When you bind users to external directories like Google Workspace and Microsoft 365 (M365)/Entra ID, JumpCloud starts to manage their identities in those directories. When a bound user sets up their JumpCloud password, and logs in to their User Portal, JumpCloud takes over management of the password in the external directory as well. We call this password takeover. The password is synchronized for those users any time they log in to the User Portal after a change has been made to their user record. This helps centralize identity and provides consistent, predictable password management within JumpCloud, for both Administrators and Users.
Password synchronization will be logged by the external directory as a password update. The User might be logged out of their existing Google Workspace or M365/Entra ID sessions and will receive a notification of a password update. A corresponding log in event can be found in JumpCloud to verify that the password up date was a synchronization with JumpCloud.
Considerations:
- External directory passwords aren’t sent and managed by JumpCloud until users log in to their JumpCloud User Portal for the first time after they’re associated with a directory.
- Remind your users that if they want to change their password, they should do so through their JumpCloud User Portal.
- If a User changes their password in an external directory, it won’t be automatically updated in JumpCloud until the next time the User logs into their User Portal.
- JumpCloud previously required that a user reset their password in JumpCloud to complete synchronization with your external directory. If you had users who didn’t complete that step, their password will be synchronized the next time they logged in to JumpCloud.
- As a result of this password update, the user might be logged out of existing Google Workspace or M365/Entra ID sessions and get notified of a password update.
- M365/Entra ID treats a password sync as a password reset regardless of whether or not the password changed. When a user’s attributes are changed in JumpCloud, the next time that user logs in to the JumpCloud User Portal, a synchronization occurs with M365/Entra ID.
- The synchronization includes the user’s password, which triggers reset password and refresh token update events in M365/Entra ID, even if the user’s password didn’t change. A Microsoft password reset typically logs users out of their locally installed Microsoft applications, like Teams and Outlook, both desktop and mobile.
- If your organization has automation that regularly updates user attributes, users may be logged out of these applications more frequently.
- Leverage JumpCloud’s Bookmarking feature to make your users’ experience more streamlined from their user portal.
The flow differs slightly for active and new users.
Flow for Active Users
An active user is a user in an 'active' user state, has a password, and that password status is 'active'. After an administrator binds an active user to an external directory, the user receives an email telling them the directory they’ve been added to, and to set their password by logging into their JumpCloud User Portal. Once they’ve done this, JumpCloud will manage their password for that external directory.
When the User logs in to the JumpCloud User portal, a notification will indicate that their password was updated.
In the external directory, the password will be updated, resulting in the user being logged out of existing Google Workspace or M365/Entra ID sessions. Users will receive a notification from Google Workspace or M365/Entra ID that their password has been updated.
Users That are Bound to More Than One External Directory
Users will receive a new email for each individual external directory that they are bound to. The flow for users bound to more than one external directory is the same as for active users.
Flow for New Users
A new user is a user in an 'active' user state with a password status of 'password pending'. After an administrator binds a new user without a password to an external directory, the user receives a Welcome to JumpCloud (activation) email that takes them through how to set up their new account. After the user sets up their account, creates an account password, and logs in to their User Portal, their password is sent to the external directories they’re bound to. Now, JumpCloud will manage all passwords for external directories that User is bound to.