Integrate Azure AD with Atlassian Cloud

Hi João,

Thank you for the detailed reply and information.

I've done reading around both the SSO and User Provisioning (Microsoft documentation) and it seems we can setup SAML SSO first and then do the User Provisioning setup afterwards so as to get the benefits of SSO and User Provisioning. I appreciate the mapping of the attributes for SSO and User Provisioning is different.

 "If you have previously setup Atlassian Cloud for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially." - Taken from Microsoft documentation around User Provisioning.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial?source=docs

As we are trying to make the authentication as secure as possible for all users but at the same time make management of users simpler via Azure so hopefully we can incorporate both SAML SSO and User Provisioning as it seems to allow it. 

If you think this will not not work your feedback will be helpful 

Regards

Rachel

This will work but this is a mistake.

Groups you assign to the Atlassian Cloud application in Azure affect BOTH who are allowed to sign-in and who is provisioned. You'd think these should always be the same, but in real enterprise scenarios this is not always true.

If you have a security breach associated with one of the users – you'd want to lock them out immediately, but you will want to keep their product groups intact, so you can investigate i.e. to identify what they could have possibly have access to.

Please review these threads also, these might help:

https://community.atlassian.com/t5/Confluence-questions/What-is-the-difference-between-site-access-and-product-access/qaq-p/1306257#M221166

https://community.atlassian.com/t5/Jira-Service-Management/Azure-AD-login-and-incoming-email-not-matching-up/qaq-p/1821809#M88619

This is what I share with our customers:

Here are our recommendations on how to configure Cloud site and Atlassian Access integrated with Azure AD.

1) A lot of features in Cloud User Management, and access setup are aiming to make it easier for non-enterprise users to set everything up. 

In the presence of Atlassian Access provisioning a lot of these features are actually make it harder to manage everything from Azure AD.

As such it is recommended to tighten up the setup of Atlassian Cloud site as much as possible, so, at least for the regular users, the control over who gets access to what is fully on the side of Azure AD.

• Cloud site can list domains in Site Access, so users from these are pre-approved to just join the site on a whim by clicking a link and wandering in. This should be disabled – so the only way someone is allowed to be on the site is by being provisioned from Azure AD via User Provisioning in Atlassian Access
• It's impossible to stop site-admins from inviting users directly, but it can be tightened up: when a user is invited or joins the site they automatically get access to products that have "New users have access to this product" checked in Product Access. These checkboxes should be unchecked for all applications, so nobody gets any acess unless it comes from Azure AD via User Provisioning in Atlassian Access
• Product Access must have at least one default group, these are the groups that a user is assigned when the site admin ticks a checkbox to give access to a product or when they get a default product: this needs to be disabled. A dummy "local" group should be created – we usually call it "default-do-not-use". This group should be added to all applications in Product Access, made to be the default one, and any other default groups should be stopped from being default.
• In Product Access, except for site-admins and administrators – all groups that give access to products should be coming from Azure AD via User Provisioning in Atlassian Access
• In Product Admin Access, except for site-admins and administrators – all groups that give access to products should be coming from Azure AD via User Provisioning in Atlassian Access
• Inside the actual products e.g. Jira – access should be keyed to groups coming from Azure AD via User Provisioning in Atlassian Access. When we do Cloud Migrations we re-key application data e.g. from jira-administrators being used everywhere to the group name coming from Azure AD.
• "Local" Cloud groups e.g. site-admins and administrators should be used as little as possible, e.g., in Global permissions only.

All of the above ensures that users can only get access via Azure AD. Once a user is provisioned, with some groups listed in Product Access, they are given site access. When they are deprovisoined they lose access.

A site admin can elevate someone else to a site-admin or administrators level – but this will only allow you to administer site or get into administrators section of the product e.g. to review how setup is done. 

2) We recommend having two instances of "Atlassian Cloud" Enterprise application in Azure AD – one solely responsible for SSO and the other solely for User Provisioning.

• It is recommended to configure SSO via Azure AD to be based on a group or set of groups distinct from the product groups used in provisioning, i.e. "authentication-only" group(s) assigned to the Atlassian Cloud Enterprise application in Azure AD that is responsible for SSO only, and "authorization-only" groups(s) assigned to the Atlassian Cloud Enterprise application in Azure AD that is responsible for User Provisioning only. Thus in Azure AD you would require a user to be a member of at least two groups – the access one and the product one.

