpCloud can then extend these identities out to resources, such as RADIUS WiFi or VPN networks, SSO Applications, LDAP resources, and more.

If you’re only using AD Import, then you may continue to the Using AD Import section of this article and disregard the Using AD Sync section. 

Two-way Sync Between AD and JumpCloud – Using Both the AD Import and AD Sync Agents

Two-way Sync – Single Domain Workflow

Two-way Sync – Multiple Domain Workflow

When the JumpCloud ADI is configured for AD Import and AD Sync, the workflow pictured above is the user identity workflow for any changes or password updates in this configuration. This scenario allows Admins to not only extend their AD users and Passwords to JumpCloud but to also allow JumpCloud to manage identities and passwords within AD for synced users.

JumpCloud as Primary IdP – Using the AD Sync Agent Only

AD Sync Only – Single Domain Workflow

AD Sync Only – Multiple Domain Workflow

Using AD Import

To properly use AD Import, there are 3 primary items to be aware of: 

  1. Importing users from AD into JumpCloud
  2. Activating the users account
  3. Creating, Updating, and Deactivating users accounts

To import users from AD into JumpCloud

The AD Import Agent will only import users that you directly bind as a memberOf the JumpCloud Security Group within AD (i.e., the Security Group with the actual name of JumpCloud you created during the AD Import Agent installation).

There are two ways to import users to your JumpCloud tenant: (1) a direct membership to the JumpCloud Security Group, or (2) by binding another Security Group within AD (i.e., the Security Group you created during the AD Import Agent installation). 

To import a singular user from AD to JumpCloud


 How passwords are handled for users added in AD who already exist in JumpCloud is controlled by the setting for the UserTakeOver action in the AD import configuration file. The default value is deactivate, which will cause the user’s JumpCloud  password to be removed and set to a password pending status.    The user will temporarily lose access to their JumpCloud provisioned resources (such as RADIUS, LDAP, SSO apps, etc.) until the password is updated within AD. See the Advanced Configurations for AD Import article for more information around UserTakeoverAction.

  1. Open the Active Directory Users and Computers (ADUC) Menu:
    1. Click start button, type “dsa” and click the Active Directory Users and Computers icon.
  1. Once ADUC is open, navigate to a user that you would like to import into JumpCloud. 
  2. Right-click on the target user and click Properties
  1. Navigate to the Member Of tab in the Properties menu. 
  1. Click Add. Then add this user as a member of the JumpCloud Security Group.
  1. Click Apply. Wait up to 90 seconds and then check to see if the user has been fully imported into JumpCloud. This validates that your AD Import Agent is working appropriately. 

You’ll notice the user is imported into a Password Pending state and they have an AD Integration badge below their email address. Before they’re activated in your JumpCloud tenant, the user must update their password within AD or an AD-bound resource. Users created in AD after the AD Import Agent is installed and running will have their passwords automatically imported/updated with their user account and will be activated upon importation into your JumpCloud tenant.

To import multiple users from AD into JumpCloud:

This method allows you to import all users that are members of a specific Security Group. For example, if you want to export all AD users that are members of the Accounting Security Group, you would make the Accounting Security Group a memberOf the JumpCloud Security Group. This will then import the Accounting Security Group and all users that are associated members. 

  1. Open the ADUC Menu
    1. Click Start button, type “dsa” and click the Active Directory Users and Computers icon.
  1. Once ADUC is open, navigate to the Security Group that you would like to export to JumpCloud.
  2. Right-click on the target Security Group and click Properties.
  1. In the Security Group Properties Menu, click the Member Of tab and click Add.
  1. Add this Security Group to the JumpCloud-named Security Group and click Apply.
  1. Wait 90 seconds for both the Security Group and the Users within that Security Group to be created in JumpCloud. You will see both the user accounts and user groups within JumpCloud’s Admin Portal marked by an AD Integration badge. 

You’ll notice the user is imported into a Password Pending state and they have an AD Integration badge below their email address.. Before they’re activated in your JumpCloud tenant, the user must update their password within AD or an AD-bound resource. Users created in AD after the AD Import Agent is installed and running will have their passwords automatically imported/updated with their user account and will be activated upon importation into your JumpCloud tenant.

To activate the user account

When existing AD users are imported from AD into your JumpCloud tenant, the user Accounts are imported in a Password Pending state. Meaning that there is no password associated to the account until the user resets their password in AD. You’ll see the newly imported users in JumpCloud marked with an AD badge and in an orange Pending state within the user menu. 


Users MUST change their AD user password within AD or a domain-bound resource to activate their JumpCloud account. This is a required step. If the user never resets their password in AD, then JumpCloud will never receive a password for the account and the JumpCloud user will never be fully activated. 

Users created in AD post install of the JumpCloud AD Import Agent will arrive in your JumpCloud tenant with a green Active state and do not require a password reset from with in AD.

Steps to activate 
  1. Users will need to change their password in AD or on an AD-bound resource. 
  2. After the password reset is conducted by users, JumpCloud will be updated in 90 seconds. The JumpCloud Admin should now see the user account change from an orange Password Pending state to a green check-marked state within the User Menu. You will not see expiry dates for AD-managed users in JumpCloud as the expiry is managed by AD, not JumpCloud.
  3. All Password changes moving forward will need to be done within AD or on AD-bound resources. 


