Missed Team ’24? Catch up on announcements here.

Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

How do I auto-provision AzureAD users for JSM portal access without an Atlassian Access license?

Jason Bowne August 15, 2023

We have AzureAD / Atlassian Cloud enterprise app setup / groups setup / users in groups / SCIM setup - all good.  We have 2 authentication policies in Atlassian Access (one billable and one non-billable for trello free users).

When we turned on SCIM the group used for access to the Atlassian Cloud azureAd enterprise app (some of which were in the billable profile and a good amount in the non-billable profile) > all went into the billable profile and now show they are taking a license (which included all the people that I had in the non-billable profile).

We are working with a consulting group and as part of it was ensured that end users in the company did NOT need an Atlassian Access license to get to the JSM portal via SSO, only the agents that needed a license would need to have Atlassian access licenses.

Once we turned on SCIM I am unable to move any of the managed users that landed in the billable profile, over into the non-billable profile.  I don't see how I can ensure that our 4,000 employees can get to a JSM portal via SSO and not get billed Atlassian access licenses for all of them.

I can't find anything on the internet, nothing in Atlassian support, that addresses this situation. The consulting team we are working with are digging into this as well as we just turned this on today and are seeing it.


2 answers

1 vote
NC August 28, 2023

Hi Jason,

I believe what you are after is possible and we have implemented a remarkably similar solution for internal and external customers and JSM portal access.

The cleanest way is to have all your customers in one AAD security group or if you have multiple portals, you can have an AAD security group per portal that is the solution we have. The AAD security group can be either manual or dynamic. I would recommend, if possible, you go down the dynamic root as this will reduce manual intervention over time.

Within Atlassian Admin make sure that these new AAD security group have no access to any products.

Now go to the JSM project -> Project Settings -> People -> Add People

Select the AAD security group and assign the role "Service Desk Customer"Now if you return to Atlassian Admin and view a member of one of the AAD security group their profile will appear like the image below with only two access flags checked:

  1. Has access on site
  2. Jira Service management - Customer

MicrosoftTeams-image (3).png

Jason Bowne August 29, 2023

Hey NC - thanks for the detailed reply. This is what we have setup and it does work great. However the problem comes in with Casey's comment below - any SCIM provisioned account from AzureAD into Atlassian lands in the billable profile and can't be moved out.

That is fine for the scenario of making that group a customer in a portal in JSM as customer isn't charged an Atlassian access license.

The rub comes in where every account in that Azure AD group that is provisioned via SCIM into the billable profile, has a trello free account.  Atlassian tags trello 'free' as a product, and thus increases the atlassian access license ticker for that user, even though the product is a 'free' version (not so free)..

0 votes
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 28, 2023

Hi Jason!

Atlassian Access is billed for all Atlassian users under your claimed domains. As SCIM is a feature offered under this subscription, adding your non-billable users to this profile/policy will automatically make them billable.

Learn more by reading the guides below:
 Manage your bill for Atlassian Access.
Understand user provisioning 

Jason Bowne August 29, 2023

I totally understand Casey, and thank you for the references.  My ask is that Atlassian re-classify Trello free to NOT be a product, and thus if this is the ONLY 'product' they are using - not requiring an Atlassian access license (the same as JSM customer does not need an Atlassian access license). 

Completely understand if the user has a Trello standard (requiring an Atlassian access license) or enterprise (not requiring Atlassian access license payment as Atlassian access is built into Trello enterprise license).

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events