Missed Team ’24? Catch up on announcements here.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Control of password strength and 2-factor authentication for guest accounts

Frank Bernhardt
Frank Bernhardt June 12, 2019

We are using SAML and 2 factor authentication for our Jira and Confluence users. We now have very often external team members that need access. They will use their own e-mail to sign on. If I give them access to our URLs, do I have any control over the password strength that they use?

Answer
Watch
Like Jon Espen Ingvaldsen Kantega SSO likes this
615 views

1 answer

1 accepted

0 votes
Answer accepted
Daniel Eads
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 17, 2019

Hi Frank,

Since Cloud users can be members of multiple instances, password policies are set at the email domain level rather than at each individual Jira/Confluence instance.

I'm guessing from your previous question that you've already gotten familiar with Atlassian Access (formerly known as Identity Manager). That's how organization owners set password policies, but it's specific to accounts for the email domain owned/claimed by that company.

In this sense, you control the password strength for your employees working across all Atlassian Cloud instance (even ones that you don't manage). But the downside as you're finding out is that you're at the mercy of "external" vendors to set the password strength for accounts in their organization. Erego, if the external team members have an email like vendor@stranger.com, someone would need to verify stranger.com with Atlassian Access to apply password policies to those users.

The minimum password strength for non-managed accounts is 8 characters (no complexity requirements). We hope users are selecting passwords stronger than this, but their domain would need to be verified with Atlassian Access to enforce a different policy.

Cheers,
Daniel

View More Comments
Frank Bernhardt
Frank Bernhardt June 17, 2019

Thank you. That would mean that if we want to enforce the password strength we would need to enforce that the people would use a P&G email.

Thanks

Like Daniel Eads likes this
Reply

Suggest an answer

Log in or Sign up to answer
Identity Manager
Atlassian Access
TAGS
AUG Leaders

Atlassian Community Events

    See all events