Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Nested groups flattening with Azure AD sync – Early Access Program / General Announcement

July 11, 2022

Hi Atlassian Community,

UPDATE June 2023:

I’m excited to announce the general availability of Microsoft Azure Active Directory (AD) for nested groups. The early access program (EAP) for Azure AD sync is finished.

Here's the General Announcement community blogpost: 

https://community.atlassian.com/t5/Enterprise-articles/Azure-AD-for-nested-groups-is-now-generally-available/ba-p/2391051 

I’m Ben, a Product Manager on the Cloud Migrations team.

I’m excited to share that we’ve just started an Early Access Program (EAP) for Azure AD sync, which is an integration between Microsoft Azure Active Directory (Azure AD) and Atlassian Cloud that supports nested groups flattening.

Over the past few years, we’ve seen requests to add support for nested groups in Atlassian Cloud. Although nested groups aren’t supported and we don’t plan to support them in the nearest future, you can keep the nested structure in your external user directory and use the flattened structure in Atlassian Cloud.

We believe that a flattened structure lets you manage permissions and your organisational structure in a similar way to our Server and Data Center products. You can achieve such a structure by using an identity provider or syncing method that supports flattening.

How flattening works

We’ve published an article that explains how flattening works and how to best approach nested groups when moving to Cloud. For details, see Prepare nested groups for Cloud migration.

To give you an example, this is how a flattened structure could look in Atlassian Cloud. As you can see, although groups are no longer nested within one another, all effective memberships are kept:

nest1.png

Supported IdPs and nested groups flattening

Here’s a summary of how identity providers supported in Atlassian Cloud approach nested groups and flattening:

Identity provider

How it works

Details and related links

Okta

  • These identity providers flatten nested groups when you import them from your user directory

  • You then connect any of them to Atlassian Cloud over SCIM and sync the flat structure

PingFederate

OneLogin

Microsoft Azure Active Directory (Azure AD)

  • Atlassian created a custom integration for syncing users from Azure AD to Atlassian Cloud

  • The nested structure is flattened while syncing

  • You can’t flatten nested groups when connecting to Azure AD over SCIM

G Suite

  • G Suite supports nested groups

  • When syncing to Atlassian Cloud, you must select every group (parent and nested) separately in the sync settings. These groups will be synced as a flat structure.

  • Any group that isn’t selected won’t be synced and users will lose memberships in it.

More on Azure AD sync

If you use Microsoft Azure Active Directory and nested groups, you’ll need to use Azure AD sync to flatten and sync them to Atlassian Cloud. Flattening isn’t supported when connecting to Azure AD over SCIM. 

What’s included in the EAP/GA:

  • Automatic syncing of users and groups from Azure AD to Atlassian Cloud

  • Flattening of nested groups on the way to Atlassian Cloud, with all effective group memberships preserved

  • Group filtering, automatic domain claim, authentication policies, single sign-on for synced users

nest2.png

nest3.png

If you already provision users from Azure Active Directory over SCIM, you will need to disable SCIM and switch to AzureAD sync. When having larger amount of groups, it takes time until we completely disable SCIM on our side - you can read more here. We’re working on solving this issue.

Comment
Watch
Like # people like this
17970 views

15 comments

Comment

Log in or Sign up to comment
Jack Brickey
Jack Brickey
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
July 28, 2022

Nice article @Ben Borecki . While it isn't immediately applicable to me I enjoyed it just the same. Thanks for sharing.

Like Yatish Madhav likes this
Masayuki Abe
Masayuki Abe
Contributor
August 3, 2022

@Ben Borecki 

If I switch to Azure AD Sync, will the group name changes in Azure AD be synced to the Atlassian Cloud side?

Like
Ben Borecki
Ben Borecki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 10, 2022

@Masayuki Abe unfortunately we don't support group renaming in Azure AD sync - group name changes in AzureAD won't be reflected in Atlassian cloud. 

Like
Masayuki Abe
Masayuki Abe
Contributor
October 10, 2022

@Ben Borecki I will wait for another feature request release

Like
Mark Holmes _Adaptavist_
Mark Holmes _Adaptavist_
Contributor
October 25, 2022

@Ben Borecki I am working on my first Could Migration from DC for Jira and we have to deal with Azure AD and Nested Groups. I'd love to explore the EAP. I'll email you.

