I've got two managed accounts for developers that are no longer with the organization. I cannot deactivate them as I get the message "User is last billing admin of a transaction account that has one or more active entitlements"
How can I resolve this so I can deactivate the user accounts?
Hello @Ethan DiPilato
Welcome to the Atlassian community.
For the billing accounts where those individuals are specified as the last billing admin another billing admin will need to be added.
Were these individuals specified as billing admins for your organization's Atlassian Cloud products?
https://support.atlassian.com/subscriptions-and-billing/docs/understand-billing-administration/
If there are not specified as billing admins for your organization's products, then perhaps their managed accounts were made billing admins for another organization's products. This might include those individuals having started their own separate Atlassian Cloud app subscriptions under the identity that your organization set up for them.
In the interim while you are trying to figure this out you may want to Suspend their access to your organization's apps.
https://support.atlassian.com/user-management/docs/remove-or-suspend-a-user/
These accounts were never specified as billing admins for our organization's products so I guess the alternative scenario you suggest where they may have with the account, while still with the organization, opened up a separate product subscription is the likely case.
As they aren't with the organization anymore their access to the accounts themselves is long since suspended.
I would just like to have them properly deactivated to keep things tidy.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Does you organization have a subscription to Atlassian Guard? If so, have you checked the Shadow IT features to see if the users have subscriptions to other Atlassian products?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
We do not, we're entirely on free tiers of products as we are a small organization. Looks like I can start a trial so I'll give that a look, thanks. Once I can identify what product they signed up for when they were active, is there a way I can remove it so that the account can be deactivated?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Refer to the information available here for that topic:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Unfortunately Atlassian Guard did not help. It did not identify the shadow apps that these two accounts are connected to.
Woops, meant to post this as a reply, not an answer
How is Atlassian Cloud authentication governed for those accounts? Can you login as those users? It won't work to use the Log In As User option. You will have to go to id.atlassian.com and login as that user with whatever password, MFA, or SSO option you have enabled for the managed accounts.
If you can login to id.atlassian.com as that user then you will be able to also go to admin.atlassian.com as that user and admin.atlassian.com/billing to find out where they have been specified as a billing admin.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello, @Ethan DiPilato
If these accounts are managed – change their email addresses to something within your organisation that you can access. If they have 2FA enabled in Atlassian Cloud – disable (I think you should be able to for a managed account)
Usually using "subaddressing" with your own email as the base will work – here is the explanation from Microsoft but the same is for Google Workspace: https://learn.microsoft.com/en-us/exchange/recipients-in-exchange-online/plus-addressing-in-exchange-online
Once you can access "their" emails – reset the password and login as "them" and discover what the products are.
Guard should have still identified the instances – but it does take some time, I think, so maybe check again?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Unfortunately Atlassian Guard did not help. It did not identify the shadow apps that these two accounts are connected to.
Woops, meant to post this as a reply, not an answer
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.