Connect BambooHR to Active Directory (on-premise)

When someone joins, moves or leaves in BambooHR, you want that change reflected in your on-premise Active Directory without anyone touching it by hand. To connect BambooHR to Active Directory, Joinly reads each HR change in BambooHR through the REST API and applies it to your domain through the Joinly AD Agent, a lightweight connector that runs inside your network. BambooHR stays your source of truth; Joinly is the engine that keeps every account in the right OU, accurate and traceable.

Key takeaways

  • BambooHR stays your source of truth; Joinly applies every joiner, mover and leaver to on-premise Active Directory automatically.

  • The Joinly AD Agent runs inside your network and needs only an outbound HTTPS connection — no inbound ports and no domain controller exposed to the internet.

  • Joinly maps BambooHR department, division and location to the right AD security groups and target OUs, and builds the sAMAccountName, UPN and distinguished name from your own rules.

  • Joinly reads the hireDate and tracks employment-status changes, so accounts land in the correct OU on the start date and follow the real status of the person.

  • Every action is logged for a complete audit trail, aligned with NIS2 and ISO 27001 — and the same setup extends to a hybrid Entra ID environment.

Figure: BambooHR → Joiner / Mover / Leaver → Active Directory (on-premise)

Quick facts

Source system: BambooHR (employee directory)

Target system: on-premise Active Directory (AD DS)

Connection method: BambooHR REST API → Joinly cloud → Joinly AD Agent → Active Directory

Agent requirement: domain-joined Windows server running the agent under a gMSA, outbound HTTPS (443) only

Supported events: joiner, mover, leaver (incl. rehire, status change, contractor conversion)

Synced attributes: name, sAMAccountName, UPN, mail, department, division, location, job title, supervisor, distinguished name / OU, hire and termination date

Sync cadence: batch, multiple times per day (not real-time)

Compliance: ISO 27001, NIS2-ready, GDPR (EU data centre)

How does Joinly sync BambooHR to Active Directory?

Joinly reads each HR change in BambooHR in the cloud, then hands the action to the Joinly AD Agent inside your network, which makes the change in Active Directory. BambooHR holds the authoritative employee record; the agent is the only component that touches your domain.

  1. Joiner. HR adds the new hire in BambooHR. Joinly reads the record, determines the role from department, location and job title, and instructs the AD Agent to create the user in the correct OU, build the sAMAccountName and UPN from your rules, and add the right security groups — timed to the hireDate.

  2. Mover. When someone changes department, location or job title, Joinly tells the agent to move the user to the matching OU, swap security-group membership and update attributes. Access that no longer fits the new position is removed, so permissions stay aligned with the actual job.

  3. Leaver. On the terminationDate, Joinly instructs the agent to disable the AD account and optionally move it to a disabled-users OU. An employment-status change to a non-active status is treated the same way, so access is removed when the person actually stops working — not only on a formal termination.

Example: A creative agency runs BambooHR and an on-premise AD across two studios. It hires a motion designer with a hire date next Monday. Joinly reads the record, and on Monday morning the AD Agent creates the user in the Studio-A > Creative OU, builds a unique sAMAccountName from the agency's naming pattern, and adds the Creative-Team group. When the designer later moves to the production team, the agent moves the object to the new OU and swaps the groups the same day.

What manual AD account management costs

Without automation, every account starts as a BambooHR notification that an admin works through in Active Directory Users and Computers by hand — creating the object, choosing the OU, building the sAMAccountName, adding groups. BambooHR has no native way to write to on-premise AD, so without a tool the decisions all fall to people, and small teams without an IAM function feel that most.

  • Onboarding delays. New joiners wait for an AD account and group access while a request sits in someone's inbox, losing productive days in their first week.

  • Permissions that don't keep up (privilege creep). When movers change department or location, old security-group membership often stays attached, so people accumulate rights they no longer need.

  • Forgotten offboarding. Accounts that aren't disabled on time are a security and audit risk — easy to miss when there's no automated trigger from BambooHR.

Joinly vs. building it yourself for AD

BambooHR can't write to on-premise AD on its own, and the native Entra provisioning agent only relays cloud-provisioned data. Here's how Joinly compares for a BambooHR-driven AD setup.

Each row gives the Joinly AD Agent first, then a DIY script or the Entra provisioning agent.

  • Source. Joinly: reads the BambooHR REST API directly. DIY: you call the API yourself, or relay from Entra.

  • OU placement. Joinly: rule-based on department / location. DIY: hand-coded, limited logic.

  • Role-to-group mapping. Joinly: built in, rule-based. DIY: not available out of the box; manual.

  • Hire-date timing. Joinly: times creation to the hireDate. DIY: custom logic in your script.

  • Employment-status changes. Joinly: handled via employmentHistoryStatus. DIY: manual; easy to miss.

  • sAMAccountName / UPN rules. Joinly: custom transformation with uniqueness fallback. DIY: hand-coded in the script.

  • Audit trail. Joinly: per-action logging tied to the HR source. DIY: whatever you log yourself.
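For the "you call the API yourself" side of the comparison, here is an added PowerShell example of the BambooHR half of a do-it-yourself sync. It is not Joinly's code. It relies on three documented BambooHR API behaviours: HTTP Basic auth with the API key as user name and any string as password, JSON only when you send Accept: application/json, and custom fields addressed by numeric id, which /meta/fields reveals. The subdomain, the custom field names "Site Code" and "Contract Type", the numeric ids, and the embedded sample responses are constructed; how a custom field is keyed in an employee response (by its numeric id here) is an assumption to confirm against your own /meta/fields output.

```powershell
# Added example, not Joinly's code: poll BambooHR for changed employees, resolve custom field
# ids through /meta/fields, and flatten each employee into the record an AD-side sync consumes.
$Subdomain = 'example-agency'                               # assumed BambooHR company subdomain
$Base      = "https://api.bamboohr.com/api/gateway.php/$Subdomain/v1"

function Invoke-Bamboo([string]$Path, [string]$ApiKey) {
  # Basic auth is "<apikey>:x". Keep the key in a secret store and pass it in; never hard-code it.
  $token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${ApiKey}:x"))
  $headers = @{ Authorization = "Basic $token"; Accept = 'application/json' }
  Invoke-RestMethod -Method Get -Uri "$Base$Path" -Headers $headers
}

function Resolve-FieldIds($MetaFields, [string[]]$Names) {
  # /meta/fields lists every field as {id, name, type[, alias]}. Custom fields usually have no alias,
  # so match on alias or display name, and fail loudly on a miss instead of silently mapping nothing.
  $map = @{}
  foreach ($n in $Names) {
    $hit = $MetaFields | Where-Object { $_.alias -eq $n -or $_.name -eq $n } | Select-Object -First 1
    if (-not $hit) { throw "BambooHR field '$n' not found in /meta/fields" }
    $map[$n] = [string]$hit.id
  }
  $map
}

function ConvertTo-IsoDateOrEmpty([string]$d) {
  # BambooHR returns an unset date as "0000-00-00"; hand '' downstream instead of a parse error.
  if ($d -match '^\d{4}-\d{2}-\d{2}$' -and $d -ne '0000-00-00') { $d } else { '' }
}

function ConvertTo-SyncRecord($Employee, [hashtable]$FieldIds) {
  # Flatten one /employees/{id} response into the shape the AD-side rules consume.
  @{
    id                      = [string]$Employee.id
    firstName               = $Employee.firstName
    lastName                = $Employee.lastName
    department              = $Employee.department
    location                = $Employee.location
    jobTitle                = $Employee.jobTitle
    hireDate                = ConvertTo-IsoDateOrEmpty $Employee.hireDate
    terminationDate         = ConvertTo-IsoDateOrEmpty $Employee.terminationDate
    employmentHistoryStatus = $Employee.employmentHistoryStatus
    siteCode                = $Employee.($FieldIds['Site Code'])      # custom field, by numeric id (assumed)
    contractType            = $Employee.($FieldIds['Contract Type'])
  }
}

function Get-ChangedSyncRecords([string]$ApiKey, [datetime]$Since, [hashtable]$FieldIds) {
  # /employees/changed returns only ids and actions; fetch each employee afterwards with exactly
  # the fields the AD rules need (standard aliases plus the resolved custom ids).
  $since  = $Since.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
  $fields = 'firstName,lastName,department,location,jobTitle,hireDate,terminationDate,employmentHistoryStatus,' +
            ($FieldIds.Values -join ',')
  $changed = Invoke-Bamboo "/employees/changed/?since=$since" $ApiKey
  if ($changed.employees -isnot [pscustomobject]) { return @() }   # defensive: nothing changed
  foreach ($p in $changed.employees.PSObject.Properties) {
    ConvertTo-SyncRecord (Invoke-Bamboo "/employees/$($p.Value.id)/?fields=$fields" $ApiKey) $FieldIds
  }
}

# Offline run on constructed responses, shaped like what Invoke-Bamboo returns for /meta/fields
# and /employees/{id}. No network call is made here.
$metaSample = @'
[{"id":4,"name":"First Name","type":"text","alias":"firstName"},
 {"id":4321,"name":"Site Code","type":"text"},
 {"id":4322,"name":"Contract Type","type":"list"}]
'@ | ConvertFrom-Json
$employeeSample = @'
{"id":"1042","firstName":"Noor","lastName":"van der Berg","department":"Creative","location":"Studio-A",
 "jobTitle":"Motion Designer","hireDate":"2025-03-03","terminationDate":"0000-00-00",
 "employmentHistoryStatus":"Active","4321":"AMS-01","4322":"Freelance"}
'@ | ConvertFrom-Json

$fieldIds = Resolve-FieldIds $metaSample @('Site Code', 'Contract Type')
$record   = ConvertTo-SyncRecord $employeeSample $fieldIds
$record
```

The two points that matter for security here are that the key travels only in the Authorization header of a TLS connection and is never persisted by the script, and that field resolution fails closed: if a custom field the OU or group rule depends on is renamed in BambooHR, the run stops rather than placing people with an empty value.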

Watch-outs when connecting BambooHR to Active Directory

A few details decide whether this connection stays reliable as you grow.

  • sAMAccountName uniqueness and length. AD limits the sAMAccountName to 20 characters and it must be unique across the domain. Joinly builds it from your rules with a fallback pattern, so duplicate names never produce a collision or a truncated, unreadable login.

  • OU placement from a flat HR model. BambooHR only has department, division and location — there is nothing that maps to an OU. Joinly builds explicit rules that place each user, and move them on a transfer, into the correct OU from those flat fields.

  • Reliance on custom fields. Data that decides OU or group often lives in BambooHR custom fields, exposed only by numeric field ID. Joinly discovers them via /meta/fields and maps the ones you need, so a local site code or contract type can drive AD placement.

  • Employment-status changes. A move to on-leave or contractor-to-FTE is a status change, not a hire or termination. Joinly reads employmentHistoryStatus and disables or re-enables the AD object accordingly, so access matches the person's real status.

  • Service-account permissions. The agent acts under a service account with delegated rights. Joinly works with least-privilege delegation scoped to the target OUs, so the agent can create, move and disable users without domain-admin rights.

Joinly handles each of these by default with custom mapping and transformation.
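The joiner / mover / leaver steps described above and the sAMAccountName, OU-placement and employment-status watch-outs in this section, as one added PowerShell example built on the ActiveDirectory module. It is not Joinly's code (Joinly expresses these rules as Liquid templates inside its agent); it shows the same decisions as plain script so you can see what the product is deciding for you. The domain names, the OU and group maps, the 30-day grace period and the sample record are constructed; the BambooHR field names are the ones this page uses.

```powershell
# Added example, not Joinly's code: apply one BambooHR-style record to on-premise AD as a joiner,
# mover or leaver, with the sAMAccountName, OU and status rules this page describes.
Import-Module ActiveDirectory

$UpnSuffix  = 'corp.example'                     # assumed
$BaseDn     = 'DC=corp,DC=example'               # assumed
$DisabledOu = "OU=Disabled Users,$BaseDn"        # assumed parking OU for leavers
$GraceDays  = 30                                 # days after termination before the object is parked

# BambooHR is flat (department, division, location), so the OU rule has to live here. Constructed layout.
$OuMap = @{
  'Studio-A|Creative'   = "OU=Creative,OU=Studio-A,$BaseDn"
  'Studio-A|Production' = "OU=Production,OU=Studio-A,$BaseDn"
  'Studio-B|Creative'   = "OU=Creative,OU=Studio-B,$BaseDn"
}
# department -> security groups. A mover loses the old department's groups and gains the new ones.
$GroupMap = @{
  'Creative'   = @('Creative-Team')
  'Production' = @('Production-Team')
}
$ManagedGroups = @($GroupMap.Values | ForEach-Object { $_ })

function ConvertTo-AsciiToken([string]$s) {
  # strip diacritics, then anything that is not a letter or digit (AD rejects "/\[]:;|=,+*?<> in a sAMAccountName)
  (($s.Normalize([Text.NormalizationForm]::FormD) -replace '\p{Mn}', '') -replace '[^A-Za-z0-9]', '').ToLower()
}

function New-SamAccountName([string]$First, [string]$Last) {
  # rule: first initial + surname, at most 20 characters, unique in the domain. On a collision append
  # a counter and trim the base (never the counter) so the result stays readable and within 20 chars.
  $base      = (ConvertTo-AsciiToken $First).Substring(0, 1) + (ConvertTo-AsciiToken $Last)
  $candidate = $base.Substring(0, [Math]::Min(20, $base.Length))
  $n = 2
  while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'") {
    $suffix    = [string]$n
    $candidate = $base.Substring(0, [Math]::Min(20 - $suffix.Length, $base.Length)) + $suffix
    $n++
  }
  $candidate
}

function Sync-HrRecord([hashtable]$Rec) {
  $today    = (Get-Date).Date
  $targetOu = $OuMap["$($Rec.location)|$($Rec.department)"]
  if (-not $targetOu) { throw "no OU rule for $($Rec.location) / $($Rec.department); refusing to guess" }

  $termDate = if ($Rec.terminationDate) { [datetime]$Rec.terminationDate } else { $null }
  # active = BambooHR status says so AND the termination date, if any, has not been reached
  $active = ($Rec.employmentHistoryStatus -eq 'Active') -and (-not $termDate -or $termDate -gt $today)

  # employeeID is the stable join key; never match on name, which changes and collides
  $user = Get-ADUser -Filter "employeeID -eq '$($Rec.id)'" -Properties memberOf

  if (-not $user) {
    # Joiner: create on or after the hireDate only, so no enabled account sits idle before day one
    if ([datetime]$Rec.hireDate -gt $today) { return "deferred until $($Rec.hireDate)" }
    $sam = New-SamAccountName $Rec.firstName $Rec.lastName
    $initialPw = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })   # random, changed at first logon
    New-ADUser -Name "$($Rec.firstName) $($Rec.lastName)" -GivenName $Rec.firstName -Surname $Rec.lastName `
      -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" -EmailAddress "$sam@$UpnSuffix" `
      -EmployeeID $Rec.id -Department $Rec.department -Title $Rec.jobTitle -Office $Rec.location `
      -Path $targetOu -AccountPassword (ConvertTo-SecureString $initialPw -AsPlainText -Force) `
      -ChangePasswordAtLogon $true -Enabled $active
    foreach ($g in $GroupMap[$Rec.department]) { Add-ADGroupMember -Identity $g -Members $sam }
    return "created $sam in $targetOu"
  }

  $sam = $user.SamAccountName
  if ($active) {
    # Mover, rehire or return from leave: right OU, right groups, right attributes, enabled
    if ($user.DistinguishedName -notlike "*,$targetOu") {
      Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOu
    }
    $current = @($user.memberOf | ForEach-Object { (Get-ADGroup $_).Name })
    $wanted  = @($GroupMap[$Rec.department])
    foreach ($g in $current) {
      if ($g -in $ManagedGroups -and $g -notin $wanted) { Remove-ADGroupMember -Identity $g -Members $sam -Confirm:$false }
    }
    foreach ($g in $wanted) { if ($g -notin $current) { Add-ADGroupMember -Identity $g -Members $sam } }
    Set-ADUser -Identity $sam -Department $Rec.department -Title $Rec.jobTitle -Office $Rec.location
    if (-not $user.Enabled) { Enable-ADAccount -Identity $sam }
    return "updated $sam -> $targetOu"
  }

  # Leaver, or any non-active status (on leave, contract ended): disable now, park after the grace period
  if ($user.Enabled) { Disable-ADAccount -Identity $sam }
  if ($termDate -and $termDate.AddDays($GraceDays) -le $today -and $user.DistinguishedName -notlike "*,$DisabledOu") {
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu
  }
  return "disabled $sam"
}

# Constructed BambooHR-style record; field names follow the BambooHR fields this page names.
$record = @{
  id = '1042'; firstName = 'Noor'; lastName = 'van der Berg'; jobTitle = 'Motion Designer'
  department = 'Creative'; location = 'Studio-A'; hireDate = '2025-03-03'
  terminationDate = ''; employmentHistoryStatus = 'Active'
}
Sync-HrRecord $record
```

Two design choices carry the security weight. employeeID is the join key, so a rename or a duplicate name can never re-attach someone to another person's account, and the 20-character limit is enforced by trimming the base before the counter is appended, so a collision yields a new, readable login rather than a truncated duplicate. Only groups listed in $GroupMap are touched on a move; access granted outside the HR-driven set is left alone and has to be reviewed separately, which is exactly the privilege creep the next section warns about.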

Always audit-ready

Every account action the Joinly AD Agent performs is logged in the Joinly cloud: who was affected, when it happened, which OU and groups changed and which BambooHR change triggered it. For NIS2 that matters directly: access can be traced back to an authorised HR source rather than an ad-hoc request. Joinly is ISO 27001 certified, runs in an EU data centre in Amsterdam, and applies least privilege by default, with NIS2 requirements built in.

Example case

Take a creative agency with around 180 employees across two studios, running BambooHR but still living in an on-premise Active Directory for its design workstations and file shares. Every new designer, editor or account manager starts as a BambooHR notification that one overloaded admin processes by hand in AD — creating the object, choosing the OU, building the login, adding groups. With freelance contracts and frequent moves between teams the work never empties, and new joiners wait until day two or three for their account.

Connect BambooHR to Active Directory with Joinly and that work disappears. The Joinly AD Agent creates each user in the right OU on the hire date, builds a unique sAMAccountName, adds the correct security groups, moves people on a transfer and disables accounts on the termination date, with a 30-day threshold workflow that then parks them in a disabled-users OU, all driven by the HR change in BambooHR.

"An account is simply ready in the right OU when the designer walks in, moves between teams sort themselves out, and we can show exactly which BambooHR change created every bit of access."

The outcome this setup is designed for: onboarding drops from days to zero touch, privilege creep from old roles is eliminated, and a small team can walk into its next NIS2 assessment with a complete, source-backed audit trail.

More than a connector

A standalone BambooHR to Active Directory connection is a good start, but identity rarely stops at one target. The same Joinly setup extends to Entra ID for a hybrid environment and to your other systems, managing the complete chain from joiner to leaver with logging and governance built in. You review the exceptions; Joinly maintains the chain.

Installation manual
Installation guide

Follow these steps to connect BambooHR to your on-premise Active Directory with Joinly. Most of the setup happens in the cloud platform; the only local component is the lightweight Joinly AD Agent, which you install on a domain-joined server.

1. Create your account

Go to platform.joinly.app and create your account.

Note: charges may apply for using the platform after the trial period ends.

Screenshot: Joinly account creation screen at platform.joinly.app.

2. Find the BambooHR integration in the Joinly marketplace

Open the Joinly marketplace and search for the BambooHR integration.

Don't see your system listed? Get in touch at support@koppelhet.nl and we'll help you out.

Screenshot: Joinly marketplace showing available HR integrations; search it for the BambooHR integration.

3. Follow the installation wizard

You may be redirected to integrations.joinly.app. Create an account there and enter your BambooHR connection details: your company subdomain and a BambooHR API key (generated in BambooHR from your name in the lower-left → API Keys). A BambooHR API key carries the permissions of the user who generated it, so generate it from a dedicated integration user whose access is limited to the fields the sync needs, not from an administrator's personal account. All data is encrypted and stored securely.

Screenshot: Joinly installation wizard where you enter the BambooHR subdomain and API key.

4. Download the Joinly AD Agent

In the platform, go to Workflows → Select a workflow → Add action → Select 'Provisioning via Agent' and download the installer. The agent is a lightweight Windows service that connects your domain to the Joinly cloud over an outbound HTTPS connection only — there are no inbound ports to open.

A full Joinly AD Agent installation guide is available separately.

Screenshot: Joinly platform screen to download the AD Agent installer from the provisioning settings.

5. Install the agent on a domain-joined server

Run the installer on a domain-joined Windows server that can reach a domain controller. The server needs outbound HTTPS (port 443) to the Joinly cloud and a gMSA created in the domain for the agent to run under (gMSAs require a KDS root key in the forest, and the server must be allowed to retrieve the account's managed password). Run through the installer; it registers the agent as a Windows service that starts automatically.

6. Pair the agent with your Joinly tenant

Copy the pairing token from Settings → Provisioning → AD Agent in the platform and paste it into the agent's configuration screen. The agent uses the token to register securely with your tenant; once paired, its status shows as Connected in the platform.

Screenshot: Joinly AD Agent pairing screen with the connection token.

7. Set the target OU and attribute mapping

Configure where users are created and how their attributes are built. Map the distinguished name / OU from department and location, and build the sAMAccountName, userPrincipalName, mail, department and manager with Liquid templates.

Screenshot: Joinly field mapping screen for BambooHR to Active Directory attributes (OU and attribute mapping).

8. Configure your workflows

Create an onboarding (joiner) and offboarding (leaver) workflow with trigger-based execution, then an Identity updated workflow with a Create/update employee in Active Directory action so every change in BambooHR flows through the agent to AD. Add a date-threshold workflow that runs a set number of days after the termination date (for example 30) as a second stage: it disables any account that is still enabled and optionally moves it to a disabled-users OU.

Screenshot: Joinly workflow editor creating a trigger-based employee onboarding workflow.

Screenshot: a date-threshold workflow that runs a set number of days after the termination date and disables the account.

9. Network and firewall requirements

The agent needs outbound HTTPS (443) to the Joinly cloud and a gMSA with PowerShell access to your domain controllers, delegated on the target OUs rather than made a domain admin. No inbound firewall rules are required, and no domain controller is exposed to the internet. For high availability you can run the agent on more than one server.
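An added example of the gMSA and the delegation that steps 5 and 9 call for, written for the ActiveDirectory module and dsacls.exe; it is not part of Joinly's installer or guide. The domain (CORP / corp.example), the account name svc-joinly, the agent host name, the OU list and the group names are assumptions; the rights granted are the ones this page says the agent needs (create, move and disable users in the target OUs, and set group membership).

```powershell
# Added example, not part of the Joinly installation guide: create the gMSA the agent runs under
# and delegate it only the rights it needs on the provisioning OUs, instead of Domain Admins.
# Run once as a Domain Admin from a machine with RSAT; the agent server itself needs no admin rights.
Import-Module ActiveDirectory

$NetBios       = 'CORP'                                    # assumed
$BaseDn        = 'DC=corp,DC=example'                      # assumed
$GmsaName      = 'svc-joinly'                              # assumed
$AgentHost     = 'JOINLY-AGENT01'                          # the domain-joined server from step 5 (assumed)
$ManagedOus    = "OU=Studio-A,$BaseDn", "OU=Studio-B,$BaseDn", "OU=Disabled Users,$BaseDn"
$ManagedGroups = 'Creative-Team', 'Production-Team'

# 1. gMSAs need a KDS root key in the forest. -EffectiveImmediately is for a lab; in production
#    create the key and wait about 10 hours so every DC has it before creating the account.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# 2. The account. Only the agent host may retrieve the managed password; there is no interactive logon.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
  New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer $AgentHost) `
    -KerberosEncryptionType AES128, AES256
}
$principal = "$NetBios\$GmsaName`$"                       # gMSA SAM account names end in $

# 3. Delegation per OU with dsacls. /I:S scopes an ACE to child objects of the named class.
#    A move needs delete-child at the source OU and create-child at the target OU, so every
#    managed OU gets both; write-property covers userAccountControl (disable), title, office, name.
foreach ($ou in $ManagedOus) {
  dsacls $ou /G "${principal}:CCDC;user"                   # create and delete user objects in this OU
  dsacls $ou /I:S /G "${principal}:WP;;user"               # write properties of user objects below it
  dsacls $ou /I:S /G "${principal}:CA;Reset Password;user" # set the initial password at creation
}
# Group membership is written on the group object, so delegate 'member' on the managed groups only.
foreach ($g in $ManagedGroups) {
  dsacls (Get-ADGroup $g).DistinguishedName /G "${principal}:WP;member"
}

# 4. On the agent server (not here): Install-ADServiceAccount $GmsaName, then Test-ADServiceAccount
#    $GmsaName must return True before the Joinly service is set to log on as CORP\svc-joinly$.

# 5. Guard rail: verify the account has not ended up in a privileged group.
function Test-GmsaLeastPrivilege([string]$Name) {
  $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Schema Admins'
  $groups = @((Get-ADServiceAccount -Identity $Name -Properties memberOf).memberOf |
              ForEach-Object { (Get-ADGroup $_).Name })
  $bad = @($groups | Where-Object { $_ -in $privileged })
  if ($bad) { Write-Warning "$Name is a member of privileged group(s): $($bad -join ', ')" }
  return ($bad.Count -eq 0)
}
Test-GmsaLeastPrivilege $GmsaName
```

Two caveats. WP;;user grants write to every attribute of user objects under the OU, including ones an attacker who compromised the agent host could abuse (scriptPath, servicePrincipalName, msDS-KeyCredentialLink); a stricter delegation lists the attributes the sync actually writes, one dsacls line each, for example WP;userAccountControl;user and WP;title;user. And because whatever controls the HR feed can now disable or move any account in those OUs, keep administrative and service accounts in OUs the gMSA is not delegated on.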

Need cloud Entra ID provisioning as well? See our guide on connecting BambooHR to Microsoft Entra ID, or contact support at support@koppelhet.nl.

Frequently asked questions

Does the Joinly AD Agent need inbound firewall openings?
No. The agent only makes an outbound HTTPS connection to the Joinly cloud and acts on your domain controllers from inside the network through a gMSA with PowerShell access. There are no inbound ports to open and no domain controller is exposed to the internet.

What account does the agent run under?
A Group Managed Service Account (gMSA) with PowerShell access to your domain controllers, delegated only on the target OUs so it can create, move and disable user objects without domain-admin rights.

Which OU do new accounts land in?
The one your rules define. Joinly builds the distinguished name and OU placement from BambooHR department and location fields, and moves the object to a new OU automatically when someone transfers.

How is the sAMAccountName built and kept unique?
From your Liquid template, with the generateUniqueUsername helper falling back to the next pattern on a collision, all within AD's 20-character limit.

Can I provision to both Active Directory and Entra ID?
Yes. The same Joinly setup drives a hybrid environment — the AD Agent for on-premise AD and the native Entra connection for the cloud. See the BambooHR to Entra ID guide.

Can I run more than one agent for high availability?
Yes. You can install the agent on multiple domain-joined servers so provisioning continues if one server is unavailable.
