Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,359,879
Community Members
 
Community Events
168
Community Groups

Atlassian Access - Sync from AD specific group AND auto disable

Good day,

We are using Atlassian cloud.

We are using Atlassian Access. We want to sync users from AAD (Azure AD) but only which belongs to specif group. But we also want that if user is disabled in AAD - it would also be disabled in Atlassian.

We have successfully configured sync from specific AAD group. but how to make automatic disable?

1 answer

1 accepted

2 votes
Answer accepted
Jimmy Seddon Community Leader Sep 23, 2019

Hi @Martynas Ramanauskas,

We are also using Atlassian Access with Azure AD.  I'm pretty sure this is 100% handled on the AD side of things and it just works when user provisioning has been setup correctly.  Our IT team manages our Azure Active directory and they set it up with a specific set of groups to share with Atlassian Access.  We recently had a user leave the company and there was nothing I was required to do as their account was disabled as soon as our IT team disabled the account in AD.

If this isn't happening for you, what you may want to try doing is disabling the sync on the Azure AD side of things and restarting it again, per the troubleshooting steps outlined here:

https://confluence.atlassian.com/cloud/user-provisioning-959305316.html

I hope that helps!

-Jimmy

Hello @Jimmy Seddon, for us it also works automatically like this.

Now, we want another way of working...

Is there also a possibility to make that a user stays active but not synced/linked with Atlassian Access but stays active as an unlinked/unsynced user? (just removed from the group)

This way we will make it possible that users can stay using Bitbucket or Trello for free but loose access to JIRA-license/access.

Like Jimmy Seddon likes this
Jimmy Seddon Community Leader Jul 29, 2022

You got it @Jeroen De Cock!  Simply making sure they aren't a part of the group being sync'd to Atlassian Access should accomplish what you are looking for.

@Jimmy Seddon , strange thing is that when I remove a user from the AD-group the user is disabled in Atlassian Cloud and link with Azure cloud is kept. I would expect that the user stays enabled in Atlassian Cloud but looses link with the AD-group and Azure cloud and Atlassian Access instead.

Jimmy Seddon Community Leader Aug 01, 2022

Sorry @Jeroen De Cock I should have clarified.  Based on what I think you are trying to do, you need to setup a "non-billable" security policy for Atlassian Access.  This is a group that will contain active users who don't get the benefits of Access (like having SSO enabled) but are still active users.  The bottom of this page describes the details of setting that up: https://support.atlassian.com/security-and-access-policies/docs/understand-authentication-policies/

Hey @Jimmy Seddon, problem is that a user which is synced with AD/Azure cloud can not be added to a "non-billable" security policy.

Like Jimmy Seddon likes this
Jimmy Seddon Community Leader Aug 01, 2022

Correct!  You need to remove them from the sync group, and they need to be added as an unsync'd managed account that exists in the non-billable policy.

But when I remove the user from the sync group, the user is disabled instead of becoming an unsync'd managed account.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Atlassian Access

Atlassian Access Demo Q&A Recap

Hi Community! Thank you to all who joined our ongoing monthly Atlassian Access demo! We have an engaging group of attendees who asked many great questions. I’ll share a recap of frequently ask...

1,499 views 5 5
Read article

Atlassian Community Events