Best app or automation for user management?

@Dee from Texas You should also consider this information posted on the page https://support.atlassian.com/confluence-cloud/docs/assign-space-access-to-guests/ page:

Hi @Dee from Texas ,

Thank you for your post.

Not a easy task, you requirement needs coding and call several api.

You can find more info here: https://community.atlassian.com/forums/Jira-Service-Management/Help-with-the-user-deactivation-automation-for-90-days/qaq-p/3211133 

Marketplace app that I know: https://marketplace.atlassian.com/apps/1211109/user-management-and-license-optimizer-for-jira-confluence?hosting=cloud&tab=overview 

Hope it helps

Hello, @Dee from Texas 

Disclosure: I am from TechTime, a Marketplace Partner, maker of User Management for Confluence (and Jira too) — an app that enables something very similar, specifically automatic delicensing of inactive users.

So...

1) I disagree with @Marc -Devoteam- This has nothing to do with the SSO, only with the User Provisioning from the IdP. We always advise our customers (we are also a Solution Partner in New Zealand and Australia) to separate SSO groups from application groups (and in fact separate SSO-related app in Entra from User Provisioning app in Entra). Any fully enabled user would then have at least two groups: one gives SSO ability and is mapped to SSO app in Entra, the other(s) are product-related groups and are provisioned to Cloud for the sake of enabling making decisions in Cloud e.g. giving access to products.

2) If a group is provisioned from Entra it becomes read-only in Atlassian Cloud, so if this group actually grants the Confluence license you can't remove a user from this group to take the license away.

3) As such you do need a 3rd party app like ours to set up a more elaborate configuration as follows:

• Entra syncs users and "entitlement" groups i.e. an indication to the Cloud that this user SHOULD have a license, e.g., confluence-user-role.
• These groups are NOT the actual access groups in Cloud. Other groups, "local" to Atlassian Cloud, are the access groups, e.g., confluence-user.
• You will also need a different local "marker" group, e.g., confluence-unlicensed-users.
• The app is then configured to regularly look for
  • anyone who is included in the entitlement group confluence-user-role and is not included in confluence-users and is not included in confluence-unlicensed-users -> automatically add them to confluence-users thus actually giving them a license.
  • anyone who is included in confluence-users and not included in confluence-user-role -> licensed but Entra says they shouldn't, remove them from confluence-users
  • anyone who is included in all three confluence-users, confluence-user-role, confluence-unlicensed-users -> they were previously unlicensed but got the license back and are entitled to have it, remove them from confluence-unlicensed-users
• The inactivity-related process is also set up in the app:
  • anyone who is entitled and licensed i.e. member of both confluence-user-role and confluence-users but hasn't been using Confluence for 90 days — take away the license group (confluence-users) and put them into the marker group confluence-unlicensed-users
• One way the user can automatically re-acquire the license is to have your email domains pre-approved for access to products and the license group (confluence-users) to be the default i.e. if the user "comes back" they will automatically get this group. Obviously manual adding to the group by the admin works too.
• Often people do not want such default groups to actually grant any permissions within Confluence i.e. all your permissions should be based on confluence-user-role instead — so the users from your domain may license or re-license themselves but they will only get true access if Entra says they are entitled to have the access. And also the cleanup rule (#2 above) will remove the license as soon as the app runs the check.

4) These days guest access results in users being put into the product-specific guest group. So theoretically you could replace "unlicensed" group with the "guest" one. Our app will happily operate on these groups. Whether it will actually work, specifically produce the expected level of access on the space-level is a question. I believe it maybe kinda one way – all guest users invited to individual spaces end up in the guest group, but not all users from the guest group are invited to all spaces

5) And yes, the warning by Atlassian that @Barbara Szczesniak mentioned is still valid. While delicensing someone who is inactive for 90 days is a task a regular admin can do at any time, and the app in this case merely automates it, converting someone who was a paid user to a guest is basically trying to circumvent Atlassian licensing terms. I can't blame Atlassian for not liking this.

6) If you have ANY questions please don't hesitate to reach out to our 24x7 support or via chat widget on our website 

HI @Dee from Texas 

This is kind of impossible on using Entra as SSO or any SSO solution.

As Entra is in the lead, if a user is active in Entra the user is active in Atlassian, if you alos provision groups and assignee access based on the groups this is also leading on what license is granted

If on Access settings, users from a domain, or any domain are granted a Confluence license, this will always be enforced.

Users not using Confluence for 90 days, but coming from Entra and user access settings or default group settings on provisioned groups ( if user is in this group), Entra sync will always be leading.

How is your setup?