Active Directory Integration (ADI) Release Notes 2026

This page provides a comprehensive list of the latest enhancements and stability improvements for JumpCloud's Active Directory Integration (ADI). Interested in previous years' release notes? See:

Alternately, see JumpCloud's Feature Release Notes.

2026-04-09 ADI Release Notes

AD Sync Agent v4.81.0

This release delivers a comprehensive suite of updates designed to enhance security, connection resiliency, and environmental flexibility. Key highlights include the implementation of intelligent retry logic with exponential backoff and jitter to protect DCs and JumpCloud infrastructure from connection overloads during service interruptions. This version also introduces critical support for single-label domains and non-standard Root DN structures, ensuring structural accuracy for diverse directory architectures. Coupled with enhanced attribute-level logging and significant fixes for group membership and password-expiration synchronization, this release provides more stable, secure, and precise syncs from JumpCloud to AD.

Enhancements

  • Intelligent Connection Resiliency (Backoff & Jitter): The agent now utilizes exponential backoff with jitter for its connection streams. During service interruptions or mass agent reconnections, the agent will incrementally space out retry attempts. This significantly reduces the load on the ADI service and prevents "tight-loop" retries that could previously stress DCs with thousands of LDAP binds in a matter of seconds.
  • Detailed Attribute Logging: In the event of a sync failure due to invalid syntax, logs now specify the exact attribute causing the error, allowing for faster troubleshooting compared to previous generic syntax warnings.
  • Single-Label Domain Compatibility: Refactored the validation logic for the Root Distinguished Name (DN). The agent can now correctly process and synchronize domains with fewer than two components (e.g., single-label domains like DC=internal vs. the standard DC=internal;DC=com). This ensures smoother integration for legacy or specialized internal AD setups.
  • Minor gRPC security and performance enhancements

Note:

When configuring the Root DN in the jcadimportagent.config.json, remember that JumpCloud requires the use of semicolons (;) to separate DN components rather than commas. For example: DC=example;DC=com.
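A pre-flight check for the Root DN format described in the note above, as an added example (not JumpCloud's validation code). It takes the Root DN string directly rather than reading jcadimportagent.config.json, and the component pattern and function names are assumptions made for illustration.

```python
import re

# Assumed component shape: TYPE=value, with no separator characters in the value.
_COMPONENT = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=;,]+$")

def check_root_dn(value):
    """Return a list of problems for a Root DN written in semicolon form.
    An empty list means the value passed these checks."""
    if not value or not value.strip():
        return ["Root DN is empty"]
    problems = []
    if "," in value:
        problems.append("comma separator found; use ';' as in "
                        + value.replace(",", ";"))
    parts = [p.strip() for p in re.split(r"[;,]", value)]
    for part in parts:
        if not _COMPONENT.match(part):
            problems.append(f"malformed component: {part!r}")
    if not any(p.upper().startswith("DC=") for p in parts):
        problems.append("no DC= component present")
    return problems

def to_ldap_dn(value):
    """Standard comma-separated DN (RFC 4514 style) for cross-checking
    against AD tools; only valid semicolon-form input is converted."""
    if check_root_dn(value):
        raise ValueError(f"invalid Root DN: {value!r}")
    return ",".join(p.strip() for p in value.split(";"))

if __name__ == "__main__":
    for sample in ("DC=example;DC=com", "DC=internal",   # constructed inputs
                   "DC=example,DC=com", "DC=example;;DC=com"):
        print(f"{sample!r}: {check_root_dn(sample) or 'ok'}")
```

Single-label values such as DC=internal pass, matching the compatibility change listed for this release.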

Bug Fixes

  • Reduced LDAP Bind Errors & DC Stress: Resolved an issue where a dropped delegated-auth stream would cause the agent to retry connection attempts too rapidly. This fix eliminates the flood of "LDAP 52e" errors and prevents excessive resource consumption on the Domain Controller.
  • gRPC Log Optimization: Significantly reduced the volume of delegated authentication bind error logs that previously populated the gRPC logger during upgrades or connection instability.
  • Password-expiration sync to Active Directory: Resolved the synchronization of password expiration states to AD by refining how the userAccountControl flag is handled. Setting a user to "Password Expired" in JumpCloud now correctly forces pwdLastSet=0 in AD.
  • Configuration Continuity: Fixed a bug where admins had to manually re-enter all configuration values after upgrading the sync agent. The installer now correctly preserves existing settings.
  • Resolved "Malformed Root DN" Error: Addressed a bug where the Sync Agent intermittently failed to retrieve groups from Active Directory. Previously, the agent would return a failed to get groups from AD: malformed root DN error in environments with specific internal configurations.

AD Import Agent v4.23.0

This release delivers significant advancements in authentication reliability, sync resilience, and connection stability. By prioritizing unique UPN and sAMAccountName identifiers for Delegated Authentication, this release eliminates login conflicts caused by shared mail attributes, while a newly implemented non-blocking workflow ensures that imports continue seamlessly even when individual user errors occur. Furthermore, this release introduces gRPC intelligent retry logic with exponential backoff to protect your DCs from connection surges during service interruptions. These enhancements—alongside improved logging and scalability fixes for MSP environments—provide a more transparent, secure, and reliable integration.

Enhancements

  • Connection Resiliency (Backoff & Jitter): Added exponential backoff with jitter to the directives stream. This intelligently spaces out reconnection attempts during outages or mass agent restarts, preventing service overloads and ensuring a smoother recovery for the ADBridge service and its datastore.
  • Delegated Authentication User Mapping Logic: The agent now only utilizes the User Principal Name (UPN) and sAMAccountName to identify and authenticate users, removing the previous prioritization of the mail-based lookup method. This ensures authentication remains precise and successful even in environments with shared or non-unique mail entries.
  • Enhanced Logging & Observability: Refactored logging for faster troubleshooting:
    • Timestamp-First Logs: Correlate events more easily with timestamps at the start of every line.
    • Cleaner Error Messages: Removed redundant formatting and "noisy" prints (e.g., LDAP Result Code 200/Network Error artifacts) for easier and more efficient root-cause analysis.
    • Configuration Audit on Startup: Agent now logs key settings (excluding secrets) upon startup to verify configuration.
  • Improved User Sync Workflow: Implemented a non-blocking sync process. Users with attribute issues are now logged and skipped rather than halting the entire import. Skipped users are retried in subsequent cycles once data is corrected in AD.
  • Case-Insensitive Object Tracking: Switched agent to utilize case-insensitive matching for Active Directory objectGUID lookups to ensure consistent synchronization during OU moves or object renames. This prevents "duplicate" object errors and ensures the import state remains accurate regardless of how attribute casing is returned by different domain controllers.
  • Expanded Password Length Support: Added support for Active Directory’s maximum password length of up to 256 characters.
  • Minor gRPC security and performance enhancements
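A small simulation of the reconnect behaviour described in the Backoff & Jitter items for both the Sync Agent and the Import Agent, as an added example (not JumpCloud's agent code). It compares a tight-loop retry with exponential backoff plus full jitter; the jitter variant, the base and cap delays, the agent count and the outage length are all assumptions.

```python
import random
from collections import Counter

def full_jitter_delay(attempt, rng, base=1.0, cap=300.0):
    """Delay before the next retry: uniform in [0, min(cap, base * 2**attempt)).
    base and cap are assumed values, not the agents' real settings."""
    return rng.uniform(0.0, min(cap, base * 2 ** attempt))

def simulate_outage(agents, outage_seconds, delay_fn):
    """Every agent loses its stream at t=0 and retries until the outage ends.
    Returns (busiest one-second bucket, total attempts) seen by the server."""
    per_second = Counter()
    for _ in range(agents):
        t, attempt = 0.0, 0
        while t < outage_seconds:
            per_second[int(t)] += 1          # one failed connect/bind
            t += delay_fn(attempt)
            attempt += 1
    return max(per_second.values()), sum(per_second.values())

def compare(agents=200, outage_seconds=120, seed=7):
    rng = random.Random(seed)                # seeded so the run is repeatable
    tight = simulate_outage(agents, outage_seconds, lambda n: 0.05)
    spaced = simulate_outage(agents, outage_seconds,
                             lambda n: full_jitter_delay(n, rng))
    return {"tight_loop": tight, "backoff_jitter": spaced}

if __name__ == "__main__":
    for name, (peak, total) in compare().items():
        print(f"{name:15s} peak/sec={peak:5d} total={total}")
```

The remaining peak under backoff is the first second, when every agent notices the drop at once; after that the jitter spreads the retries apart.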

Bug Fixes

  • Domain Controller Configuration Preservation: Resolved an issue where upgrading the Import Agent on a member server could inadvertently clear the Domain Controller IP or FQDN in the jcadimportagent.config.json file. The installer now correctly preserves and prefills existing values during the upgrade process, ensuring LDAP connectivity remains intact without requiring manual re-entry of the DC address.
  • Password Tracking on Update: Fixed a bug where the agent would stop tracking password changes after the agent was upgraded on a Domain Controller (DC) unless the service was restarted one more time after the DC restart.
  • Authentication Failures for Shared Email Attributes: Fixed an issue where Delegated Authentication would fail if multiple users in Active Directory shared a common value in the mail field.
    • Previously, these scenarios could trigger a "multiple search results" error, blocking portal access. The agent now correctly targets unique directory identifiers (such as UPN or sAMAccountName) to ensure users can log in successfully even if email aliases are shared.
  • Improved Hierarchy & Membership Resiliency: Refactored the internal membership logic to better handle transient LDAP errors. If the agent encounters a "No Such Object" error during a membership check, it now gracefully treats it as a non-membership rather than halting the sync cycle.
  • Sync Process Stability (Nil Pointer Prevention): Resolved a technical defect where specific background processes (such as user reconciliation or unbinding) could crash due to uninitialized data structures. This "nil pointer" fix ensures the agent remains stable during high-volume update batches.
  • Protection for Re-added Objects: Updated the synchronization logic to protect objects that are deleted and immediately re-added to AD. The agent now intelligently skips "Delete" processing for entries already present in a pending update batch, preventing unnecessary transient object removal in JumpCloud.
  • Reliable Manager Attribute Updates: Resolved an edge case where changes to a user’s manager in Active Directory were occasionally missed during synchronization. The reconciliation logic now correctly identifies these standalone attribute changes and ensures an update request is triggered, keeping reporting lines accurate in JumpCloud.
  • Scale and Reliability Fix (MSP Large Imports): Resolved intermittent new user import failures for specific MSP environments (e.g., large multi-organization MTPs), ensuring these users are consistently imported along with their group and JumpCloud organization memberships. 
  • Email Overwrite Prevention: Resolved an issue where a user's JumpCloud email was incorrectly overwritten by their UPN during password updates. The agent now correctly prioritizes the AD "mail" attribute, ensuring email addresses remain stable even when the mail and userPrincipalName values differ.
  • Configuration Preservation on Upgrade: Fixed a bug where custom UserFieldMapping values were reverted to defaults during an upgrade. Existing mappings are now strictly preserved during re-installations or updates.
  • Installer UI Improvements: Resolved overlapping text and alignment issues in the installer wizard and updated the security group path description for clarity.

ADI Service

Enhancements

  • AD Object Identifiers Persistence: The service now persists Active Directory objectSID and objectGUID attributes, providing a more stable foundation for long-term object tracking.
  • Automated Notifications: Administrators will now receive email notifications if an AD agent becomes deactivated, allowing for faster response times.
  • Delegated Authentication: Updated delegated authentication filters and enhanced the password delegation requests to send AD user filters with SAMAccountName and UPN only.
  • Minor security and performance enhancements

Bug Fixes

  • Sync Logic Refinement:
    • Adjusted internal data caching logic to ensure group membership changes are detected and processed with higher precision.
    • Fixed an issue where the Manager attribute of a user was not clearing out in the Admin portal.
    • Corrected a bug preventing Alternate Email translation.
    • Added validation checks before binding a user to a group.