Nested groups flattening with Azure AD sync – Early Access Program / General Announcement

Hi Atlassian Community,


UPDATE June 2023:

I’m excited to announce the general availability of Microsoft Azure Active Directory (AD) sync for nested groups. The early access program (EAP) for Azure AD sync is finished.

Here's the General Announcement community blogpost: 

https://community.atlassian.com/t5/Enterprise-articles/Azure-AD-for-nested-groups-is-now-generally-available/ba-p/2391051 


I’m Ben, a Product Manager on the Cloud Migrations team.

I’m excited to share that we’ve just started an Early Access Program (EAP) for Azure AD sync, which is an integration between Microsoft Azure Active Directory (Azure AD) and Atlassian Cloud that supports nested groups flattening.

Over the past few years, we’ve seen requests to add support for nested groups in Atlassian Cloud. Although nested groups aren’t supported and we don’t plan to support them in the near future, you can keep the nested structure in your external user directory and use the flattened structure in Atlassian Cloud.

We believe that a flattened structure lets you manage permissions and your organisational structure in a similar way to our Server and Data Center products. You can achieve such a structure by using an identity provider or syncing method that supports flattening.

How flattening works

We’ve published an article that explains how flattening works and how to best approach nested groups when moving to Cloud. For details, see Prepare nested groups for Cloud migration.

To give you an example, this is how a flattened structure could look in Atlassian Cloud. As you can see, although groups are no longer nested within one another, all effective memberships are kept:

nest1.png

Supported IdPs and nested groups flattening

Here’s a summary of how identity providers supported in Atlassian Cloud approach nested groups and flattening:

Identity provider and how it works:

Okta, PingFederate, OneLogin

  • These identity providers flatten nested groups when you import them from your user directory

  • You then connect any of them to Atlassian Cloud over SCIM and sync the flat structure

Microsoft Azure Active Directory (Azure AD)

  • Atlassian created a custom integration for syncing users from Azure AD to Atlassian Cloud

  • The nested structure is flattened while syncing

  • You can’t flatten nested groups when connecting to Azure AD over SCIM

G Suite

  • G Suite supports nested groups

  • When syncing to Atlassian Cloud, you must select every group (parent and nested) separately in the sync settings. These groups will be synced as a flat structure.

  • Any group that isn’t selected won’t be synced and users will lose memberships in it.
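As an added illustration of what "flattening with all effective memberships kept" means (this is not Atlassian's sync code, and the directory below is constructed), the following resolves every group to the users it contains directly or through any chain of nested groups, terminates on membership cycles, and reports which memberships disappear when a group is left out of the sync, as the G Suite row describes. It assumes effective membership is resolved over the full nested directory before any group selection is applied.

```python
from collections import deque

# Constructed nested directory: a group's members may be users or other
# groups. "db-admins" nests "backend" while "backend" nests "db-admins",
# a membership cycle that a naive recursive flattener would never finish.
NESTED_DIRECTORY = {
    "all-engineering": {"users": ["alice"], "groups": ["backend", "frontend"]},
    "backend": {"users": ["bob"], "groups": ["db-admins"]},
    "frontend": {"users": ["carol"], "groups": []},
    "db-admins": {"users": ["dave"], "groups": ["backend"]},
}


def effective_members(directory, group):
    """All users who are members of `group` directly or via nested groups.

    Breadth-first walk over the group graph; the `seen` set makes cycles
    terminate and stops a group from being expanded twice."""
    users, seen, queue = set(), set(), deque([group])
    while queue:
        current = queue.popleft()
        if current in seen or current not in directory:
            continue  # already expanded, or a dangling reference
        seen.add(current)
        entry = directory[current]
        users.update(entry["users"])
        queue.extend(entry["groups"])
    return frozenset(users)


def flatten(directory, selected=None):
    """The flat structure: each group maps straight to its effective users
    and nesting disappears. With `selected`, only those groups exist on the
    Cloud side; their membership is still resolved through child groups that
    were not selected, because the closure runs over the full directory."""
    groups = directory if selected is None else [g for g in selected if g in directory]
    return {g: effective_members(directory, g) for g in groups}


def memberships_lost(directory, selected):
    """Groups (and the users in them) that are dropped because they were not
    selected for sync: a pre-migration check for the G Suite caveat above."""
    partial = flatten(directory, selected)
    return {g: m for g, m in flatten(directory).items() if g not in partial}
```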

More on Azure AD sync

If you use Microsoft Azure Active Directory and nested groups, you’ll need to use Azure AD sync to flatten and sync them to Atlassian Cloud. Flattening isn’t supported when connecting to Azure AD over SCIM. 

What’s included in the EAP/GA:

  • Automatic syncing of users and groups from Azure AD to Atlassian Cloud

  • Flattening of nested groups on the way to Atlassian Cloud, with all effective group memberships preserved

  • Group filtering, automatic domain claim, authentication policies, single sign-on for synced users

nest2.png

nest3.png

If you already provision users from Azure Active Directory over SCIM, you will need to disable SCIM and switch to Azure AD sync. When you have a large number of groups, it takes time until we completely disable SCIM on our side; you can read more here. We’re working on solving this issue.

15 comments

Jack Brickey
Community Leader
July 28, 2022

Nice article @Ben Borecki . While it isn't immediately applicable to me I enjoyed it just the same. Thanks for sharing.

Masayuki Abe August 3, 2022

@Ben Borecki 

If I switch to Azure AD Sync, will the group name changes in Azure AD be synced to the Atlassian Cloud side?

Ben Borecki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 10, 2022

@Masayuki Abe unfortunately we don't support group renaming in Azure AD sync - group name changes in AzureAD won't be reflected in Atlassian cloud. 

Masayuki Abe October 10, 2022

@Ben Borecki I will wait for another feature request release

Mark Holmes (Adaptavist) October 25, 2022

@Ben Borecki I am working on my first Cloud Migration from DC for Jira and we have to deal with Azure AD and Nested Groups. I'd love to explore the EAP. I'll email you.

Ben Borecki
Atlassian Team
October 30, 2022

@Mark Holmes (Adaptavist) we'd be happy to onboard you to the EAP! 

Ilango A February 8, 2023

Hello @Ben Borecki , this is a great feature that we are looking forward to. Do you have an ETA for the public release please?

Cheers!

Ben Borecki
Atlassian Team
May 15, 2023

Hey @Ilango A we plan to have the public release around June/July 2023! We're going to update this blogpost right after general announcement. Stay tuned!

Klaus Floth June 5, 2023

Hi @Ben Borecki, we are really looking forward to this feature in the Atlassian cloud, which we were already used to in the server variant. I learned if we'd like to join the EAP we'd have to switch from SCIM to Azure AD sync. However, our IT department does not want to use an unreleased and unsupported feature productively. How does it work when nested groups flattening is publicly released? Do we still have to switch from SCIM to Azure AD sync to use this feature then or will it be available with SCIM?

Ben Borecki
Atlassian Team
June 6, 2023

Hi @Klaus Floth the public release is now in progress, we should roll out the changes to all customers by the end of June/early July. Nested groups flattening won't be supported in AzureAD SCIM, so you will have to switch to AzureAD.

Ben Borecki
Atlassian Team
June 16, 2023

Hi @Klaus Floth, AzureAD sync was just released to the public. You can find the documentation explaining how to switch from SCIM to Azure AD sync here: https://confluence.atlassian.com/enterprise/switch-from-scim-to-azure-ad-sync-1141966053.html

Klaus Floth July 17, 2023

Hi @Ben Borecki, we tested Azure AD Sync with nested groups flattening support today but we found out that we either can synchronize all Azure AD groups (which does not suit us at all, because synchronising all groups would firstly make the group list in Atlassian Access very confusing, as we only need a fraction of the groups here, and secondly the synchronisation would take a very long time due to the number of groups in our AD) or only explicitly specified ones, but it seems not to be possible to sync groups fitting to some kind of regex. E.g. if we have a couple of groups with names starting with "SW_Atlassian_" we can't configure groups synchronization with wildcards like "SW_Atlassian_*". This would mean that we would always have to explicitly include every newly created group that we need in Atlassian Access in the list of groups to be synchronised. Is this correct or did we overlook something?

Ben Borecki
Atlassian Team
July 18, 2023

@Klaus Floth 

> it seems not to be possible to sync groups fitting to some kind of regex.

Thanks for the feedback. You're right - that option doesn't exist right now. If you find that option useful, you can create a JAC ticket so we can start gathering interest. Similar to the https://jira.atlassian.com/browse/ACCESS-1426 issue.

> E.g. if we have a couple of groups with names starting with "SW_Atlassian_" we can't configure groups synchronization with wildcards like "SW_Atlassian_*". This would mean that we would always have to explicitly include every newly created group that we need in Atlassian Access in the list of groups to be synchronised. Is this correct or did we overlook something?

It would be best to reach out to the Atlassian support team, so they can help with figuring out the best workaround. However, what I can suggest off the top of my head is creating a parent group "SW_Atlassian" and adding all "SW_Atlassian_*" groups there. It's still manual though.

Fabian Krehnke July 28, 2023

Cheers @Ben Borecki

For which license is it available? 
Was it rolled out for all those who have licensed Access or is an Enterprise license required? 

Ben Borecki
Atlassian Team
August 9, 2023

Hi @Fabian Krehnke , AzureAD sync is available to any customer that has Atlassian Access.
