I am in the process of setting up single sign-on using our Azure Active Directory for our users. I have verified my domains in my organisation and now I need to "Claim Accounts". From both the CSV and by asking staff I know that they are using some paid Atlasssian products (such as GitHub). Before I claim the accounts I am trying to establish if claimed users will continue to:
1) Have access to existing products
2) Be able to pay for those products
3) Be able to add new products
Also I wondered if there are any considerations that may impact their work beyond what it mentioned in https://confluence.atlassian.com/cloud/verify-a-domain-for-your-organization-873871234.html.
Thanks in advance
Hi @bb777 ,
Claiming accounts will make them "managed" by your organization: https://confluence.atlassian.com/cloud/managed-accounts-873871203.html
Besides the email notification that goes out after you claim the account to let them know that their account is now managed (as covered in the doc you linked) there are no changes to end users experience, with the exception that they will no longer be able to change their account's email address or permanently delete their account. After you have claimed the accounts, your organization is the administrator of those accounts and you can make those changes on behalf of users.
Hope this helps!
Dave - as a follow up to bb777's question - are we able to delete accounts after they are claimed? We are about to subscribe to Access, and there are tons of accounts on there that are old, or not valid. We dont want to be paying subscription costs on 100 obsolete or incorrect accounts....?
That's correct @staceyking , however I would just note that in most cases "deactivating" is sufficient without doing a permanent deletion on each account (which can take some time). You're not billed for deactivated accounts. https://confluence.atlassian.com/cloud/deactivate-a-managed-account-961259517.html
@Dave Meyer Can I piggy back on this question, please? I just verified out organizations domain. There are about a dozen unclaimed accounts that I could claim. They're all legitimate. If I claim them to have to start paying Atlassian Access to manage them or is there a free tier of management? If I claim them are there any immediate costs that would be incurred?
Hi @tony_stecca ,
No, Atlassian Access is an additional subscription that provides additional features on top of what you can do by verifying your domain and claiming accounts.
Once you've claimed the accounts they become "managed accounts". You can do the following (apologies if this list isn't completely comprehensive) just by claiming the accounts:
Atlassian Access provides additional, richer security features:
@Lucas Duggins not at this time. We've designed Atlassian Access as a wall-to-wall solution to provide visibility and security for the entire company. If you're planning to configure SAML SSO, this is usually necessary anyway because company's SSO providers are centrally managed. Many customers have found success by working with their central IT or security teams to take ownership of Atlassian user administration and security across the company, as there may be other pockets of usage within the company using our products that you're not aware of.
Dave - some additional questions on this topic. I have 291 unclaimed users that are using another instance of Jira. We are spinning up a new instance for a different department and we want to OKTA enable this instance. Do I have to claim all 291 users or can I leave them unclaimed? If Ieft unclaimed, can I still enable OKTA on the new Jira instance created?
Also - do I need Atlassian Access for OKTA enablement as we have not subscribed to this.
It's not possible to claim a subset of users, we currently require a single organization to claim all users on a domain. Once you've claimed a domain and subscribed to Atlassian Access, you can configure SAML SSO for all users on the domain via Okta. When you enable SSO, it's enforced on users' Atlassian accounts, regardless of what Jira Cloud (or any other product) a user might have access to.
In cases where multiple departments each have independent instances, we've seen customers share administrative responsibility for SSO and share the cost of Access between departments.
I understand that when claiming the users, I have to claim all of the users for our domain. I cannot do it selectively.
1. Will we only use an Access license if someone has access to a product within our organisation, or is it if they have access to any product - even outside of our organisation?
2. If we don't transfer a site to our organisation (for example a Jira instance paid for a by a project), will their users continue to log in to their site without single sign-on? My concern is that we claim the users in the domain, but they are affected in the other products if we remove them as Managed users from our organisation.
4. If we did transfer such other sites to our organisation, would their product billing continue as it is currently?
Does anybody know what affect claiming accounts will have on billing. ie. Will the person listed on a given instance still receive the bill? Or will the administrator who has "claimed accounts" be sent the bill. I work at an educational institute where separate departments have bought Jira instances with their own department funds. I am willing to claim the accounts, but the billing and payment need to remain separate.
Claiming accounts has no impact on the various instances that the claimed accounts might have access to. When you do a domain claim, the user's accounts become managed under your organization, but it's intentionally independent of the products that each user has access to (the users might be using a Jira or Confluence instance that isn't paid for by your institution at all).
"Many customers have found success by working with their central IT or security teams to take ownership of Atlassian user administration" - we definitely won't be one of those.
Is there any way to work around the "claim all policy" - e.g.: by mapping jira username to an alternate AzureAD attribute with alternate email-address/domain?
Follow-on to this: We've recently Verified Domains, but chosen *NOT* to yet Claim accounts.
So they all show up under Domains.
We would like to configure SAML SSO, but that page says we need to verify a domain.
Do we actually need to both verify the domain and claim accounts before it will let us configure SAML SSO?
Will this change with the new Authentication Settings? Because we'd love to have this set up before spamming the whole company.
@Darryl Lee Claiming the accounts is a mandatory step in configuring SAML SSO. The new authentication settings do not change this mechanism.
The error message that you're seeing is a bit old and will be improved. It should say that you need to verify a domain and claim its accounts.
Hi Atlassian Community, My name is Avni Barman and I am a Product Manager on the Atlassian Access team! One of my top priorities is to help make the administrator's life easier through improved pro...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events