Nested groups flattening with Azure AD sync – Early Access Program

Hi Atlassian Community,

I’m Ben, a Product Manager on the Cloud Migrations team.

I’m excited to share that we’ve just started an Early Access Program (EAP) for Azure AD sync, which is an integration between Microsoft Azure Active Directory (Azure AD) and Atlassian Cloud that supports nested groups flattening.

Over the past few years, we’ve seen requests to add support for nested groups in Atlassian Cloud. Although nested groups aren’t supported and we don’t plan to support them in the near future, you can keep the nested structure in your external user directory and use the flattened structure in Atlassian Cloud.

We believe that a flattened structure lets you manage permissions and your organisational structure in a similar way to our Server and Data Center products. You can achieve such a structure by using an identity provider or syncing method that supports flattening.

How flattening works

We’ve published an article that explains how flattening works and how to best approach nested groups when moving to Cloud. For details, see Prepare nested groups for Cloud migration.

To give you an example, this is how a flattened structure could look in Atlassian Cloud. As you can see, although groups are no longer nested within one another, all effective memberships are kept:

[Image: nest1.png]

Supported IdPs and nested groups flattening

Here’s a summary of how identity providers supported in Atlassian Cloud approach nested groups and flattening:

Identity provider: Okta, PingFederate, OneLogin
How it works:
  • These identity providers flatten nested groups when you import them from your user directory
  • You then connect any of them to Atlassian Cloud over SCIM and sync the flat structure

Identity provider: Microsoft Azure Active Directory (Azure AD)
How it works:
  • Atlassian created a custom integration for syncing users from Azure AD to Atlassian Cloud
  • The nested structure is flattened while syncing
  • You can’t flatten nested groups when connecting to Azure AD over SCIM
Details and related links: Available as Early Access Program (EAP)

Identity provider: G Suite
How it works:
  • G Suite supports nested groups
  • When syncing to Atlassian Cloud, you must select every group (parent and nested) separately in the sync settings. These groups will be synced as a flat structure.
  • Any group that isn’t selected won’t be synced and users will lose memberships in it.

More on Azure AD sync

If you use Microsoft Azure Active Directory and nested groups, you’ll need to use Azure AD sync to flatten and sync them to Atlassian Cloud. Flattening isn’t supported when connecting to Azure AD over SCIM. The Early Access Program (EAP) for Azure AD sync is now open for Atlassian Enterprise and paid Access customers. To participate in the EAP, let us know: Azure AD sync is currently hidden behind a feature flag.

What’s included in the EAP:

  • Automatic syncing of users and groups from Azure AD to Atlassian Cloud

  • Flattening of nested groups on the way to Atlassian Cloud, with all effective group memberships preserved

  • Group filtering, automatic domain claim, authentication policies, single sign-on for synced users

[Image: nest2.png]

[Image: nest3.png]

If you already provision users from Azure Active Directory over SCIM, you will need to disable SCIM and switch to Azure AD sync. If you have a large number of groups, it takes time until we completely disable SCIM on our side; you can read more here. We’re working on solving this issue.

Join the EAP

If you’d like to participate in the EAP, please create a ticket here: join AzureAD sync EAP.

If you have feedback or questions about nested groups migrations, let us know in the comments.
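The flattening described in the post, as an added example that is not part of the original post and not Atlassian's implementation: it computes every effective membership from a nested directory and audits a target export against the result. The function names, group names, user names and both data sets are constructed for illustration.

```python
# Added example: all names and data below are constructed, not from the post.

def flatten(direct_users, child_groups):
    """Return {group: set of users} holding every effective membership."""
    def resolve(group, seen):
        if group in seen:  # already expanded, or circular nesting
            return set()
        seen.add(group)
        users = set(direct_users.get(group, ()))
        for child in child_groups.get(group, ()):
            users |= resolve(child, seen)
        return users

    names = set(direct_users) | set(child_groups)
    for children in child_groups.values():
        names.update(children)
    # A fresh 'seen' per group, so shared children count for every parent.
    return {g: resolve(g, set()) for g in sorted(names)}


def pairs(flat):
    """Turn {group: users} into a set of (user, group) memberships."""
    return {(user, group) for group, users in flat.items() for user in users}


def audit(expected, actual):
    """Compare expected effective memberships with the synced flat groups."""
    exp, act = pairs(expected), pairs(actual)
    return {"missing": sorted(exp - act), "unexpected": sorted(act - exp)}


# Constructed source directory: users placed directly in each group.
DIRECT_USERS = {"all-staff": ["ana"], "engineering": ["bo"],
                "backend": ["cy"], "platform": ["di"]}
# Constructed nesting, including a backend <-> platform cycle.
CHILD_GROUPS = {"all-staff": ["engineering"],
                "engineering": ["backend", "platform"],
                "backend": ["platform"], "platform": ["backend"]}
# Constructed target export: 'backend' was not synced, 'eve' was added by hand.
TARGET_EXPORT = {"all-staff": {"ana", "bo", "cy", "di"},
                 "engineering": {"bo", "cy", "di", "eve"},
                 "platform": {"cy", "di"}}

if __name__ == "__main__":
    flat = flatten(DIRECT_USERS, CHILD_GROUPS)
    for group, users in flat.items():
        print(group, sorted(users))
    print(audit(flat, TARGET_EXPORT))
```

"missing" lists memberships users would lose because a group was not synced; "unexpected" lists memberships in the target that the source directory does not justify.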

 

6 comments

Jack Brickey Community Leader Jul 28, 2022

Nice article @Ben Borecki. While it isn't immediately applicable to me I enjoyed it just the same. Thanks for sharing.

@Ben Borecki 

If I switch to Azure AD Sync, will the group name changes in Azure AD be synced to the Atlassian Cloud side?

Ben Borecki Atlassian Team Oct 10, 2022

@Masayuki Abe unfortunately we don't support group renaming in Azure AD sync - group name changes in AzureAD won't be reflected in Atlassian cloud. 

@Ben Borecki I will wait for another feature request release

@Ben Borecki I am working on my first Cloud Migration from DC for Jira and we have to deal with Azure AD and Nested Groups. I'd love to explore the EAP. I'll email you.

Ben Borecki Atlassian Team Oct 30, 2022

@Mark Holmes we'd be happy to onboard you to the EAP! 
