Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,360,171
Community Members
 
Community Events
168
Community Groups

Claim Accounts

Hi,

I am in the process of setting up single sign-on using our Azure Active Directory for our users. I have verified my domains in my organisation and now I need to "Claim Accounts". From both the CSV and by asking staff I know that they are using some paid Atlasssian products (such as GitHub). Before I claim the accounts I am trying to establish if claimed users will continue to:

1) Have access to existing products

2) Be able to pay for those products

3) Be able to add new products

Also I wondered if there are any considerations that may impact their work beyond what it mentioned in https://confluence.atlassian.com/cloud/verify-a-domain-for-your-organization-873871234.html.

Thanks in advance

b

9 answers

1 accepted

1 vote
Answer accepted
Dave Meyer Atlassian Team Feb 21, 2020

Hi @bb777 ,

Claiming accounts will make them "managed" by your organization: https://confluence.atlassian.com/cloud/managed-accounts-873871203.html

Besides the email notification that goes out after you claim the account to let them know that their account is now managed (as covered in the doc you linked) there are no changes to end users experience, with the exception that they will no longer be able to change their account's email address or permanently delete their account. After you have claimed the accounts, your organization is the administrator of those accounts and you can make those changes on behalf of users.

Hope this helps!

Thanks Dave,

This has put my mind at rest.

 

b

Dave - as a follow up to bb777's question - are we able to delete accounts after they are claimed?  We are about to subscribe to Access, and there are tons of accounts on there that are old, or not valid.  We dont want to be paying subscription costs on 100 obsolete or incorrect accounts....?

Dave Meyer Atlassian Team Feb 27, 2020

That's correct @staceyking , however I would just note that in most cases "deactivating" is sufficient without doing a permanent deletion on each account (which can take some time). You're not billed for deactivated accounts. https://confluence.atlassian.com/cloud/deactivate-a-managed-account-961259517.html

Like staceyking likes this

Thanks @Dave Meyer !!!!!  Really appreciate the confirmation and tip!

Deleted user Mar 24, 2020

@Dave Meyer Can I piggy back on this question, please? I just verified out organizations domain.  There are about a dozen unclaimed accounts that I could claim.  They're all legitimate.  If I claim them to have to start paying Atlassian Access to manage them or is there a free tier of management?  If I claim them are there any immediate costs that would be incurred?

Dave Meyer Atlassian Team Mar 24, 2020

Hi @[deleted] ,

No, Atlassian Access is an additional subscription that provides additional features on top of what you can do by verifying your domain and claiming accounts.

Once you've claimed the accounts they become "managed accounts". You can do the following (apologies if this list isn't completely comprehensive) just by claiming the accounts:

  • See all your managed accounts
  • Deactivate and delete managed accounts
  • Audit which products and tenants each account has access to
  • Edit names, email addresses, and user profile pictures for managed accounts
  • See if they have created API tokens
  • Admin API tokens
  • Basic security features;
    • Minimum password strength
    • Custom maximum idle session duration length

Atlassian Access provides additional, richer security features:

  • SAML SSO
  • User provisioning and external user directory sync
  • Audit logging
  • Product usage insights
  • Ability to revoke API tokens

Check out https://confluence.atlassian.com/cloud/admin-features-availability-for-cloud-products-973501817.html

Like Junkang Li likes this
Deleted user Mar 24, 2020

Dave, this is excellent. Thank you very much for the prompt reply.  I know how to proceed now.

Dave,  Can we target accounts and not claim all accounts found?  I work in an organization where only one division will be using the Atlassian cloud service.  I do not want to claim all accounts.  

Like # people like this
Dave Meyer Atlassian Team Apr 08, 2020

@Lucas Duggins not at this time. We've designed Atlassian Access as a wall-to-wall solution to provide visibility and security for the entire company. If you're planning to configure SAML SSO, this is usually necessary anyway because company's SSO providers are centrally managed. Many customers have found success by working with their central IT or security teams to take ownership of Atlassian user administration and security across the company, as there may be other pockets of usage within the company using our products that you're not aware of.

