Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Applying password policy when company emails are internal only

I have read documentation that says that you cannot apply a password policy unless you verify a domain for your organization (https://confluence.atlassian.com/cloud/verify-a-domain-for-your-organization-873871234.html).

However at my company our email addresses aren't a publicly accessible domain. It is only used for our email address (me@abc.com) as well as internal routing to a company intranet page when you're on our corporate network. (www.abc.com is only accessible in the corporate network and assume there's no such public website as www.abc.com otherwise)

Additionally we send invites for Jira & Confluence to external business vendors and international business partners as well. Whlie Atlassian specifies:

You want to verify a domain that you don't own

To protect the privacy and security of Atlassian's users, it's not possible to verify domains that you don't own.

If you'd like to apply Atlassian Access security policies for these users, ask them to change their email address to a domain that you can then verify, or invite them to create Atlassian accounts that use email addresses from the domain.

In actuality many corporate security teams have mandates on password policy criteria, much of which Atlassian does not enforce by default and therefore a security issue in itself (I believe I read passwords just have to be 8 characters, and that's about it).

Are there any plans to allow for account administrators and owners to take more control over those contributing to their cloud based Jira/Confluence/Bitbucket accounts by allowing for more security enforcement without the overhead of domain validation which cannot be satisfied?

1 answer

0 votes
Geoff Atlassian Team Mar 04, 2020

Hi Trinh
Just to clarify, are you saying that the domain used for emails isn't accessible from the public internet at all, meaning that you can't send emails to these addresses from outside your corporate network? If so then you are unfortunately right, you will be unable to claim your domain and set a password policy for the users with email addresses at this domain.

If you can actually send emails to this domain (even though there may not be a public website hosted at the domain) then you will still be able to claim domains using the DNS method and set a password policy. This is most likely the situation you are in as your users would have had to verify their accounts before they could use them which is done by sending them an email with a verification link from Atlassian.

We currently don't have a good solution for external business vendors which you grant access to your site if they are on a different email domain. Atlassian accounts are global in nature which means that once you authenticate and are granted a session, that session will work with all cloud sites where you have access. This means that you can authenticate on any site, such as the external business' own Jira Cloud instance, and then navigate to your instance and be granted access. In essence, password management is on an account level, and not on a site level

I hope this helps

Hi Geoff,

I appreciate and understand the explanation. However I will say as a customer that it is very challenging. Although my part of the organization adopted Atlassian, I wouldn't be able to claim the entire domain because there might be part of the organization that also uses Atlassian on their own and I wouldn't want to be accountable to their groups. You have to think +60k enterprise org here.

While we could go the DNS method, reaching out to the main security/networking team that manages for the email/domain for the company, they're not likely to want/understand the request from one individual business owner or Atlassian admin to get the domain verified. Culturally it's a stretch - and security wise has a high barrier when talking about groups that live and breath Change Management Process.

It used to be that Bitbucket had it's own account management and password system (however that had since been merged to the same login that Confluence and JIRA uses) and the problem I'm running into now is that security practices industry wide have tightened up a lot. If anything it should be Atlassian's stance to have a much more rigid password policy system in place that helps cover many security practices around the industry rather than only 8+ character count by default. It would at least make security teams happy (not that I'm coming from that space) I'm just voicing my concern as a technologist that is trying to make cloud platforms more widely accepted in Huge Enterprise environments.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Asked in Atlassian Account

Upcoming AMA with the Atlassian Identity Product Managers!

"Atlassian Account" is a space where you can raise questions about your Atlassian Account and your identity across all of our Atlassian Cloud Products. This involves understanding User Managemen...

1,014 views 8 17
View question

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you