
AAD SSO and Guest Users


I have a peculiar issue with Jira Cloud + Atlassian Access. We use SSO (to Azure AD) with automated provisioning for regular users, which works fine. Now, though, we are trying to add a few external partners to our Jira instance. They have Guest accounts in AAD, the provisioning works fine (AAD reports users are successfully created with the correct attributes), but they are not appearing in the "Users" list in Jira, and are unable to log in via our SSO.

I'm sure I'm missing something in the configuration, I just can't work out what/where!

Any pointers on where I should look? Is it more likely to be in Atlassian Access config, or Jira Core/Software?

Follow-up: could it be because I can't add the external partners' email domain to "Verified Domains"? I really, really don't want to go creating accounts in our domain for these partners.

2 answers

1 accepted

0 votes
Answer accepted
Daniel Ebers Community Leader Dec 31, 2020

Hi Peter,

I remember there has been a discussion around that topic lately which was referred to as a Suggestion in

Could you please kindly check if this corresponds to your scenario also?
The former request was slightly divergent, but only in some details.

If this matches, the current status was that this Suggestion is ongoing and it should not take so long until it is implemented.


Thank you - that's exactly it. I will go comment on the Issue (didn't think to search there).

Daniel Ebers Community Leader Dec 31, 2020

No worries! There is so much information stored here -- which is pretty good -- but sometimes it is hard to find all of it quickly.

Glad this helped!

Peter, did you ever find a way to have your unmanaged guests log in via SSO with AAD? We're up against the same situation and provisioning isn't the problem.

Yes, it's all working since an Atlassian update a while back. I had to tweak the SAML attributes in the Azure AD enterprise app, as the defaults use UPN as UID (which can be "peculiar" for Guest accounts):


Thanks for the quick reply Peter!  We tried provisioning a Guest (different domain than our verified domain) into our Atlassian cloud directory and it imports as a user of the products, but never shows in our directory of managed accounts.  We still seem to not have the ability to scope an authentication policy to anything other than managed accounts, so the guest logging in with an email address and domain different than our verified managed domain still doesn't work.  Are we missing something by chance?

Hmm, not a problem I've come across, I'm afraid - I have a single default Authentication Policy set up (applies to "All Users"), with "Enforce SSO" set, as we don't need to support non-SSO users, so it may be I'd have a similar problem if I had to support that. Sadly, it sounds like this needs to be an Atlassian support ticket 😒