Dave - some additional questions on this topic.  I have 291 unclaimed users that are using another instance of Jira.  We are spinning up a new instance for a different department and we want to OKTA enable this instance. Do I have to claim all 291 users or can I leave them unclaimed? If Ieft unclaimed, can I still enable OKTA on the new Jira instance created?

 

Also - do I need Atlassian Access for OKTA enablement as we have not subscribed to this. 

Dave Meyer Atlassian Team Apr 27, 2020

@Desiree Olivito 

It's not possible to claim a subset of users, we currently require a single organization to claim all users on a domain. Once you've claimed a domain and subscribed to Atlassian Access, you can configure SAML SSO for all users on the domain via Okta. When you enable SSO, it's enforced on users' Atlassian accounts, regardless of what Jira Cloud (or any other product) a user might have access to.

In cases where multiple departments each have independent instances, we've seen customers share administrative responsibility for SSO and share the cost of Access between departments.

I understand that when claiming the users, I have to claim all of the users for our domain. I cannot do it selectively.

1. Will we only use an Access license if someone has access to a product within our organisation, or is it if they have access to any product - even outside of our organisation?
2. If we don't transfer a site to our organisation (for example a Jira instance paid for a by a project), will their users continue to log in to their site without single sign-on? My concern is that we claim the users in the domain, but they are affected in the other products if we remove them as Managed users from our organisation.
4. If we did transfer such other sites to our organisation, would their product billing continue as it is currently?

Like # people like this

Does anybody know what affect claiming accounts will have on billing.  ie. Will the person listed on a given instance still receive the bill?  Or will the administrator who has "claimed accounts" be sent the bill.  I work at an educational institute where separate departments have bought Jira instances with their own department funds.  I am willing to claim the accounts, but the billing and payment need to remain separate.

Like Lucas Duggins likes this
Dave Meyer Atlassian Team Jul 14, 2020

Hi @Robert Piscitello

Claiming accounts has no impact on the various instances that the claimed accounts might have access to. When you do a domain claim, the user's accounts become managed under your organization, but it's intentionally independent of the products that each user has access to (the users might be using a Jira or Confluence instance that isn't paid for by your institution at all).

Regards,

Dave

Like # people like this

"Many customers have found success by working with their central IT or security teams to take ownership of Atlassian user administration" - we definitely won't be one of those.

Is there any way to work around the "claim all policy" - e.g.: by mapping jira username to an alternate AzureAD attribute with alternate email-address/domain?

Moved to separate topic

1 vote

I have a question related to this topic. I just verified my domain and want to claim accounts. I have a concern about doing this because I just did a test migration and moved all users to the cloud without sending them a notification because I don't want them to use the Cloud yet. 

My questions is: By claiming the accounts will all the users receive a notification anyway? Because that is no option for me. 

If this is the case I would like to disable / delete all users but keep a few for testing purposes, but I can not do this in Bulk, so what other choice do I have here?

Dave Meyer Atlassian Team Jul 08, 2022

@Jair Bakhuis this thread is out of date. Users are no longer notified via email during the user claim process. https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/#Notify-claimed-user-accounts

Hi all

I have quite a few accounts that I have to claim, but these accounts 90% have personal free trello boards, so I don't want to start paying for those trello accounts but only for the users that I decide will have access to Jira, is it possible to claim those accounts without paying for those trello boards?

 

Regards, 

moved to separate discussion

0 votes
Deleted user Jul 28, 2021

read the atlassian techs post - dave meyer on mar 17th 2021.

makes me think that i can claim accounts but not license and then they are not billed?
can an Atlassian rep please clarify

Dave Meyer Atlassian Team Jul 29, 2021

Hi @[deleted] ,

You can claim a domain and take basic actions on the users that become your managed accounts without an Atlassian Access subscription. You can see which features require an Access subscription and which don't here: https://support.atlassian.com/organization-administration/docs/organization-admin-abilities-for-cloud-products/

You can also subscribe to Atlassian Access but exclude certain users from being billed for it by using the nonbillable authentication policy. You can learn more about setting that up here: https://support.atlassian.com/security-and-access-policies/docs/understand-authentication-policies/#Authenticationpolicies-Whatisanonbillablepolicy

Deleted user Jul 29, 2021

when i verify my domains what happens to those users in terms of licensing? are they automatically added to Atlassian access? because i dont want that. i would have to manually sort through 2000 users and select who to  apply what policy/ Atlassian access?

are they auto give access to my jira or confluence instances where i already have licensed users?

