We use Crowd together with Confluence.
The application has Azure AD mapped to Confluence, but only the group confluence-users is selected in "Groups that can authenticate".
In Azure AD we added the group confluence-administrators. Although this group is not selected in "Groups that can authenticate", these users consume licenses in Confluence.
We are preparing to move most users to Azure AD.
"Allow all users from this directory to authenticate" is not activated for Azure AD on the Confluence application.
Same issue on Jira. Only jira-users is activated for the Jira application in Crowd, but members of the jira-administrators group in cloud are consuming licenses.
It looks like if you add an Azure AD to an application, all users are synced to the application. "Allow all users from this directory to authenticate" or selecting only some groups is not working.
There is nothing wrong with your configuration, this is how the products are expected to work, however many people don’t expect this behavior (me included initially). If a user shows in a Crowd directory, then they will sync to the applications connected to it. You can then limit who can actually use the product via the application license groups and the “allowed to authenticate”.
The only way we have found so far to limit users getting to the apps is to have groups in AD/LDAP and then ingest into Crowd using an LDAP filter that limits scope to just that set of users.
Apart from having a giant list of users in the application that you likely don’t want to see, and the possibility that there may be a performance hit by storing data that’s never used, is there a functional issue you’re trying to work around?
'confluence-administrators' may not be in your list of 'Groups that can authenticate' but from Confluence's perspective, it is a special group, that's why its users actually consume licenses. You can also see that special behaviour in Confluence's Administration UI > Users & Security > Global Permissions > Licensed Users.
(BTW if it's important for you not to see all your Azure AD users and groups in Crowd's console and then in Confluence, you might want to take a look at the Office 365 Directory Connector for Crowd (ODCC) plugin that has options to filter Azure AD users and groups. Disclaimer: I work for the vendor of the ODCC plugin.)
We are migrating to Azure AD and simply wanted to create all users and groups and then switch internal off. But we are reaching our license limit when we add users to Azure groups for later use in Atlassian applications.
The plan is now to change current usernames to be the same as the later ones used in Azure, so applications should count them as the same user.