How to link Atlassian Admin groups with SSO users' groups (Azure AD)

Nick Block February 5, 2024

Hello all,

We have Atlassian Access configured with our SSO provider (Azure AD). This is working great for our tools (i.e. Bitbucket), but I'm not finding a way to associate the Atlassian Account groups with our SSO groups. I'd like to be able to associate an Atlassian Admin administrators' group with a user's membership in an AD group. Is this possible? Can you point me in the direction of where to set this relationship up? Happy to implement SCIM if that's the right answer here.

Thanks!

2 answers

2 accepted

1 vote
Answer accepted
Ed Letifov _TechTime - New Zealand_
Rising Star
February 5, 2024

Hi @Nick Block 

In general you will have to go through what @Kieren described.

Just for clarity:

1) The reason why you want to make your current groups stop being default is because:

  • Users get added to the default group when a Cloud admin invites a user to the site in the Cloud UI and gives access to product (via checkboxes, rather than explicitly assigning groups). So a default group must be writeable by Cloud.
  • Groups synced from the IdP are not writeable by Cloud; they are locked, so they can't be used as default.

2) You associate groups by name, i.e., your only straightforward option is to create groups in Azure AD that have the same exact name as what Atlassian has already used in Cloud.

I am yet to meet an organisation where Azure AD admins just accepted the Atlassian naming convention.

3) If you do not create groups with matching names in Azure AD but instead go with your Azure AD admin names, e.g. some Atlassian-Jira-Application-Admin monstrosity, you can still use that in Product Access setup.

However, to also use them INSIDE the product you will have to manually change all occurrences of jira-admins-xxxx to Atlassian-Jira-Application-Admin in every scheme, every role, every workflow, board, dashboard, and filter. Good luck with this, I don't envy you. Perhaps someone will write an app for this one day?

4) Specifically for Bitbucket – for now there is no way to use IdP groups in Bitbucket, but watch this space.

1 vote
Answer accepted
Kieren
Rising Star
February 5, 2024

Hi @Nick Block 

I don't have any information on how to do this for Bitbucket specifically, but I can help with how to do it within admin.atlassian.com. And if you're in one of the beta customer groups that get to link their Bitbucket product with their admin.atlassian.com org, then this would also work for your Bitbucket product.

If you're on the new user management UI and have Atlassian Access and SCIM then you'll have control over which groups grant admin roles to your products.

There are a few default admin groups you can control via SCIM (where xxxx is your site name):

  1. jira-admins-xxxx
  2. confluence-admins-xxxx
  3. bitbucket-admins-xxxx (if Bitbucket is connected)
  4. There are other default admin groups for other Atlassian products, you can find them here

Before you can sync to these groups, you need to remove them as the default group for their respective product admin roles.

i.e. manually create a new group in admin.atlassian.com called default-jira-admins-xxxx, grant it the Jira admin role, then make it the default group for the Jira admin role. Next, remove jira-admins-xxxx as the default group.

Once you've created the new groups and removed the old/original groups as default groups, you can "take over" the old/original groups... If you create the old group names in your IdP, and select them to sync to your Atlassian organisation, when they sync across they'll 'take over' the existing old groups and replace the users within those groups. The admin roles will also be preserved. Now you're able to sync users into the product admin groups.

You cannot control the site-admin group or the org-admin groups via SCIM though.

This is all a fair bit of work to do and can get quite complex with multiple products... My company is building an automation app to help Atlassian customers with issues just like this (and one that also works for the site-admin and org-admin groups!). In summary we're solving the problem in ACCESS-604. We're planning to release in a free closed beta around mid March 2024. If you're interested, contact us via our website smolsoftware.com to be a part of the beta.

-Kieren
Co-Founder @ Smol Software | Ex-Atlassian
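A pre-flight check for the take-over procedure in both answers, as an added example that is not code from the thread or from Atlassian: it applies Ed's rule that IdP groups match Cloud groups by exact name and Kieren's rule that a group still set as a product's default cannot be synced until another group is made the default. The site name, the IdP group names and the "org-admins" group name are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Groups the thread says cannot be taken over via SCIM at all. "site-admins"
# is the usual name; the org-admin group name here is an assumption.
NOT_SCIM_CONTROLLABLE = {"site-admins", "org-admins"}


def default_admin_groups(site: str, bitbucket_connected: bool) -> list[str]:
    """Default product admin groups named in the answer, for site 'xxxx'."""
    groups = [f"jira-admins-{site}", f"confluence-admins-{site}"]
    if bitbucket_connected:
        groups.append(f"bitbucket-admins-{site}")
    return groups


@dataclass
class Plan:
    ready: list[str] = field(default_factory=list)  # IdP group takes over on sync
    swap_default: list[str] = field(default_factory=list)  # still a default group
    case_mismatch: dict[str, str] = field(default_factory=dict)  # same name, other case
    missing: list[str] = field(default_factory=list)  # no IdP group of that exact name
    blocked: list[str] = field(default_factory=list)  # IdP group SCIM cannot control


def plan_takeover(site, bitbucket_connected, current_defaults, idp_groups):
    """Classify each default admin group against the IdP group names.

    Matching is by exact, case-sensitive name. A group that is still a
    product's default group would be locked once synced, so it has to stop
    being the default (create default-<group>, grant it the admin role, make
    it the default) before the IdP group of the same name is selected for sync.
    """
    idp_groups = set(idp_groups)
    plan = Plan()
    lowered = {g.lower(): g for g in idp_groups}
    for g in default_admin_groups(site, bitbucket_connected):
        if g in idp_groups:
            (plan.swap_default if g in current_defaults else plan.ready).append(g)
        elif g.lower() in lowered:
            # Azure AD name differs only by case: it will NOT take over the group.
            plan.case_mismatch[g] = lowered[g.lower()]
        else:
            plan.missing.append(g)
    plan.blocked = sorted(idp_groups & NOT_SCIM_CONTROLLABLE)
    return plan


if __name__ == "__main__":
    # Constructed sample: Jira group still default, Confluence group mis-cased in Azure AD.
    print(plan_takeover("acme", True, {"jira-admins-acme"},
                        {"jira-admins-acme", "Confluence-Admins-acme",
                         "bitbucket-admins-acme", "site-admins"}))
```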
