Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 
  • Community
  • Q&A
  • Jira
  • Questions
  • How to export a complete list of Groups (including empty ones) & assigned users & App/Product Access

How to export a complete list of Groups (including empty ones) & assigned users & App/Product Access

sana_faiyaz
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
July 17, 2026

Hi everyone,

I am trying to generate a comprehensive audit report of all the groups within our Atlassian organization. Specifically, I need a list that shows:

  1. Every group (including legacy or empty groups that currently have 0 users).

  2. The users inside those groups.

  3. The Apps/Product Access assigned to each group (e.g., Jira Software, Confluence, Jira Service Management).

What I've tried so far:

  • UI User Export: Running a user export from admin.atlassian.com gives me the apps and groups, but it only shows groups that currently have active users assigned to them. Empty groups are completely left out of this report.

  • Organization API v2: I tried writing a script using the (https://api.atlassian.com/admin/v2/) endpoints (specifically /groups/search with expansions). I had generated an personal API endpoint. I have site admin role so i can access admin.atlassian.com

    but when i query it via the script i get error saying "401 Unauthorized error". I was doing bearer authorization but ofcrouse my token is personal. 


    I can query this endpoint though using basic authentication, my email ID, site name and the api token. 

    {JIRA_URL}/rest/api/3/group/bulk



    Why is this failing?
    As a site admin can I not consume the the api.atlassian.com endpoint via basic authentication??
    Do i need to get a bearer API token?

2 answers

0 votes
samiishaq236
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
July 17, 2026

You need to use a bearer token to access the Admin API; a personal API token or basic authentication won't work. That's why you're getting the 401 Unauthorized error.

0 votes
Gabriela
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 17, 2026

Two different auth planes, and that's the whole of it. Calls to your site host take basic auth with your email plus a personal API token, which is why group/bulk works for you. Point that same token at api.atlassian.com/admin and it dies both ways: basic gives you 401, bearer gives you 401. That host wants an Admin API key, a separate credential you create at admin.atlassian.com under Settings, API keys, and then send as a Bearer token. Worth knowing org admin and site admin are distinct roles up there too, so if that page isn't showing you anything, that's your next thread to pull.

Better news. Your three requirements don't need that API at all.

Every group including the empty ones is GET /rest/api/3/group/bulk on basic auth, the credential you already have working. It lists groups whether or not anyone is in them, which is the exact thing the UI export drops on the floor. Members per group is GET /rest/api/3/group/member?groupId={groupId}.

Product access by group is GET /rest/api/3/applicationrole. It arrives inverted, product by product with the groups listed underneath, so you flip it in the script. Cheap to do. That endpoint is Jira's own though, which means Software and Service Management land in it while Confluence access doesn't. For the Confluence half you're back at the admin API with a real key.

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
TAGS
AUG Leaders

Atlassian Community Events