Azure AD syncs all users to applications (Confluence)

Benjamin Brummer February 27, 2018

We use Crowd together with Confluence.

Within Crowd:

The application has Azure AD mapped to Confluence, but only the group confluence-users is selected in "Groups that can authenticate".

In Azure AD we added the group confluence-administrators. Although this group is not selected in "Groups that can authenticate", these users consume licenses in Confluence.

Background:

We are preparing to move most users to Azure AD.

"Allow all users from this directory to authenticate" is not activated for Azure AD on the application Confluence.

4 answers

0 votes
Benjamin Brummer February 28, 2018

We are migrating to Azure AD and simply wanted to create all users and groups and then switch internal off. But we are reaching our license limit when we add users to Azure groups for later use in Atlassian applications.

The plan is now to change the current usernames to be the same as the ones later used in Azure, so applications should count them as the same user.

0 votes
Bruno Vincent
February 27, 2018

Hi @Benjamin Brummer

'confluence-administrators' may not be in your list of 'Groups that can authenticate' but from Confluence's perspective, it is a special group, that's why its users actually consume licenses. You can also see that special behaviour in Confluence's Administration UI > Users & Security > Global Permissions > Licensed Users.

(BTW if it's important for you not to see all your Azure AD users and groups in Crowd's console and then in Confluence, you might want to take a look at the Office 365 Directory Connector for Crowd (ODCC) plugin that has options to filter Azure AD users and groups. Disclaimer: I work for the vendor of the ODCC plugin.)

0 votes
Craig Castle-Mead
February 27, 2018

Hey Benjamin,

There is nothing wrong with your configuration; this is how the products are expected to work. However, many people don’t expect this behavior (me included initially). If a user shows in a Crowd directory, then they will sync to the applications connected to it. You can then limit who can actually use the product via the application license groups and the “allowed to authenticate”.

The only way we have found so far to limit users getting to the apps is to have groups in AD/LDAP and then ingest into Crowd using an LDAP filter that limits scope to just that set of users.

Apart from having a giant list of users in the application that you likely don’t want to see, and the possibility that there may be a performance hit by storing data that’s never used, is there a functional issue you’re trying to work around?

CCM

0 votes
Benjamin Brummer February 27, 2018

Same issue on Jira. Only jira-users is activated for the Jira application in Crowd, but members of the jira-administrators group incloud are consuming licenses.

It looks like if you add an Azure AD to an application, all users are synced to the application. "Allow all users from this directory to authenticate" or selecting only some groups is not working.
