Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Access & Azure - Disable existing users

Ioan Damian
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
December 12, 2019

Hi,

We have enabled Access and implemented SSO with Azure. The "Scope" in Azure is set to  "Sync only assigned users". Users are sync'ed correctly. I have a couple of questions:

 

1. The scope in Azure contains project groups that use Atlassian. Not all projects in the company have Atlassian products. How can we make it so a user gets deactivated in Atlassian when a it is removed from the groups in the scope? Basically he no longer is in the scope of the sync so provisioning will not try to process that user and change his status.

2. I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?

3. There are a lot of accounts since before the Access/Azure integration. The accounts are not in the scope of the provisioning. How can I de-activate them. Basically this question ties the first two. I want to deactivate all users not in the groups in the scope. I want them to get re-activated if they are added in the scope at some point.

 

Thanks!

1 answer

1 accepted

1 vote
Answer accepted
Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 16, 2019

Hi @Ioan Damian

If a user is removed from all groups that are assigned to the Atlassian application in Azure AD, that should trigger Azure AD to deactivate the user's Atlassian account on the Atlassian side automatically.

I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?

No, this isn't by design. The user should be getting reactivated every time Azure AD syncs assuming the user is active and in scope for Atlassian on the Azure AD side. If this isn't what you're seeing, I recommend contacting our support team.

To deactivate a large number of users in bulk from the Atlassian side, you can use the user management API: https://developer.atlassian.com/cloud/admin/user-management/rest/#api-users-account-id-manage-lifecycle-disable-post (note the link at the top of the page that you can use this endpoint to get user's account IDs).

Cheers,

Dave

Ioan Damian
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
December 19, 2019

Hi,

 

Thank you for your answer.

You're correct. I've tested the following situations:

- add new group with users in the scope in Azure. Result: The users are provisioned

- remove existing group from the scope in Azure. Result: The users are deactivated

- add user to existing group in the scope in Azure. Result: The user is provisioned

- remove user from existing group. Result: The user is deactivated

- add the same user again to the group. Result: the user is activated

 

The only remaining issue is the one in which if I deactivate the user by hand in Atlassian it will not get reactivated at the sync.

Wech, Jenine October 14, 2022

I am looking for the same answer - if a user is deactivated manually in the Atlassian Administration, how do I allow it to be reactivated by the synch?

Diogo Teles
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
April 11, 2024

"The only remaining issue is the one in which if I deactivate the user by hand in Atlassian it will not get reactivated at the sync."

 

More than an year went by, I'm also seeing this issue

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events