Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Access & Azure - Disable existing users

Hi,

We have enabled Access and implemented SSO with Azure. The "Scope" in Azure is set to  "Sync only assigned users". Users are sync'ed correctly. I have a couple of questions:

 

1. The scope in Azure contains project groups that use Atlassian. Not all projects in the company have Atlassian products. How can we make it so a user gets deactivated in Atlassian when a it is removed from the groups in the scope? Basically he no longer is in the scope of the sync so provisioning will not try to process that user and change his status.

2. I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?

3. There are a lot of accounts since before the Access/Azure integration. The accounts are not in the scope of the provisioning. How can I de-activate them. Basically this question ties the first two. I want to deactivate all users not in the groups in the scope. I want them to get re-activated if they are added in the scope at some point.

 

Thanks!

1 answer

1 accepted

0 votes
Answer accepted
Dave Meyer Atlassian Team Dec 16, 2019

Hi @Ioan Damian

If a user is removed from all groups that are assigned to the Atlassian application in Azure AD, that should trigger Azure AD to deactivate the user's Atlassian account on the Atlassian side automatically.

I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?

No, this isn't by design. The user should be getting reactivated every time Azure AD syncs assuming the user is active and in scope for Atlassian on the Azure AD side. If this isn't what you're seeing, I recommend contacting our support team.

To deactivate a large number of users in bulk from the Atlassian side, you can use the user management API: https://developer.atlassian.com/cloud/admin/user-management/rest/#api-users-account-id-manage-lifecycle-disable-post (note the link at the top of the page that you can use this endpoint to get user's account IDs).

Cheers,

Dave

Hi,

 

Thank you for your answer.

You're correct. I've tested the following situations:

- add new group with users in the scope in Azure. Result: The users are provisioned

- remove existing group from the scope in Azure. Result: The users are deactivated

- add user to existing group in the scope in Azure. Result: The user is provisioned

- remove user from existing group. Result: The user is deactivated

- add the same user again to the group. Result: the user is activated

 

The only remaining issue is the one in which if I deactivate the user by hand in Atlassian it will not get reactivated at the sync.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Atlassian Access

We're launching improved navigation for admins

Hi Atlassian Community, My name is Avni Barman and I am a Product Manager on the Atlassian Access team! One of my top priorities is to help make the administrator's life easier through improved pro...

638 views 0 9
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you