
Users Gaining Access to Jira and Confluence without Approval

Jason Krewson
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
July 19, 2024

I am working for a company that has Jira and Confluence. Recently, they signed up for Confluence prior to me working here, and that is when this issue started.

Today any user in the company's domain is automatically granted access to Jira and Confluence without admin approval; before they had someone set up Confluence, Org Admins had to approve it.

I think I figured out how to stop this, with the below reference, checking "Required" so that it requires an Org Admin to approve for the Approved domain. 

https://support.atlassian.com/user-management/docs/control-how-users-get-access-to-products/ 

  1. Admin approval column:

    1. Check Required: Organization admins need to approve access requests from users with the approved domain. Learn more about access requests

    2. Uncheck Required: Users with the approved domain can join your product without approval.

But my question is, what does this exactly do when a new user tries to access our site?

For example, let's say I am a new user, no Atlassian account: do I just need to go to Jira or Confluence for the company, log in with an MS account as we have SSO, and then be prompted to request access to Jira or Confluence, which then notifies the Org Admin to approve? Or does this force me to go create an Atlassian account like the documentation suggests: "Must create an Atlassian account before logging in to your products."? SSO should let us skip the account creation, I would think.

Thanks for the help in advance! I have tried to get someone to test with, still working on that. I guess it's Friday, as I am just not getting responses from users I can find that do not have access. I will try more on Monday also.

 

2 answers

1 accepted

0 votes
Answer accepted
Jason Krewson
Rising Star
July 23, 2024

From my response to Hans: updating the approved domain to require admin approval is what corrected this issue.

--------------------------------------

I was able to test this 2 ways today. 

  1. A user that had Jira access but no Confluence access.
    1. This user went to Confluence and a popup said they did not have access, an email was fired off to the Org Admins that they need access to Confluence. This was a little confusing to the user as they didn't know they were requesting access, they were just staring at an error that said they didn't have access. I approved the request and talked to them on MS Teams.
  2. A user that had no Jira or Confluence access. 
    1. This user did not have access to any Atlassian products, but SSO has already provisioned their Atlassian account (everyone with one of the 3 groups gets auto provisioned). When they went to Confluence they were asked to sign in, they used their MS Account (Azure SSO), once logged in they were prompted that they do not have access, and they can request it, with a text box where they could write a message and at the bottom a button that said request access. This was the same for Jira as well, both fired off an email to the Org Admins to approve access and this was user friendly.

In the end, updating the approved domain to require admin approval is what corrected this issue.

Thanks again!

2 votes
Hans Polder _Devoteam_
Community Champion
July 23, 2024

Hi @Jason Krewson ,

How did the further testing go? :)

Basically, your assumption will be right in most situations; however, there are a few settings/setups that can cause different behavior.

Generally, if you have set up SSO using Atlassian Access (Guard) and have only one Approved Domain and none or only one authentication policy, and have verified your domain, it should work the way you suggested:

  1. Users attempt to open your site
  2. As your site is configured to use SSO, it will redirect to the identity provider to log in
  3. Then, if login is successful, a so-called 'managed account' is created that can only be managed by organization admins (including deleting, deactivating it).

Depending on your answer, we can dive a bit deeper in your setup, but then we'll need more information from the 'Domains', 'User access settings', 'Products' and other pages in Atlassian Admin. If you cannot share this, you might be better off contacting Atlassian Support directly to get support from people that have the ability to access your environment and provide support specific to your setup :)

Jason Krewson
Rising Star
July 23, 2024

Thanks so much for responding!

We have SSO configured; it doesn't redirect, though. When we go to a product we just get asked to log in, and we click the Microsoft (MS) option as our login. After your first login, whenever you go to an Atlassian product you're just automatically in (basically you get that group + user access to the product).

