Hi,
my name is Antti and I'm working as an Atlassian Consultant at Ambientia Group Oy, a Finnish Atlassian Platinum Partner company. I have several years of experience with Atlassian Cloud products, mostly Jira, Confluence, Jira Service Management and Guard. We've done dozens of Atlassian Cloud implementations along with configuring Atlassian Guard with the customers, mostly to Entra ID.
I've noticed there's an important aspect missing from the documentation provided by both Microsoft and Atlassian. What if a user changes their name, and hence their email address?
The key is "Matching precedence". By default, UPN or email has the value 1, meaning that attribute is the one deciding whether the user already exists in Atlassian Cloud. But when a user changes their name, their email address and UPN usually change too. This affects provisioning by creating a duplicate user in Atlassian Cloud, because the new user email address doesn't exist there yet. There will also be "Resource [USER]: with email[firstname.lastname@customer.com] already exists." errors in the provisioning log.
To fix this, you should set "Matching precedence" to 1 on "objectid" <-> "externalid", which is the unique, unchanging identifier for the user account in question. You will then probably also need Atlassian Support's help with purging the duplicate account from their SCIM database. After this, you should be all fixed!
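A way to check an exported attribute mapping for the problem described above, as an added example that is not part of the original post and is not Microsoft's or Atlassian's code. It assumes the export follows the Microsoft Graph synchronization schema shape (`attributeMappings`, `matchingPriority`, `source.name`, `targetAttributeName`, with 0 meaning "not used for matching"); both sample mappings are constructed.

```python
# Added example: flag a provisioning mapping whose first matching attribute
# changes when a user is renamed. Field names are assumed to follow a
# Microsoft Graph synchronization schema export; sample data is constructed.

MUTABLE_SOURCES = {"userprincipalname", "mail"}  # change on a rename

# Constructed sample: matching on UPN -> userName, objectId not used for matching.
DEFAULT_STYLE = {"attributeMappings": [
    {"source": {"name": "userPrincipalName"}, "targetAttributeName": "userName",
     "matchingPriority": 1},
    {"source": {"name": "objectId"}, "targetAttributeName": "externalId",
     "matchingPriority": 0},
]}

# Constructed sample: the mapping after the fix described in the post.
FIXED = {"attributeMappings": [
    {"source": {"name": "objectId"}, "targetAttributeName": "externalId",
     "matchingPriority": 1},
    {"source": {"name": "userPrincipalName"}, "targetAttributeName": "userName",
     "matchingPriority": 2},
]}


def matching_attributes(schema):
    """Return the mappings used for matching, ordered by precedence (1 first)."""
    used = [m for m in schema["attributeMappings"]
            if m.get("matchingPriority", 0) > 0]
    return sorted(used, key=lambda m: m["matchingPriority"])


def audit(schema):
    """Return a list of findings; an empty list means the mapping looks safe."""
    matches = matching_attributes(schema)
    if not matches:
        return ["no matching attribute configured"]
    first = matches[0]
    source = first["source"]["name"]
    target = first["targetAttributeName"]
    findings = []
    if source.lower() in MUTABLE_SOURCES:
        findings.append(f"precedence 1 uses mutable attribute '{source}'; "
                        "a renamed user will not match the existing account")
    if source.lower() != "objectid" or target.lower() != "externalid":
        findings.append(f"precedence 1 is {source} -> {target}, "
                        "expected objectId -> externalId")
    return findings


if __name__ == "__main__":
    for name, schema in (("default-style", DEFAULT_STYLE), ("fixed", FIXED)):
        print(name, audit(schema) or "OK")
```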