Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Atlassian Guard - two 'default' policies - how to make one not default

Julia Foden
Julia Foden
Contributor
November 17, 2025

Hi

We recently started using Atlassian Guard and have set up SSO with our identity provider. There was an original default authentication policy containing all users (active and inactive). I created the new SSO policy and added all the active users to it (except one break-glass admin account) and made it default. But now there are two authentication policies both marked as default:

  • the original 'Applies to all users' containing inactive users and the break-glass account
  • the SSO-enforced policy containing all active users

I was expecting that when I invite a new user they would fall into the 'default' SSO-enforced policy but that didn't happen. I needed to manually move them from the original 'default' policy to the SSO-enforced 'default' policy which means an extra step every time a new user is invited - this can't be right! 

How can I solve this? The documentation doesn't cover this scenario https://support.atlassian.com/security-and-access-policies/docs/what-is-a-default-authentication-policy/

I tried deactivating the account of an inactive user but this had no effect in the authentication policies.

I am thinking that the only solution would be to create a new 'non-SSO' policy for the break-glass account and then move all the inactive users into the SSO-enforced policy. Would this work? When there are no members in the original 'Applies to all users' policy, will I be able to make it non-default? 

If this method should work, is there any way of doing it other than manually one user at a time? I have searched and do not see any API for changing users' authentication policies.

Thanks,

Julia

 

Answer
Watch
Like # people like this
386 views

2 answers

0 votes
Rantly Liriano
Rantly Liriano
February 18, 2026

is there is any solution for this?  This exactly what is happening to us.

 

View More Comments
Julia Foden
Julia Foden
Contributor
February 19, 2026

Hi @Rantly Liriano 

I did get it solved eventually. I opened a ticket with Atlassian and there was some contradictory advice given and we had to have a call in the end but it is sorted now.

So - my requirement is that we want all of our internal users to be 'managed accounts' with SSO enforced, except for one break-glass admin account. We want to invite new users manually ie not just-in-time provisioning and not using Guard for user provisioning.

What we have setup now is

  • our domain is verified and the Claim Setting is set to Automatic
  • the Identity Provider is linked to our domain

I think these are the only changes I made. This works for us now.

We do still have two authentication policies marked as Default. One is for users in our identity provider directory and the other is for 'all users'.

I hope this works for you. If not go to Atlassian Support; if you select Guard they seem to go to a good helpful human rather than the awful bots we get on some request types!

 

Like
Reply
0 votes
Tudor Tofan
Tudor Tofan
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
Get recognized
November 17, 2025

Hi @Julia Foden 

I have checked on 2 of my customers' Jira instances, and indeed, there are 2 policies marked as default in both of them.

Now, I haven't been able to find specific documentation, but my suspicion is the following: In my situation the policy on the left is the one which is default for all local accounts. So if you manually invite an account, they would go into this policy.
Then, on the right, I have whatever default policy I have for my managed users. So basically, if I invite a managed user (maybe via user provisioning), it goes into the one on the left.

I don't think it's a bug, but it's more of a lack of documentation.

By the way, do you have managed users and user provisioning?

View More Comments
Julia Foden
Julia Foden
Contributor
November 17, 2025

Hi @Tudor Tofan 

Interesting that I am not alone in having 2 policies marked as default!

All of the accounts in our domain are classified as Managed Accounts including the inactive/deactivated accounts. We do not have user provisioning set up. I manually invite new users or reactivate existing accounts. When I invite a new internal user from our domain they become a managed account but they fall into the original policy (non-SSO). 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Atlassian Guard
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2026 Atlassian
    Privacy Policy Notice at Collection Terms Security