I'm looking for some advice from the community on best practices for group management through Azure AD.
Below are three scenarios. In each, I did my best to draw what I think might be a viable design for group management. I'll explain them each below.
I assume this is how most people are doing group management.
That is, IF it's possible to manage non-synced groups through the Atlassian admin site. This part of the Understanding User Provisioning article makes me think it's not possible: Understand user provisioning | Atlassian Support. But I think that's ludicrous.
Is it good practice to have roles be independent of the different Jira sites? For instance, we would need Project Managers in every Jira site. Keeping them in one group would be clean.
Each group has a green arrow that provides app access and a blue arrow that provides permissions.
This would allow the most granular control but could be the messiest for Help Desk admins and require the most upkeep on the Azure and Jira sides.
Scenario 1
Scenarios 2 and 3
How should I weigh these different considerations against each other? What do other people do?
Are people using attributes scoping for group management?
Is Scenario 1 possible?!?!?!
@Hunter Lardy sharing some of my thoughts here, hope this is helpful:
Is Scenario 1 possible? Unfortunately, no. Once you enable SCIM provisioning, you can only manage groups that are synced from your identity provider. You lose the ability to manage groups directly in the Atlassian admin interface for provisioned users.
Recommended Approach:
After reviewing your scenarios, I'd recommend Scenario 3 for maximum flexibility and control, but pair it with a tool like Multiplier to eliminate the administrative overhead of adding/removing users from the individual groups in AAD.
Scenario 3 gives you:
Multiplier solves the overhead problem:
Your Help Desk team never touches Azure AD directly - users request access through JSM, get approvals, and Multiplier handles all the group assignments automatically.
Bump!
Starting conversations with our Azure admins soon. I'll update this post with the solution we implement. Maybe it will help out future generations.
Appreciate any insight y'all community members can provide.