
Atlassian managed accounts and Azure AD

Simon April 1, 2019

Hi,

I have added my domain name to the Atlassian admin organization section. I plan to integrate with Azure AD so my users will authenticate with their Azure AD credentials for all things Atlassian based.

When I verified my domain name a large number of users were pulled in as managed accounts (to my surprise). These users access my customer's JIRA or have at some stage signed up for an Atlassian account I assume.

My question is what will be the experience for these users if I fully integrate with my Azure AD. 

  1. Will the managed accounts still login with their existing passwords?
  2. Will they be forced to change from using their existing Atlassian credentials to using their Azure AD credentials?
  3. These managed accounts appear to incur a cost which puzzles me as they are accessing my customer's Jira.

 

Thanks

S

1 answer

1 accepted

1 vote
Answer accepted
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 1, 2019

Hey Simon,

Welcome to the Community! I'm going to assume that by "fully integrate with Azure AD", you mean also enabling SAML SSO as described in the Azure AD guide for Atlassian Cloud. Let's take a look at your questions:

  1. Will the managed accounts still login with their existing passwords?
    The accounts will use their existing Azure AD passwords once you've fully integrated Atlassian Cloud to use SAML from Azure AD. Users will no longer use their Atlassian passwords to sign in to your Atlassian services.
  2. Will they be forced to change from using their existing Atlassian credentials to using their Azure AD credentials?
    If you enable SAML SSO with Azure AD, your users will see an Azure AD sign-in screen on Atlassian Cloud products if they aren't already signed in to Azure AD. If they do already have an active Azure AD session (by being logged in to Office365 for example), they will not be prompted with any login screen at all.

  3. These managed accounts appear to incur a cost which puzzles me as they are accessing my customer's Jira.
    Accounts managed via Atlassian Access (our identity management solution) are by subscription. You're required to have domain verification to manage any accounts, so presumably this should only pick up accounts you control already (example: email@yourdomain.com). If customers from another company have accounts on your Jira, you shouldn't be able to subscribe those accounts to Atlassian Access unless you also control the domain they are coming from (othercompany.com). If you could explain a little more about what accounts you're not expecting to manage and if they are part of your domain or not, that would help clear up the situation.

It's also possible to not add SAML SSO to an Access policy, which would have users continue on with their existing Atlassian passwords separate from your Azure AD setup. You would apply any password policy you wanted to through Atlassian Access then (per our instructions here) and Access would also manage any MFA policies for those Atlassian accounts. The downside of this is that you wouldn't have Single-Sign-On with the other applications you already have set up with Azure AD, and your users would have to manage two different sets of credentials. With SAML SSO enabled, Atlassian Access would hand off password management and MFA to Azure as described here.

Hope that clears things up,
Daniel | Atlassian Support

Simon April 1, 2019
  1. Perfect thanks
  2. Again thanks
  3. Ok need a little more clarity here. You are correct the managed accounts that it pulls in are from my domain. These are accounts that have signed up to access Jira services in my customer's Jira instance. My customer is paying for the JIRA licenses however it appears I also have to pay for these users as I verified my domain in Atlassian Access. I believe they are $3 per managed account per month. This seems unusual as if my customer invites all my users and has sufficient licenses I also have to pay $3 per user. I might be missing something here! thanks.
Daniel Eads
Atlassian Team
April 4, 2019

For point number three - I see what you're saying. Your concern is that your customer has paid for the users in your domain to access the customer's Jira instance already, so you're not sure why there is now a charge to you in Atlassian Access. I definitely understand the confusion!

The Atlassian Access services (password policy enforcement, MFA, SSO, etc) are provided to the individual Atlassian accounts which may connect to one or more Jira/Confluence instances. Each instance those accounts use needs its own user seat (for example, your customer paying for people in your company to use your customer's Jira). If you added a new Jira instance at your company, the users that are in your customer's Jira would still need new seats in your own Jira. However, since Atlassian Access is on the individual user account level, those users would be under the same Atlassian Access subscription no matter how many Jira/Confluence instances they were connected to.

I hope that makes a little more sense! Definitely understand where you're coming from. The Atlassian Access subscription is only something that you would pay for those users, as the authentication (especially SSO) is designed to let you enforce your company's security policies across any Atlassian products the users at your company are connecting to. Nobody else will pay for Atlassian Access for those users. But they will need seats to add those users to Jira/Confluence/etc.

Cheers,
Daniel

Kalin U likes this
Senthil Kumar October 5, 2019

Can a user change their password from Jira or Confluence after Azure AD integration?

 

Thanks,

Sachin

Daniel Eads
Atlassian Team
October 7, 2019

@Senthil Kumar in a SAML-enabled setup, password management is handled by the identity provider (such as Azure AD). Jira and Confluence will redirect users to the login screen for your identity provider. Passwords won't be handled in Jira and Confluence. To change a password with Azure AD configured for SSO, users would need to follow Microsoft's regular steps for password changes in Azure AD.

Cheers,
Daniel

Kalin U likes this