Like Ben Borecki likes this
Ben Borecki
Ben Borecki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 30, 2022

@Mark Holmes _Adaptavist_ we'd be happy to onboard you to the EAP! 

Like Mark Holmes _Adaptavist_ likes this
Ilango A
Ilango A February 8, 2023

Hello @Ben Borecki , this is a great feature that we are looking forward to. Do you have an ETA for the public release please?

Cheers!

Like
Ben Borecki
Ben Borecki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 15, 2023

Hey @Ilango A we plan to have the public release around June/July 2023! We're going to update this blogpost right after general announcement. Stay tuned!

Like
Klaus Floth
Klaus Floth
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 5, 2023

Hi @Ben Borecki, we are really looking forward to this feature in the Atlassian cloud, which we were already used to in the server variant. I learned if we'd like to join the EAP we'd have to switch from SCIM to Azure AD sync. However, our IT department does not want to use an unreleased and unsupported feature productively. How does it work when nested groups flattening is publicly released? Do we still have to switch from SCIM to Azure AD sync to use this feature then or will it be available with SCIM?

Like
Ben Borecki
Ben Borecki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 6, 2023

Hi @Klaus Floth the public release is now in progress, we should roll-out the changes to all customers by the end of June/early July. Nested groups flattening won't be supported in AzureAD SCIM, so you will have to switch to AzureAD.

Like Tomislav Tobijas _Koios_ likes this
Ben Borecki
Ben Borecki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 16, 2023

Hi @Klaus FlothAzureAD sync was just released to public. You can find the documentation explaining how to switch from SCIM to Azure AD sync here: https://confluence.atlassian.com/enterprise/switch-from-scim-to-azure-ad-sync-1141966053.html

Like
Klaus Floth
Klaus Floth
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 17, 2023

Hi @Ben Borecki, we tested Azure AD Sync with nested groups plattening support today but we found out that we either can synchronize all Azure AD groups (which does not suit us at all, because synchronising all groups would firstly make the group list in Atlassian Access very confusing, as we only need a fraction of the groups here, and secondly the synchronisation would take a very long time due to the number of groups in our AD) or only explicitely spezified ones, but it seem not to be possible to sync groups fitting to some kind of regex. E.g. if we have a couple of groups with names starting with "SW_Atlassian_" we can't configure groups synchronization with wildcards like "SW_Atlassian_*". This would mean that we would always have to explicitly include every newly created group that we need in Atlassian Access in the list of groups to be synchronised. Is this correct or did we overlook something?

Like
Ben Borecki
Ben Borecki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 18, 2023

@Klaus Floth 

 it seem not to be possible to sync groups fitting to some kind of regex.

Thanks for the feedback. You're right - that option doesn't exist right now. If you find that option useful, you can create a JAC ticket so we can start gathering interest. Similar to the https://jira.atlassian.com/browse/ACCESS-1426 issue.

> E.g. if we have a couple of groups with names starting with "SW_Atlassian_" we can't configure groups synchronization with wildcards like "SW_Atlassian_*". This would mean that we would always have to explicitly include every newly created group that we need in Atlassian Access in the list of groups to be synchronised. Is this correct or did we overlook something?

It would be best to reach out Atlassian support team, so they can help with figuring out the best workaround. However, what I can suggest from top of my mind is creating a parent group "SW_Atlassian" and adding all "SW_Atlassian_*" groups there. It's still manual though. 

Like
Fabian Krehnke
Fabian Krehnke
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 28, 2023

Cheers @Ben Borecki

For which license is it available? 
Was it rolled out for all those who have licensed Access or is an Enterprise license required? 

Like nojansen likes this
Ben Borecki
Ben Borecki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 9, 2023

Hi @Fabian Krehnke , AzureAD sync is available to any customer that has Atlassian Access.

Like Christoph Baumhoer likes this
Ben Borecki

Ben Borecki

Atlassian Team
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.

About this author

Product @ Atlassian

21 total posts

View profile
groups-icon
Enterprise
TAGS
AUG Leaders

Atlassian Community Events

    See all events