As for progress, yesterday I did a lot more research on understanding approved domains, user provisioning, configuring SAML with SSO, Atlassian Guard, reviewed control how users get access to products and how to approve/deny requests again, and some others. I found two answers and I am not sure what is correct yet; the 2nd one is correct but might not be with me requiring admin approval now for the approved domain:

First, when require admin approval is checked it should still allow users to log in with MS, but once they do they will need to request product access. As our SSO provides access to one of three groups and provisions, and then that initial sign in to one of the products provides that product access automatically today to a group that has user access, I am going to be testing this with someone today; this is the part that I cannot find documentation on. What does the user see when we have SSO enabled, they have no Atlassian account or product access, but log into the SSO provider while browsing an Atlassian product like Confluence with the require approval set? So I will know hopefully today. The issue with testing is I am super new to the company, I know pretty much no one so far, and of that slim set of people I know, they already have access, so I am pretty much cold pinging people on MS Teams asking if they have time to help, but most are busy with the CrowdStrike outage.

Second, I am reading in Atlassian documentation that with SSO "New users automatically have access to your products as soon as they're active, making onboarding new employees easier." - so I am hoping this doesn't override the admin approval requirement under the approved domain.

Some more details, we currently have 2 authentication policies, one is Azure, one is just local directory, both have basically the same users. I feel this is not how this should be configured, but that is something I will be looking into after this unless it becomes part of the problem, probably have Azure as main with everyone, other with just Org Admins as backup in case Azure goes down. Our SSO is enforced in the Azure policy. 

Currently has 2 domains, any domain that requires admin access for user role in any product. Our domain that did not require admin access for user role, but I changed this Friday so that it does, and this so far has stopped all emails coming in that say "X person joined Confluence" that we were getting daily. The any domain does allow requests for access to products for the user role, this will be another thing I will most likely set to no products.

I was a site admin prior to this job; in this job I am an Org Admin. Before, I could only see the directory in admin.atlassian.com, but now I can see all and I am just learning so much, it's amazing!
Hans Polder _Devoteam_
Community Champion
July 23, 2024

Hi @Jason Krewson ,

Happy to see you're so excited about this! Yes, the full 'Org Admin' experience is one filled with marvels, learning options and complexities.

I would definitely recommend going through these courses as soon as possible: https://university.atlassian.com/student/path/1370008-administer-atlassian-organizations. You will find that sometimes these courses will cover some topics in much more depth than some of the documentation does. 

In some time (6-12 months) you could attempt to do the ACP-520 Organization Admin certification, which will be a nice addition to your resume, and a nice learning experience as well!

I'm certified myself, but even then it's difficult to assist in an environment I don't have access to myself, just having to read your description. So, your best bet would be to go through the courses I mentioned, and if you get stuck, definitely reach out to Atlassian Support to get a more tailored response to your setup (as they can access it to help you out).

Best of luck on your endeavors! 

Jason Krewson
Rising Star
July 23, 2024

Awesome, thank you for all the advice and help!

I will update this when I verify it is now fixed or with whatever the solution is after. 

Hans Polder _Devoteam_
Community Champion
July 23, 2024

Looking forward to your updates!

Jason Krewson
Rising Star
July 23, 2024

I was able to test this 2 ways today. 

  1. A user that had Jira access but no Confluence access.
    1. This user went to Confluence and a popup said they did not have access, an email was fired off to the Org Admins that they need access to Confluence. This was a little confusing to the user as they didn't know they were requesting access, they were just staring at an error that said they didn't have access. I approved the request and talked to them on MS Teams.
  2. A user that had no Jira or Confluence access. 
    1. This user did not have access to any Atlassian products, but SSO has already provisioned their Atlassian account (everyone with one of the 3 groups gets auto provisioned). When they went to Confluence they were asked to sign in, they used their MS Account (Azure SSO), once logged in they were prompted that they do not have access, and they can request it, with a text box where they could write a message and at the bottom a button that said request access. This was the same for Jira as well, both fired off an email to the Org Admins to approve access and this was user friendly.

In the end, updating the approved domain to require admin approval is what corrected this issue.

Thanks again!
