Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Azure Ad syncs all users to applications (Confluence)

We use crowd together with confluence.

Within crowd:

Application has Azure Ad mapped to confluence. But only the group confluence-users is selected in "Groups that can authenticate"

In Azure Ad we added the group confluence-administrators. Also this group is not selected in "Groups that can authenticate" these users consume licenses in confluence.


We are preparing to move most users to azure ad.

"Allow all users from this directory to authenticate" is not activated for Azure Ad on Application Confluence

4 answers

We are migrating to azure ad and simply wanted to create all users and groups and than switch internal off. But we are reaching our license limit when we add users to azure groups for later use in atlassian applications.


Plan is now to change current usernames to be the same like the later ones used in azure, so applications should count them as same user.

Hi @Benjamin Brummer

'confluence-administrators' may not be in your list of 'Groups that can authenticate' but from Confluence's perspective, it is a special group, that's why its users actually consume licenses. You can also see that special behaviour in Confluence's Administration UI > Users & Security > Global Permissions > Licensed Users.

(BTW if it's important for you not to see all your Azure AD users and groups in Crowd's console and then in Confluence, you might want to take a look at the Office 365 Directory Connector for Crowd (ODCC) plugin that has options to filter Azure AD users and groups. Disclaimer: I work for the vendor of the ODCC plugin.)

0 votes

Hey benjamin,

There is is nothing wrong with your configuration, this is how the products are expected to work, however many people don’t expect this behavior (me included initially). If a user shows in a crowd directory, then they will sync to the applications connected to it. You can then limit who can actually use the product via the application license groups and the “allowed to authenticate”.


The only way we have found so far to limit users getting to the apps is to have groups in AD/LDAP and then ingest in to Crowd using and LDAP filter that limits scope to just that set of users. 


Apart from having a giant list of users in the application that you likely don’t want to see, and if the possibility that there may be a performance hit by storing data that’s never used, is there a functional issue you’re trying to work around?




Same issue on jira. Only jira-users is activated for Jira-Application in crowd, but members of jira-administrators group incloud are consuming licenses.


It looks like if you ad an Azure Ad to an application alle users are synced to the application. "Allow all users from this directory to authenticate" or selecting only some groups is not working.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Confluence

An update on Confluence Cloud customer feedback – June 2022

Hi everyone, We’re always looking at how to improve Confluence and customer feedback plays an important role in making sure we're investing in the areas that will bring the most value to the most c...

171 views 1 3
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you