Mainly this is from the desire to separate concerns, e.g., during a security breach investigation – deny someone SSO, effectively locking them out from Atlassian Cloud (temporarily), while not touching their provisioned user and the groups associated with that. If the groups used for provisioning are directly assigned to to the application responsible for SSO – removing the user from a group trying to deny them SSO will trigger deactivation of the user via User Provisioning.

The need for two applications in Azure stems from this too – since for a single application the assigned groups apply to both SSO and User Provisioning.

If you ever start running Jira Service Management – you will need to be able to give access to Cloud without giving access to products for Portal Only users.

3) SSO to Atlassian Cloud is Cloud-wide – it encompasses users outside of your single site, e.g. users from your own other sites, Bitbucket and Trello users, as well as users who require access to other Atlassian Cloud services, e.g. University or Community.

• It is recommended to have two groups in Azure to clearly track these: one for Trello users, one for Other users (as in "other Atlassian services"). These groups should be used in User Provisioning.
• in case you ever start running another site and you'd want to explicitly give access to site1 but not to site2 all other Product access groups used in User Provisioning should have the site name in the name of the group

4) Both User Provisioning and SSO sides of configuration in Azure AD need to be reviewed due to the fact that Atlassian uses email of the user for everything:

For the app responsible for SSO in Azure AD:

• what is pushed into "name" attribute is absolutely irrelevant, might as well be the UPN to match the meaning a username in AAD
• user's email (wherever it is stored in AAD) MUST be pushed to the Cloud's email attribute
• "Unique User Identifier" in the SSO mappings has meaning "... in Atlassian Cloud" and MUST always be the email of the user.

For the app responsible for User Provisioning in Azure AD:

• what is pushed into "username" attribute is absolutely irrelevant, might as well be the UPN to match the meaning a username in AAD
• user's email (wherever it is stored in AAD) MUST be pushed to the Cloud's email attribute
• AAD objectId MUST be pushed as Cloud's externalId, and it MUST be selected as the one used for user record matching ("Matching Precedence" = 1) – this will allow you to change the UPN, or email at will but keep Cloud in sync
• any groups assigned to the app responsible for SSO in Azure AD MUST be included in the list of groups assigned to the app responsible for User Provisioning in Azure AD (as otherwise you'd have to rely on product access groups to actually have the user provisioned or won't be able to lock a user out temporarily by removing them from a group giving them SSO without triggering deactivation via User Provisioning)

5) A new user created in Azure AD or a user after rename/change of email or/and UPN should wait for the provisioning to push the changes to Cloud (Azure AD does it only every 40 minutes)

6) For traceability,  admins in Atlassian Cloud should never trigger deletion of a previously active real user in Atlassian Admin UI – only deactivate.

Deleting a user in Azure AD or removing them from all groups assigned to the app responsible for User Provisioning in Azure AD will automatically trigger deactivation on Atlassian Cloud side, not delete.

7) To avoid being locked out if SSO is malfunctioning, it is recommended to have at least one org-admin and site-admin account from another domain, e.g., if we are supporting you in the Cloud – one of techtime accounts. They are all attached to real users, with Atlassian's own 2FA and strong passwords enforced. We use aliasing to avoid logging into one customer and accidentally changing something for another customer.

Creating a special "break glass" account in your own domain and assigning it to no-SSO policy in Atlassian Access is not recommended as this effectively circumvents the very security controls you are trying to implement with SSO via Azure AD.

Hi Ed,

Thank you for detailing it and making it very easy to follow. I appreciate the help and I will be taking your advice and implementing it as you recommend.

It's made things a lot easier now as I now understand the difference between SSO and User Provisioning for Atlassian/Azure.

Rachel      

Hi Ed,

I second Rachel Coles appreciation!  It's been about a year since your shared your recommendations for configuring Cloud site and Atlassian Access integrated with Azure AD.  We are about to implement the same integration.

Are there any updates or new considerations you would make today?

Sean

Hi, @Sean Thorburn I do not think anything has changed.