Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

Recognition

  • Give kudos
  • My kudos

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Atlassian managed accounts and Azure AD

Hi,

I have added my domain name to the atlassian admin organization section. I plan to integrate with Azure AD so my users will authenticate with their Azure AD credentials for all things Atlassian based. 

When I verified by domain name a large number of users were pulled in as managed accounts (to my surprise). These users access my customers JIRA or have at some stage signed up for an Atlassian account I assume. 

My question is what will be the experience for these users if I fully integrate with my Azure AD. 

  1. Will the managed accounts still login with their existing passwords?
  2. Will they be forced to change from using their existing Atlassian credentials to using their Azure AD credentials?
  3. These managed accounts appear to incur a cost which puzzles me as they are accessing my customers Jira.

 

Thanks

S

1 answer

1 accepted

0 votes
Answer accepted
Daniel Eads Atlassian Team Apr 01, 2019

Hey Simon,

Welcome to the Community! I'm going to assume that by "fully integrate with Azure AD", you mean also enabling SAML SSO as described in the Azure AD guide for Atlassian Cloud. Let's take a look at your questions:

  1. Will the managed accounts still login with their existing passwords?
    The accounts will use their existing Azure AD passwords once you've fully integrated Atlassian Cloud to use SAML from Azure AD. Users will no longer use their Atlassian passwords to sign in to your Atlassian services.
  2. Will they be forced to change from using their existing Atlassian credentials to using their Azure AD credentials?
    If you enable SAML SSO with Azure AD, your users will see an Azure AD sign-in screen on Atlassian Cloud products if they aren't already signed in to Azure AD. If they do already have an active Azure AD session (by being logged in to Office365 for example), they will not be prompted with any login screen at all.

  3. These managed accounts appear to incur a cost which puzzles me as they are accessing my customers Jira.
    Account managed via Atlassian Access (our identity management solution) are by subscription. You're required to have domain verification to manage any accounts, so presumably this should only pick up accounts you control already (example: email@yourdomain.com). If customers from another company have accounts on your Jira, you shouldn't be able to subscribe those accounts to Atlassian Access unless you also control the domain they are coming from (othercompany.com). If you could explain a little more about what accounts you're not expecting to manage and if they are part of your domain or not, that would help clear up the situation.

It's also possible to not add SAML SSO to an Access policy, which would have users continue on with their existing Atlassian passwords separate from your Azure AD setup. You would apply any password policy you wanted to through Atlassian Access then (per our instructions here) and Access would also manage any MFA policies for those Atlassian accounts. The downside of this is that you wouldn't have Single-Sign-On with the other applications you already have set up with Azure AD, and your users would have to manage two different sets of credentials. With SAML SSO enabled, Atlassian Access would hand off password management and MFA to Azure as described here.

Hope that clears things up,
Daniel | Atlassian Support

  1. Perfect thanks
  2. Again thanks
  3. Ok need a little more clarity here. You are correct the managed accounts that it pulls in are from my domain. These are accounts that have signed up to access Jira services in my customers jira instance. My customer is paying for the JIRA licenses however it appears I also have to pay for these users as I verified my domain in Atlassian access. I believe they are $3 per managed account per month. This seems unusual as if my customer invites all my users and has sufficient licenses I also have to pay $3 per user. I might be missing something here! thanks.
Daniel Eads Atlassian Team Apr 04, 2019

For point number three - I see what you're saying. Your concern is that your customer has paid for the users in your domain to access the customer's Jira instance already, so you're not sure why there is now a charge to you in Atlassian Access. I definitely understand the confusion!

The Atlassian Access services (password policy enforcement, MFA, SSO, etc) are provided to the individual Atlassian accounts which may connect to one or more Jira/Confluence instances. Each instance those accounts use needs its own user seat (for example, your customer paying for people in your company to use your customer's Jira). If you added a new Jira instance at your company, the users that are in your customer's Jira would still need new seats in your own Jira. However, since Atlassian Access is on the individual user account level, those users would be under the same Atlassian Access subscription no matter how many Jira/Confluence instances they were connected to.

I hope that makes a little more sense! Definitely understand where you're coming from. The Atlassian Access subscription is only something that you would pay for those users, as the authentication (especially SSO) is designed to let you enforce your company's security policies across any Atlassian products the users at your company are connecting to. Nobody else will pay for Atlassian Access for those users. But they will need seats to add those users to Jira/Confluence/etc.

Cheers,
Daniel

Can user able to change password from Jira or confluence after azure AD integration?

 

Thanks,

Sachin

Daniel Eads Atlassian Team Oct 07, 2019

@Senthil Kumar in a SAML-enabled setup, password management is handled by the identity provider (such as Azure AD). Jira and Confluence will redirect users to the login screen for your identity provider. Passwords won't be handled in Jira and Confluence. To change a password with Azure AD configured for SSO, users would need to follow Microsoft's regular steps for password changes in Azure AD.

Cheers,
Daniel

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Atlassian Access

We're launching improved navigation for admins

Hi Atlassian Community, My name is Avni Barman and I am a Product Manager on the Atlassian Access team! One of my top priorities is to help make the administrator's life easier through improved pro...

681 views 0 9
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you