When someone joins, moves or leaves in Dayforce, you want that change reflected in your on-premise Active Directory without anyone touching it by hand. To connect Dayforce to Active Directory, Joinly reads each HR change through the Dayforce REST API and applies it to your domain through the Joinly AD Agent — a lightweight connector that runs inside your network. Dayforce stays your source of truth; Joinly is the engine that keeps every account in the right OU, accurate and traceable.
Key takeaways
Dayforce stays your source of truth; Joinly applies every joiner, mover and leaver to on-premise Active Directory automatically.
The Joinly AD Agent runs inside your network and needs only an outbound HTTPS connection — no inbound ports and no domain controller exposed to the internet.
Joinly maps Dayforce structures to the right AD security groups and target OUs, and builds the sAMAccountName, UPN and distinguished name from your own rules.
Resolves XRefCodes and reads the hire date, so accounts land in the correct OU on the start date and a termination in Dayforce actually disables the AD account.
Every action is logged for a complete audit trail, aligned with NIS2 and ISO 27001 — and the same setup extends to a hybrid Entra ID environment.
Quick facts
Source system | Dayforce (Dayforce HCM) |
Target system | On-premise Active Directory (AD DS) |
Connection method | Dayforce REST API → Joinly AD Agent → Active Directory |
Agent requirement | Domain-joined Windows server with a GMSA, outbound HTTPS (443) only |
Supported events | Joiner, mover, leaver (incl. rehire, status change, future-dated work assignment) |
Synced attributes | Name, sAMAccountName, UPN, mail, department, job, position, manager, location, distinguished name / OU, hire and termination date |
Real-time or batch | Frequent sync, multiple times per day |
Compliance | ISO 27001, NIS2-ready, GDPR (EU data centre) |
How does Joinly sync Dayforce to Active Directory?
Joinly reads each HR change in Dayforce in the cloud, then hands the action to the Joinly AD Agent inside your network, which makes the change in Active Directory. Dayforce holds a single combined HR and payroll record; the agent is the only component that touches your domain.
Joiner. HR completes the hire in Dayforce. Joinly reads the new record, resolves the department, position and location XRefCodes to determine the role, and instructs the AD Agent to create the user in the correct OU, build the sAMAccountName and UPN from your rules, and add the right security groups — timed to the hire date.
Mover. When someone changes position, department or location, Joinly tells the agent to move the user to the matching OU, swap security-group membership and update attributes. Access that no longer fits the new position is removed, so permissions stay aligned with the actual job.
Leaver. On the termination date, Joinly instructs the agent to disable the AD account and optionally move it to a disabled-users OU. Because Dayforce termination and AD deprovisioning are otherwise separate, Joinly is what guarantees the account is actually disabled when the last working day arrives.
Example: Illustrative: a regional grocery retailer runs Dayforce and an on-premise AD across its stores and a distribution centre. It hires a store associate with a hire date next Monday. Joinly reads the record, resolves the location and position XRefCodes, and on Monday morning the AD Agent creates the user in the Store-12 > Floor OU, sets the sAMAccountName to a unique pattern, and adds the Store-Associates group. When the associate later moves to a shift-lead position, the agent moves the object to the new OU and swaps the groups the same day.
What manual AD account management costs
Without automation, every account starts as a Dayforce ticket that an admin works through in Active Directory Users and Computers by hand — creating the object, choosing the OU, building the sAMAccountName, adding groups. Aquera's connector or Microsoft's Entra provisioning agent can push Dayforce data to on-premise AD, but they offer limited mapping, no role-to-group logic and leave the termination-to-deprovisioning gap open, so the decisions still fall to people.
Onboarding delays. New joiners wait for an AD account and group access while a ticket sits in a queue, losing productive days in their first week.
Permissions that don't keep up (privilege creep). When movers change position, old security-group membership often stays attached, so people accumulate rights they no longer need.
Forgotten offboarding. Because a Dayforce termination doesn't disable the AD account by itself, accounts that aren't disabled on time are a security and audit risk — and a terminated worker can keep domain access for weeks.
Joinly vs. the middleware agents for AD
Aquera's connector and Microsoft's Entra provisioning agent can write Dayforce data to on-premise AD, but they stop short of the part that actually decides access. Here's how the two compare for a Dayforce-driven AD setup.
