Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,638,458
Community Members
 
Community Events
196
Community Groups

Azure AD login and incoming email not matching up

Rodito Buan
Rodito Buan Sep 30, 2021

Hello All,

We have a bit of an issue with our Jira Service Management instance. We have everything setup and connected to our Azure AD. When people login they redirected to Office 365 which they use login@domain.com but when they email the service desk queue their email is defaulted to firstname.lastname@domain.com, now service desk thinks this is a new user and will assign it to the firstname.lastname@domain.com email address. When the user tries to login to service desk portal they do not see the issue because their account is tied up to login@domain.com.

My question is, Is there a way to merge those two if the login name is not the same as the default email address in Azure AD/Office 365? I would like to avoid having duplicate users in the Customers section.

Thanks

Answer
Watch
Like Be the first to like this
1305 views

1 answer

0 votes
Ed Letifov _TechTime - New Zealand_
Ed Letifov _TechTime - New Zealand_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
Sep 30, 2021 • edited Oct 16, 2021

We have discovered the following after long conversation with Atlassian Support:

Short summary: "Atlassian Cloud uses email of the user for everything. What you use to actually login into your IdP is irrelevant".

This is how two Atlassian Cloud enterprise applications need to be configured in Azure AD:

For the app responsible for SSO in Azure AD:

  • what is pushed into "name" attribute is absolutely irrelevant, might as well be the UPN to match the meaning a username in AAD
  • user's email (wherever it is stored in AAD) MUST be pushed to the Cloud's email attribute
  • "Unique User Identifier" in the SSO mappings has meaning "... in Atlassian Cloud" and MUST always be the email of the user.

For the app responsible for User Provisioning in Azure AD (we usually have 2 apps with separate concerns, if you have only one, apply the below to the User Provisioning config in that one):

  • what is pushed into "username" attribute is absolutely irrelevant, might as well be the UPN to match the meaning a username in AAD
  • user's email (wherever it is stored in AAD) MUST be pushed to the Cloud's email attribute
  • AAD objectId must be pushed as Cloud's externalId, and it MUST be selected as the one used for user record matching ("Matching Precedence" = 1)
  • any groups assigned to the app responsible for SSO in Azure AD MUST be included in the list of groups assigned to the app responsible for User Provisioning in Azure AD (as otherwise you'd have to rely on product access groups to actually have the user provisioned or won't be able to lock a user out temporarily by removing them from a group giving them SSO without triggering deactivation via User Provisioning)

Specifically the above configuration will ensure that both or either of email and UPN can be changed in Azure AD.

If the email address change is done on AAD site, the user should wait around 40 minutes (for user provisioning to push the change through) before attempting the login via SSO, since jumping into action too fast WILL create a new user based on the email being different.

Reply

Suggest an answer

Log in or Sign up to answer
Jira Service Desk
Jira Service Management
TAGS
AUG Leaders

Atlassian Community Events

See all events