Dave Meyer Atlassian Team Jul 29, 2021

If you haven't already subscribed to Atlassian Access, verifying your domain has no licensing or billing impact.

If you already have an Atlassian Access subscription, then verifying domains will result in new managed accounts being added to your default authentication policy.

For Atlassian Access customers, we require that the default policy be billable so that if new users sign up for an Atlassian account, there is no risk that your security policies would not be applied.

If you don't have an Atlassian Access subscription, it's a moot point because you can only have one authentication policy and by definition it's not billable.

There's information on how to manage authentication policy membership in bulk here: https://support.atlassian.com/security-and-access-policies/docs/edit-authentication-settings-and-members/

Subscribing to Atlassian Access does not have any immediate impact on which users have access to your Jira or Confluence instances.

i already have atlassian access. when i verify my domains what happens to those users in terms of licensing? are they automatically added to Atlassian access? because i dont want that. i would have to manually sort through 2000 users and select who to keep or remove from atlassian access? 

are these added users going to claim a license from my jira or confluence, if they are using the product outside of my enterprise version?

0 votes
Deleted user Jul 28, 2021

i have jira and confluence license with 600 users.
also, i have users that use non- license Trello or a business email linked to outside instances of jira/ confluence.
if i claim the domains who will both sets of users be affected?  i only want to use Atlassian access for my 600  jira and confluence license users.

The latest I heard is there is "supposed" to be a function where you can un-include the Trello accounts from Access. I have not seen this yet, and we are paying for the Trello Access, and those accounts are now managed by the Org

Deleted user Jul 28, 2021

we do not license trello and could care less if they all loose access. we already contacted all trello users to change their trello emails to a personal email  or create a new trello account and be added to the boards again and remove the company account. otherwise they may loose access.

i need to know if im going to get slapped with Atlassian access bills for all these users. that will be claimed and using the product in a non-enterprise way.
 
the documentation is terrible at defining this process. and giving example scenarios. 

Any account using your domain will be billed for Access. It is an all or nothing. When you claim the domain as well, if there are any smaller instances of Jira/Confluence that have users from your domain they will be included in the Access bill as well. We found this out the hard way. 


Also, if you deactivate a Trello account to avoid getting billed for it, it is technically an Atlassian account, so that user will not be able to use your Jira/Confluence, or log in to their Atlassian account. It does not seem that this is a problem for you, but it became one for us as our unlicensed customers were not able to log into our Service Portal if we deactivated their Trello account. 

Claiming your domain does not cost anything and it will give you more information on how many accounts are out there, and what products they are using.

Deleted user Jul 29, 2021

read the atlassian techs post - dave meyer on mar 17th 2021.

makes me think that i can claim accounts but not license and then they are not billed?
can an Atlassian rep please clarify

0 votes
Darryl Lee Community Leader Mar 22, 2021

Follow-on to this: We've recently Verified Domains, but chosen *NOT* to yet Claim accounts. 

So they all show up under Domains.

We would like to configure SAML SSO, but that page says we need to verify a domain.

Do we actually need to both verify the domain and claim accounts before it will let us configure SAML SSO?

Will this change with the new Authentication Settings? Because we'd love to have this set up before spamming the whole company.

@Darryl Lee Claiming the accounts is a mandatory step in configuring SAML SSO. The new authentication settings do not change this mechanism.

The error message that you're seeing is a bit old and will be improved. It should say that you need to verify a domain and claim its accounts.

@Dave Meyer If I claim the accounts, I have to admin, manage, and pay for them now? 

Dave Meyer Atlassian Team Mar 17, 2021

@Catherine Svendson you only pay for accounts as part of an Atlassian Access subscription. You can claim and take basic administration actions without an Access subscription. 

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Atlassian Access

Atlassian Access Demo Q&A Recap

Hi Community! Thank you to all who joined our ongoing monthly Atlassian Access demo! We have an engaging group of attendees who asked many great questions. I’ll share a recap of frequently ask...

1,502 views 5 5
Read article

Atlassian Community Events