Joinly AD Agent | Aquera / Entra provisioning agent | |
|---|---|---|
Source | Reads the Dayforce REST API directly | Reads Dayforce (often via SFTP/CSV staging) |
OU placement | Rule-based on department, location and position | Single configured container; limited logic |
Role-to-group mapping | Built in, rule-based | Not available out of the box; manual |
XRefCode handling | Resolves lookup XRefCodes automatically | Manual mapping; invalid codes fail with a silent 400 |
Future-dated work assignments | Times creation to the hire date | Needs custom date-window configuration |
sAMAccountName / UPN rules | Custom transformation with uniqueness fallback | Limited expression mapping |
Audit trail | Per-action logging tied to the HR source | Limited |
Watch-outs when connecting Dayforce to Active Directory
A few details decide whether this connection stays reliable at scale.
sAMAccountName uniqueness and length. AD limits the sAMAccountName to 20 characters and it must be unique across the domain. Joinly builds it from your rules with a fallback pattern, so duplicate names never produce a collision or a truncated, unreadable login.
OU placement from Dayforce structures. Legal entity, location, department and position don't map one-to-one to your OU structure. Joinly builds explicit rules that place each user — and move them on a transfer — into the correct OU.
XRefCode resolution. Every Dayforce lookup is keyed by an XRefCode, and an invalid one returns a bare HTTP 400. Joinly resolves the right XRefCodes from the live tenant before the agent acts, so OU and group mapping doesn't fail silently halfway through a sync.
Termination decoupled from deprovisioning. A Dayforce termination does not disable the AD account on its own. Joinly bridges the two, so the moment Dayforce records a termination date the agent disables the account — no terminated worker keeps domain access.
gMSA permissions and Windows Server 2025. The agent runs as a Windows service under a group Managed Service Account (gMSA) that is automatically granted CreateChild, WriteProperty and Reset Password on the OUs you select — no domain-admin and no stored password. On Windows Server 2025 a default gMSA is rejected for still carrying RC4; the Joinly installer creates it AES-only and repairs existing accounts automatically.
Joinly handles each of these by default with custom mapping and transformation.
Always audit-ready
Every account action the Joinly AD Agent performs is logged in the Joinly cloud: who was affected, when it happened, which OU and groups changed and which Dayforce change triggered it. For NIS2 that matters directly: access can be traced back to an authorised HR source rather than an ad-hoc request. Joinly is ISO 27001 certified, runs in an EU data centre in Amsterdam, applies least-privilege by default, and is built to meet NIS2 and ISO 27001.
Example case
Take a regional grocery retailer with around 3,200 employees across fifty stores and a distribution centre, running Dayforce but still living in an on-premise Active Directory for its till, scheduling and warehouse systems. Every new store associate, cashier or picker starts as a Dayforce ticket that IT processes by hand in AD — creating the object, choosing the store OU, building the login, adding groups. With high seasonal turnover and constant store-to-store transfers the queue never empties, and new joiners wait until day two or three for their account.
Connect Dayforce to Active Directory with Joinly and that work disappears. The Joinly AD Agent creates each user in the right store OU on the hire date, builds a unique sAMAccountName, adds the correct security groups, moves people on a transfer and disables accounts on the termination date with a 30-day grace window — all driven by the HR change in Dayforce.
"An account is simply ready in the right store OU when the associate clocks in, transfers move themselves, and a termination in Dayforce now actually closes the AD account instead of leaving it open for weeks."
The outcome this setup is designed for: onboarding drops from days to zero touch, privilege creep from old roles is eliminated, and the team can walk into its next NIS2 assessment with a complete, source-backed audit trail.
More than a connector
A standalone Dayforce to Active Directory connection is a good start, but identity rarely stops at one target. The same Joinly setup extends to Entra ID for a hybrid environment and to your other systems, managing the complete chain from joiner to leaver with logging and governance built in. You review the exceptions; Joinly maintains the chain.
Schedule a demo
Installation guide
Follow these steps to connect Dayforce to your on-premise Active Directory with Joinly. You set up the Dayforce connection and a workflow in the platform, then install the lightweight Joinly AD Agent on a domain-joined Windows server. For the full agent reference, see HR to Active Directory on-premise synchronisation.
1. Connect your Dayforce integration
In platform.joinly.app find the Dayforce integration in the marketplace and complete the wizard: your Dayforce Web Services URL (company instance endpoint), company ID, and OAuth credentials from the Dayforce developer portal. Joinly now reads every joiner, mover and leaver from Dayforce at the source.
Find and connect the Dayforce integration in the Joinly marketplace.
Enter your Dayforce Web Services endpoint, company ID and OAuth credentials.
2. Enable the Joinly Agent module in the marketplace
In the Joinly marketplace, search for Joinly Agent and install the module. This makes the on-premise agent and its workflow action available in your tenant.
