Configuration as code plugin 1.54
Active Directory plugin 2.25
jenkins.yaml file in Jenkins home directory contains the following snippet:
On startup Jenkins is configured to use local authentication (presumably the default). It is only when the "Reload existing configuration" button is pressed that AD authentication is configured. I set up a logger for io.jenkins.plugins.casc and no issues are shown, including no indication that the AD config is loaded.
Note: I don't believe this is a security issue, but because the ticket includes the word "security", Jira is only allowing me to create it in the "Security issues" project. I believe the issue is either with the JCASC plugin or the Active Directory plugin.