Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Deleted user
0 / 0 points
badges earned

Your Points Tracker
  • Global
  • Feed

Badge for your thoughts?

You're enrolled in our new beta rewards program. Join our group to get the inside scoop and share your feedback.

Join group
Give the gift of kudos
You have 0 kudos available to give
Who do you want to recognize?
Why do you want to recognize them?
Great job appreciating your peers!
Check back soon to give more kudos.

Past Kudos Given
No kudos given
You haven't given any kudos yet. Share the love above and you'll see it here.

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Control of password strength and 2-factor authentication for guest accounts

We are using SAML and 2 factor authentication for our Jira and Confluence users. We now have very often external team members that need access. They will use their own e-mail to sign on. If I give them access to our URLs, do I have any control over the password strength that they use?

1 answer

1 accepted

0 votes
Answer accepted
Daniel Eads Atlassian Team Jun 17, 2019

Hi Frank,

Since Cloud users can be members of multiple instances, password policies are set at the email domain level rather than at each individual Jira/Confluence instance.

I'm guessing from your previous question that you've already gotten familiar with Atlassian Access (formerly known as Identity Manager). That's how organization owners set password policies, but it's specific to accounts for the email domain owned/claimed by that company.

In this sense, you control the password strength for your employees working across all Atlassian Cloud instance (even ones that you don't manage). But the downside as you're finding out is that you're at the mercy of "external" vendors to set the password strength for accounts in their organization. Erego, if the external team members have an email like, someone would need to verify with Atlassian Access to apply password policies to those users.

The minimum password strength for non-managed accounts is 8 characters (no complexity requirements). We hope users are selecting passwords stronger than this, but their domain would need to be verified with Atlassian Access to enforce a different policy.


Thank you. That would mean that if we want to enforce the password strength we would need to enforce that the people would use a P&G email.


Like Daniel Eads likes this

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Atlassian Access

We're launching improved navigation for admins

Hi Atlassian Community, My name is Avni Barman and I am a Product Manager on the Atlassian Access team! One of my top priorities is to help make the administrator's life easier through improved pro...

1,085 views 2 12
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you