
Atlassian Access - Sync from AD specific group AND auto disable

Martynas Ramanauskas September 22, 2019

Good day,

We are using Atlassian cloud.

We are using Atlassian Access. We want to sync users from AAD (Azure AD), but only those who belong to a specific group. We also want that if a user is disabled in AAD, they would also be disabled in Atlassian.

We have successfully configured sync from a specific AAD group, but how do we make the disabling automatic?

1 answer

1 accepted

2 votes
Answer accepted
Jimmy Seddon
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 23, 2019

Hi @Martynas Ramanauskas,

We are also using Atlassian Access with Azure AD. I'm pretty sure this is 100% handled on the AD side of things and it just works when user provisioning has been set up correctly. Our IT team manages our Azure Active Directory and they set it up with a specific set of groups to share with Atlassian Access. We recently had a user leave the company and there was nothing I was required to do, as their account was disabled as soon as our IT team disabled the account in AD.

If this isn't happening for you, what you may want to try doing is disabling the sync on the Azure AD side of things and restarting it again, per the troubleshooting steps outlined here:

https://confluence.atlassian.com/cloud/user-provisioning-959305316.html

I hope that helps!

-Jimmy

Jeroen De Cock July 29, 2022

Hello @Jimmy Seddon, for us it also works automatically like this.

Now, we want another way of working...

Is there also a possibility for a user to stay active, not synced/linked with Atlassian Access, as an unlinked/unsynced user (just removed from the group)?

This way we will make it possible for users to keep using Bitbucket or Trello for free but lose their JIRA license/access.

Jimmy Seddon
Community Leader
July 29, 2022

You got it @Jeroen De Cock!  Simply making sure they aren't a part of the group being sync'd to Atlassian Access should accomplish what you are looking for.

Jeroen De Cock July 29, 2022

@Jimmy Seddon, the strange thing is that when I remove a user from the AD group, the user is disabled in Atlassian Cloud and the link with Azure cloud is kept. I would expect that the user stays enabled in Atlassian Cloud but loses the link with the AD group, Azure cloud and Atlassian Access instead.

Jimmy Seddon
Community Leader
August 1, 2022

Sorry @Jeroen De Cock, I should have clarified. Based on what I think you are trying to do, you need to set up a "non-billable" security policy for Atlassian Access. This is a group that will contain active users who don't get the benefits of Access (like having SSO enabled) but are still active users. The bottom of this page describes the details of setting that up: https://support.atlassian.com/security-and-access-policies/docs/understand-authentication-policies/

Jeroen De Cock August 1, 2022

Hey @Jimmy Seddon, the problem is that a user who is synced with AD/Azure cloud cannot be added to a "non-billable" security policy.

Jimmy Seddon
Community Leader
August 1, 2022

Correct! You need to remove them from the sync group, and they need to be added as an unsync'd managed account that exists in the non-billable policy.

Jeroen De Cock August 1, 2022

But when I remove the user from the sync group, the user is disabled instead of becoming an unsync'd managed account.
