We have enabled Access and implemented SSO with Azure. The "Scope" in Azure is set to "Sync only assigned users". Users are sync'ed correctly. I have a couple of questions:
1. The scope in Azure contains project groups that use Atlassian. Not all projects in the company have Atlassian products. How can we make it so a user gets deactivated in Atlassian when a it is removed from the groups in the scope? Basically he no longer is in the scope of the sync so provisioning will not try to process that user and change his status.
2. I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?
3. There are a lot of accounts since before the Access/Azure integration. The accounts are not in the scope of the provisioning. How can I de-activate them. Basically this question ties the first two. I want to deactivate all users not in the groups in the scope. I want them to get re-activated if they are added in the scope at some point.
Hi @Ioan Damian
If a user is removed from all groups that are assigned to the Atlassian application in Azure AD, that should trigger Azure AD to deactivate the user's Atlassian account on the Atlassian side automatically.
I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?
No, this isn't by design. The user should be getting reactivated every time Azure AD syncs assuming the user is active and in scope for Atlassian on the Azure AD side. If this isn't what you're seeing, I recommend contacting our support team.
To deactivate a large number of users in bulk from the Atlassian side, you can use the user management API: https://developer.atlassian.com/cloud/admin/user-management/rest/#api-users-account-id-manage-lifecycle-disable-post (note the link at the top of the page that you can use this endpoint to get user's account IDs).
Thank you for your answer.
You're correct. I've tested the following situations:
- add new group with users in the scope in Azure. Result: The users are provisioned
- remove existing group from the scope in Azure. Result: The users are deactivated
- add user to existing group in the scope in Azure. Result: The user is provisioned
- remove user from existing group. Result: The user is deactivated
- add the same user again to the group. Result: the user is activated
The only remaining issue is the one in which if I deactivate the user by hand in Atlassian it will not get reactivated at the sync.
Did you know Atlassian Access offers more than SAML single sign-on for Atlassian cloud products, like Jira and Confluence? Whether you're just starting to plan for your organization or in the pr...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events