Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Access & Azure - Disable existing users


We have enabled Access and implemented SSO with Azure. The "Scope" in Azure is set to  "Sync only assigned users". Users are sync'ed correctly. I have a couple of questions:


1. The scope in Azure contains project groups that use Atlassian. Not all projects in the company have Atlassian products. How can we make it so a user gets deactivated in Atlassian when a it is removed from the groups in the scope? Basically he no longer is in the scope of the sync so provisioning will not try to process that user and change his status.

2. I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?

3. There are a lot of accounts since before the Access/Azure integration. The accounts are not in the scope of the provisioning. How can I de-activate them. Basically this question ties the first two. I want to deactivate all users not in the groups in the scope. I want them to get re-activated if they are added in the scope at some point.



1 answer

1 accepted

0 votes
Answer accepted
Dave Meyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Dec 16, 2019

Hi @Ioan Damian

If a user is removed from all groups that are assigned to the Atlassian application in Azure AD, that should trigger Azure AD to deactivate the user's Atlassian account on the Atlassian side automatically.

I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?

No, this isn't by design. The user should be getting reactivated every time Azure AD syncs assuming the user is active and in scope for Atlassian on the Azure AD side. If this isn't what you're seeing, I recommend contacting our support team.

To deactivate a large number of users in bulk from the Atlassian side, you can use the user management API: (note the link at the top of the page that you can use this endpoint to get user's account IDs).





Thank you for your answer.

You're correct. I've tested the following situations:

- add new group with users in the scope in Azure. Result: The users are provisioned

- remove existing group from the scope in Azure. Result: The users are deactivated

- add user to existing group in the scope in Azure. Result: The user is provisioned

- remove user from existing group. Result: The user is deactivated

- add the same user again to the group. Result: the user is activated


The only remaining issue is the one in which if I deactivate the user by hand in Atlassian it will not get reactivated at the sync.

I am looking for the same answer - if a user is deactivated manually in the Atlassian Administration, how do I allow it to be reactivated by the synch?

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events