
Azure SSO: We were unable to verify the email associated with your Microsoft account

Hello Community!

We are setting up a new Helpdesk and Knowledge Base for our business and we are sold on Jira Service Management and Confluence, so I set up Azure SSO (SAML) with Atlassian Access.

I am able to login as myself with my Azure account, so I created a new Azure user to test with and the account was pulled into Atlassian Access almost immediately. I opened a new private Chrome tab to test the experience when logging in as a customer.

I didn’t get any hits when searching for text that appears on the pages I land on, so I will add that information to this post even though the images describe the same text. I apologise if this makes this post lengthy.

After navigating to our Confluence Portal and the Service Management Help Center (which I believe is just a drilled down level within the Confluence Portal). The links are:

Confluence Portal: https://OurOrganization.atlassian.net/servicedesk/customer/portals

Jira Service Management Help Center: https://OurOrganisation.atlassian.net/servicedesk/customer/portal/2

Both of these links load the correct portal:


After entering the email address, I am correctly redirected with the title "Your group uses single sign-on" and a button with the title "Log in with single sign-on":



I then get the default Atlassian login page. After entering the email address, the page recognises the username (which I was surprised at honestly!); however, after entering the password I’m given the error message "Incorrect email address and / or password. Do you need help logging in?"




I can understand that technically this username doesn’t have an Atlassian account, though I would like this to happen when we pull that user in via Atlassian Access. I want them to exist so I can select their name when creating a ticket (which seems to be the case currently) but if I can have them login here at this page, that would be wonderful.

If that’s not possible, I can understand that we might be required to click "Continue with Microsoft" in order to login. However, the reason for my post is that after being redirected to Microsoft and logging in, I hit this page:




The message reads "We were unable to verify the email associated with your Microsoft account, so let’s do that now."


Now admittedly after clicking the button, I get an email with a code and I can successfully verify the account and login as that employee. I’d like to simplify the login process for our employees as much as possible, hence the desire to login at the first Atlassian login page. So having them receive a code and verifying their account before they can login to respond to tickets or manage them is a little much for our business.

Is there a way to simplify this? I’m possibly importing the wrong fields from Azure or something? When I created the Azure app, I used the automatic method and everything was customised and set up via that tool so I would expect that it’s configured correctly but I don’t know if this is the expected experience for an organisation customer to encounter for Atlassian/Jira products.

Any help would be absolutely amazing, I think that the community here is outstanding and I look forward to not only using these products for our business but hopefully to assist the community in the future after I find my feet with these products!

Thank you everyone!
Eli

1 answer

1 vote
Dave Meyer Atlassian Team Mar 17, 2021

Hi @Elijah Wolf ,

So I think your diagnosis of the problem is correct – we initially do a check on the domain to recognize that you should log in with SSO, but on the next login screen, that user doesn't actually have an Atlassian account yet so they aren't automatically sent to the SSO provider.

I think the simplest way to solve this would be to set up user provisioning from Azure AD:

1. That will ensure that any new users you create will have an Atlassian account automatically

2. Provisioning from Azure AD bypasses the email verification step

The instructions to set that up are here: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial

Typically the way to do this with JSM is to put all your "customer" users (i.e. non-agents) in a group. You should make sure that group is synced to the site, but is not a "product access group" for JSM, so that they don't get billed as agents. 