If you’re planning on using AD Sync alongside AD Import, Passwords can be updated in JumpCloud after this required initial password change has taken place within the steps outlined above. This is a requirement for both AD Import only and AD Import & Sync use cases. 

To create, update, and disable user accounts

Now that AD Import has been successfully installed and configured, AD Admins will be able to manage JumpCloud user accounts and the following attributes within AD for any CrUD updated (Create, Update, and Deactivate/Disable):

  • firstname
  • lastname
  • username
  • email
  • password, and
  • user state (active or disabled)


These changes on a user or user group will be reflected within JumpCloud in approximately 90 seconds. 

Creating new users in AD

You would follow the same process outlined above for importing users from AD into JumpCloud. For example; A new hire user account would be created in AD first, then added to a Security Group which is currently being synced with your JumpCloud tenant. This will automatically create the User Account in your JumpCloud tenant within 90 seconds. 

Updating user attributes in AD

When you change any attributes of an AD user which is currently synced via the AD Import Agent, this will reflect within your JumpCloud tenant in approximately 90 seconds. For example, if you change the Title of a user from Support Engineer I to Support Engineer II, this will reflect on the JumpCloud user’s attribute of Title in 90 seconds. 

Disabling users in AD

When deleting, suspending, or deactivating users within AD, this will in turn delete the users from JumpCloud thus removing access to any of the JumpCloud-managed resources he or she had access to such as RADIUS, LDAP, or SSO Applications. 

Using AD Sync

If you’re choosing to also leverage the functionality of AD Sync Agent with your AD Integration, this allows JumpCloud to push CrUD changes of synced users down to AD. With the AD Sync Agent in place, you will be able to do the following: 

  1. Create users in JumpCloud which will then push down to AD.
  2. When users change passwords in JumpCloud, this new password will be pushed down to their AD user account. 
  3. When you suspend or delete a user in JumpCloud, this will disable the user Account in AD. 

To sync an existing JumpCloud user down to AD via AD Sync

In this scenario, you may have pre-existing JumpCloud users in your JumpCloud tenant, but they are currently not interlinked between JumpCloud and AD through the JumpCloud AD Integration via the AD Sync Agent. To sync JumpCloud users to AD, please follow the steps below. 


If you sync existing JumpCloud users to AD, it will change the JumpCloud user account status from Activated to Password Pending, meaning they will lose access to any resources currently tied to JumpCloud. To bar from this, we recommend to see Advanced Configurations for AD Import and change the UserTakeoverAction attribute to retain.

  1. Navigate to your user in JumpCloud and open up their Details
  2. Click on the user groups tab on the user aside. 
  3. Assign user to a JumpCloud group and click Save.
  4. Wait for Active Directory badge to appear.
  1. Bind this user to the user group which they need to be a memberOf in AD (that is also synced using the ADI). In our example, we can see the Accounting User Group is tied to AD via the Directories in the drop-down menu.
  1. Click Save User. The user will then be created in the Root User Container within your AD domain. This can take up to 90 seconds.


Users who are created in AD from JumpCloud are automatically put into the Root User Container you configured during the installation of the AD Import & Sync Agents. If you need to move the user to the appropriate OU or sub OU, you’ll have to do this within AD on the DC. 

To create, update and deactivate user accounts

The following section covers how to manage AD user accounts from JumpCloud. With the AD Sync in place, JumpCloud Admins are able to manage AD users from the JumpCloud Admin Portal. This makes user onboarding, off-boarding, and management much easier. Additionally, this may help with removing the need to remotely access the DC for simple tasks within the Identity Lifecycle for user accounts.

Creating Users in JumpCloud

JumpCloud Admins can create users in AD by binding any JumpCloud user to an AD Integrated User Group within JumpCloud. For example, if you’ve synced the Accounting group from AD to JumpCloud via the Import Agent, then any JumpCloud user bound to this synced user group will be created within AD under the Root User Container. 

The user is created within AD, is a memberOf the associated user group (Security Group in AD), and their AD user account will use their JumpCloud Password. 

Suspending or deleting users in JumpCloud

Suspending or deleting users within JumpCloud will Disable the user account within AD. JumpCloud in any form will never remove or delete user accounts in any of the 3rd party integrations. (This also includes SAML, LDAP, AD, GWS, and M365). These changes will reflect in 90 seconds.

Learn More
AD users losing sudo permissions
Converting AD-Managed Accounts to JumpCloud-Managed Accounts
Advanced Configurations for AD Import
Setting account password on the domain does not update in JumpCloud
Troubleshooting Import Agent Log Errors (LDAPS CONFIG)
Using AD Import with JumpCloud RADIUS

Want additional assistance from JumpCloud?

If you’re having issues with getting JumpCloud’s AD Integration working, see the Troubleshooting Guide.

JumpCloud now offers a myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you’re looking for assistance with Migrating from AD, or to integrate AD with JumpCloud, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case