Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,301,108
Community Members
 
Community Events
165
Community Groups

Access & Azure - Disable existing users

Hi,

We have enabled Access and implemented SSO with Azure. The "Scope" in Azure is set to  "Sync only assigned users". Users are sync'ed correctly. I have a couple of questions:

 

1. The scope in Azure contains project groups that use Atlassian. Not all projects in the company have Atlassian products. How can we make it so a user gets deactivated in Atlassian when a it is removed from the groups in the scope? Basically he no longer is in the scope of the sync so provisioning will not try to process that user and change his status.

2. I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?

3. There are a lot of accounts since before the Access/Azure integration. The accounts are not in the scope of the provisioning. How can I de-activate them. Basically this question ties the first two. I want to deactivate all users not in the groups in the scope. I want them to get re-activated if they are added in the scope at some point.

 

Thanks!

1 answer

1 accepted

0 votes
Answer accepted
Dave Meyer Atlassian Team Dec 16, 2019

Hi @Ioan Damian

If a user is removed from all groups that are assigned to the Atlassian application in Azure AD, that should trigger Azure AD to deactivate the user's Atlassian account on the Atlassian side automatically.

I have an active user in scope of the sync. If I deactivate that user in Atlassian Access (the user is still active in Azure) it will not get reactivated upon sync. Is this by design?

No, this isn't by design. The user should be getting reactivated every time Azure AD syncs assuming the user is active and in scope for Atlassian on the Azure AD side. If this isn't what you're seeing, I recommend contacting our support team.

To deactivate a large number of users in bulk from the Atlassian side, you can use the user management API: https://developer.atlassian.com/cloud/admin/user-management/rest/#api-users-account-id-manage-lifecycle-disable-post (note the link at the top of the page that you can use this endpoint to get user's account IDs).

Cheers,

Dave

Hi,

 

Thank you for your answer.

You're correct. I've tested the following situations:

- add new group with users in the scope in Azure. Result: The users are provisioned

- remove existing group from the scope in Azure. Result: The users are deactivated

- add user to existing group in the scope in Azure. Result: The user is provisioned

- remove user from existing group. Result: The user is deactivated

- add the same user again to the group. Result: the user is activated

 

The only remaining issue is the one in which if I deactivate the user by hand in Atlassian it will not get reactivated at the sync.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Atlassian Access

Atlassian Access Demo Q&A Recap

Hi Community! Thank you to all who joined our ongoing monthly Atlassian Access demo! We have an engaging group of attendees who asked many great questions. I’ll share a recap of frequently ask...

1,173 views 4 4
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you