Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Will Atlassian Access work for B2B Guest users in our Azure AD tenant?

Koen Bins I'm New Here Dec 30, 2021

Current situation:

We are using the following cloud products: Confluence, Jira Software and Bitbucket. We distinguish two types of users in these products: 1) workers from our own company (registered with a company email addresses) and 2) external users, such as business partners/suppliers (who are registered with their external business email address).

What we hope to achieve:

We would like to use AA to enable SSO, automated user (de)provisioning, and more advanced security policies. We want this two work for all our current users (internal and external).

Questions:

  • Will user provisioning and SSO authentication also work for the B2B Guest users in our IDP? Since:
    • The UPN of a B2B Guest users does not contain our company domain. Instead the UPN will end on "@<companydomain>.onmicrosoft.com", which is a domain we obviously cannot verify.
    • The B2B Guest user can still be identified based on their external business email address, since it is registered as the email address in their Azure AD record. However, we cannot verify the company domain of our business partners/suppliers on which their email address is based.
  • If yes, will AA recognise the existing external users in our cloud products based on their external email address?
  • Any other recommendations or considerations from community members who have set this up successfully?
  • Slightly off-topic: Is it possible to have a subset of users login with SSO, while another group of users still uses their local user credentials (application-side).

Thanks for your help.

 

1 answer

1 accepted

0 votes
Answer accepted
Dave Meyer Atlassian Team Jan 03, 2022

Hi @Koen Bins ,

Unfortunately this will not work. We don't currently support SSO for users with Atlassian account email addresses on domains that you cannot verify.

We recognize users based on the email address of their Atlassian account. If that email address has a domain that has been claimed by an organization, then we apply the SSO configuration for that user based on the organization.

Improvements to security for external users is something we're actively working on.

Cloud_Roadmap___Atlassian-3.png

 

Is it possible to have a subset of users login with SSO, while another group of users still uses their local user credentials (application-side)

Yes, you can set this up with authentication policies for your organization.

Koen Bins I'm New Here Jan 04, 2022

Hi @Dave Meyer  thanks for your reply.

A follow-up question to my 2nd question: If we configure one group of users with SSO, is it possible to enforce SSO for that group (not allowing application-side logins), while still allowing application-side logins for the other group (primarily consisting of external users)?

Dave Meyer Atlassian Team Jan 04, 2022

Hey @Koen Bins 

Yes, you can set up different authentication policies for internal users (i.e. "managed accounts" or accounts with an email address on a domain you have claimed). External users (users with accounts with an email address on a domain you cannot claim) can still be granted access to your Jira/Confluence instance, but you won't be able to set any kind of login requirements for them.

You can't quite assume that they are purely using an email/password login from Atlassian, because there is the potential scenario that another organization has claimed their domain and enforces its own SSO when they log into their account (for example, if you have consultants working with you. They might have access to your Jira under their @consultant.com email address, but the consulting company enforces SSO on all @consultant.com accounts)

So a scenario you could have is:

1. Authentication Policy A (SSO enforced) for most of your internal users

2. Authentication Policy B (no SSO enabled) for low risk internal users or bots

3. External users that have been invited to your Jira/Confluence but do not fall under your authentication policies.

Hopefully that makes sense.

Dave

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Atlassian Access

Atlassian Access Demo Q&A Recap

Hi Community! Thank you to all who joined our ongoing monthly Atlassian Access demo! We have an engaging group of attendees who asked many great questions. I’ll share a recap of frequently ask...

495 views 1 4
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you