3. Create a workflow on employee mutations and download the agent
Create a new workflow that runs on Dayforce employee mutations, add the Provisioning via Agent action, and download joinly-agent.exe from that action. The agent is a single Windows-service installer — there is nothing else to deploy.
Create a workflow that runs on employee mutations.
Download the Joinly AD Agent from the workflow agent action.
4. Check the requirements
Make sure the target server meets these:
A Windows Server with the Domain Controller role, or a machine joined to the domain
Local administrator rights
Outbound internet access to the Joinly portal (
https://platform.joinly.app)For the gMSA: the Active Directory PowerShell module (
RSAT-AD-PowerShell) and a KDS Root Key in the domain
5. Run the installer wizard
Right-click joinly-agent.exe and choose Run as administrator. In step 1 of the wizard, enter:
Joinly portal URL — default
https://platform.joinly.appAPI key — the API key from the Joinly portal (shown with the agent download)
gMSA account name — for example
svc_joinlyagent(leave blank for LocalSystem, which is not recommended)
On a re-install the existing values are pre-filled, and you can leave the API key blank to keep the stored encrypted key.
Enter the portal URL, API key and gMSA account name in the installer wizard.
6. Select the target OUs
The wizard reads all OUs and containers from Active Directory and shows a multiselect. Select every OU where the agent may create and manage users. The gMSA is automatically granted CreateChild, WriteProperty and Reset Password on the selected OUs and their sub-OUs. If you select nothing, the gMSA gets no write rights — you can delegate them later by hand.
7. Choose the disabled-users OU
Select the OU where disabled (soft-deleted) leavers are moved. Leave it blank to disable accounts in place without moving them. This is what closes the Dayforce termination-to-deprovisioning gap on-premise.
8. Let the wizard finish the gMSA and service setup
The wizard then runs automatically: it installs the files to C:\Program Files\Joinly\Agent, saves the AES-256-GCM-encrypted config to C:\ProgramData\Joinly\Agent\config.json, checks the AD PowerShell module and KDS Root Key, creates the gMSA (AES-only), installs and verifies it, grants the OU rights, registers the Windows service via NSSM under the gMSA, and starts it.
Windows Server 2025: AD creates a gMSA with RC4 still enabled, which Server 2025 rejects. The installer creates the account AES-only and repairs existing gMSAs automatically, so
Install-ADServiceAccountdoesn’t fail.
9. Verify and manage the agent
Confirm the service is running, and re-open joinly-agent.exe as administrator any time to reconfigure, run diagnostics, or uninstall.
10. Add the field mapping
Back in the workflow agent action, add the field mapping. Map the distinguished name / OU from Dayforce location, department and position, and build the sAMAccountName, userPrincipalName, mail, department and manager. Joinly resolves the Dayforce XRefCodes for each lookup value, so you map on the human-readable value and the agent keeps the codes in sync — an invalid code never fails the sync with a silent 400. The match attribute (for example employeeID) is how the agent recognises existing users, and the default OU is where new users are created.
Add the Dayforce-to-AD field mapping to the agent action.
11. Test the workflow
Go to a Dayforce identity, choose Trigger workflow, and run the workflow you created. The agent applies the change in Active Directory — check the result on the user object and in the agent logs.
Need cloud Entra ID provisioning as well? See our guide on connecting Dayforce to Microsoft Entra ID, or contact support at support@koppelhet.nl.
Frequently asked questions
Does the Joinly AD Agent need inbound firewall openings?
No. The agent only makes an outbound HTTPS connection to the Joinly cloud and acts on your domain controllers from inside the network through a GMSA with PowerShell access. There are no inbound ports to open and no domain controller is exposed to the internet.
What account does the agent run under?
A Group Managed Service Account (GMSA) with PowerShell access to your domain controllers, scoped to the target OUs so it can create, move and disable user objects without domain-admin rights.
Which OU do new accounts land in?
The one your rules define. Joinly builds the distinguished name and OU placement from Dayforce location, department and position, and moves the object to a new OU automatically when someone transfers.
How is the sAMAccountName built and kept unique?
From your Liquid template, with the generateUniqueUsername helper falling back to the next pattern on a collision, all within AD's 20-character limit.
Can I provision to both Active Directory and Entra ID?
Yes. The same Joinly setup drives a hybrid environment — the AD Agent for on-premise AD and the native Entra connection for the cloud. See the Dayforce to Entra ID guide.
Can I run more than one agent for high availability?
Yes. You can install the agent on multiple domain-joined servers so provisioning continues if one server is unavailable.