Thank you @Ed Letifov _TechTime - New Zealand_ 

that is by far the clearest explanation I’ve read. Atlassisn docs are a maze.

I undetstand the SSO comment and we have Azure AD connected to our company LDAP. I haven’t found in the Atlassian docs how to limit which users we sync with in Azure.

Is this filter settable on our connection only or set for Azure as a whole? We are thinking to use OU properties. Although this may complicate our user on boarding slightly.

due to budget constraints, anyone who is not our Jira users will be treated as not my users. 

Tom

@Tom Lister 

1) "Anyone who is not our Jira users will be treated as not my users" – I am yet to meet a Security Team that would accept this. They have to assess the risk of user that was declared "not your user" today causing a problem tomorrow. Do run this by your security team!

Also considering that new users from your organisation are only added automatically to the default authentication policy in Access – you are facing an admin nightmare to maintain users. You will either have to manually load your new users via CSV import into the SSO policy (when it's not the default one – these are the very users that your IdP just pushed to Access via SCIM) or all others into the non-billable one (when the SSO one is the default one). 

Do note, if you don't push all 13k to Cloud, you don't necessarily have to pay for 13k users... Only if they somehow are already in the Cloud...

2) Re: Setting up Azure AD side – in Azure AD you install an app to connect to Atlassian Access. With any app you have two options – either you make it available to every user in Azure AD or you map groups, thus making the app available to the members of these groups only. This translates into "all" vs. "only these users" being pushed to Access side.

Unfortunately push of the groups will happen only if you map groups. Having groups come in from Azure AD usually is very useful – the holy grail for security is to add a user to a group in Azure AD and then everything just flows from there.

Here is an answer I've written previously on how we (TechTime, a Platinum Solution Partner in New Zealand) recommend setting it up with Azure AD – see: Integrate Azure AD with Atlassian Cloud 

Our clients usually want to have tight control over who from the organisations is allowed into Atlassian systems, so usually use groups with explicit membership both for SSO and User Provisioning. You may tweak this to your original problem statement to avoid managing 13k users by having all users allowed (i.e. no group mapping) on SSO side, and only specific groups of "your users" on the User Provisioning side. 

This won't stop the billing for those of the 13k that are already in the Cloud, but at least you won't have to manage them in a list (or, considering the 1000 records limitation of CSV import – in 13 lists!)

Also this may be relevant in the context of the original question about Access billing: https://community.atlassian.com/t5/Confluence-questions/What-is-the-difference-between-site-access-and-product-access/qaq-p/1306257#M221166

Hi @Ed Letifov _TechTime - New Zealand_ 

Welcome to my world!

Did I mention a 3rd of our Jira users are external partners in domains we have no control over?

I have will spent some time on the various useful links supplied in these answers.

You didn't :) Our customers in this case get a Google Workspace, register a different domain there (since it has to be functional emails) and require all partners to use that to login.

Hi, i'd like to join the party :-).

I'm interested in the following case>

we are probably gonna have to choose between Service Now and Jira Service Management and the Atlassian Access is very much the blocker for having JSM.

I've read the discussion and one thing is missing or I did not find it there. How about my internal customers who would only be accessing the customer portal or sending an email to JSM? Will those be billable for Atlassian Access? So I just need user privisioning from Azure AD and no product license needed.

thanks

Z.

@Zaid Al-Tamimi ,

Users without product access (so customers) will not be billed in your Atlassian Access. 

As soon as they do have product access on any Atlassian product they will begin counting. But the Customer is a specific exception for Atlassian Access so you don't get billed for hundreds/thousands of accounts who might not log in or only once in a blue moon.

sounds good, thanks!

Our own @Jimmy Seddon made a good video on how user provisioning works (https://www.youtube.com/watch?v=qf_SHEgEpHM).

afaik, you set up a connection to your LDAP but you still choose which groups/ou's get synced over.  Those users will then be billed for (only once even if they use multiple products)

Brother @Jimmy Seddon would know. You just filled in the blank for the LDAP bit for me, @Dirk Ronsmans as I have mostly been in "AD is evil" shops who had gone the Okta Way.

First thing, I would recommend is doing the 30-day free trial as that will not charge you but you will be able to see what the estimate is going to be.

Second, Know that setting up SSO (single sign-on) and user provisioning (user and groups updates made in your identity provider) are two different things and are supported differently.

User provisioning (syncing all users and groups from AD) doesn't support on premise AD.  https://support.atlassian.com/provisioning-users/docs/understand-user-provisioning/

You would need to use Azure Connect to sync AD to Azure AD and you can connect Azure AD to Atlassian Access.

Or you can use one of the other supported methods.  You are charged for only the users/groups that you identify in the connector between your identity provider and Atlassian Access.  So if you decided to only sync the R&D Teams, you won't be charged for Finance.

When it comes to SSO, you "CAN" use AD/LDAP and there is a "non-billable" policy you can define to add users to where you won't be charged for them, however they also can't have any security policies applied to them and they won't have SSO authentication.

I hope that helps a bit.

-Jimmy

Thanks @Jimmy Seddon 

Excellent answers as always.

Are you saying the limit on which users are synced is part of the Azure side set up? And is that for all of Azure or can it be defined just on our connection?

Our Azure AD is set up for company wide SSO. I need to limit it to our 1400 user Jira liicense.

Against advice, we have only got approval for a 1400 user Access license to match pur Jira&Confluence licenses.

@Tom Lister as per my other answer – on Azure side you install an Enterprise Application "Atlassian Cloud" from the Azure AD Gallery, see here tutorial by Atlassian on the Microsoft side: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial

So, effectively, you are not integrating Azure AD with Access instance - you are integrating Azure AD with this application. You can have multiple instances of this application in your Azure, each hooked up to different Access instances.

Azure AD itself can serve 13k users, but when a user tries to go to Atlassian Cloud, based on their email domain they will be identified as a user managed by an Access  instance, and if they are in an authentication policy that forces SAML SSO via Azure – a SAML SSO request will be sent from Access to Azure. It will have an entityID that identifies which application Azure AD should to "look at" – so the settings (mapped groups) on this application will define who is allowed to perform SSO into this Access instance.

When the instance of this application on Azure side wants to push users (every 40 minutes) based on mapped groups it pushes them to the Access instance it is connected to.

The catch here is that domain verification for Atlassian is Cloud-wide. There can only be one Access instance "owning" the domain. In the context of my statement above about multiple instances of the Azure application being hooked up to different Access instances – this only works "...for different email domains".

I would strongly suggest to start Access trial ASAP, and try claiming your domain. With the situation you are describing there is a very high chance someone already claimed it – which means you may have a much bigger problem on your hands.

Hi @Ed Letifov _TechTime - New Zealand_ 

Thank you - we have claimed our domain and our site. 

Due to mostly internal approval issues we are still waiting for licences. I will be putting in the Access trial in the meantime.

@Tom Lister I'd jump back in here but @Ed Letifov _TechTime - New Zealand_ has done such an amazing job of answering this one already!