It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Can Azure AAD Guest Users log in with Atlassian Access?

Hi all,

I'm trying to set up Atlassian Access for SSO with Azure Active Directory and so far, everything is working fine for regular accounts. e.g.

My question is: can Azure B2B guest users also log on to Atlassian Access (e.g.

On the face of it, it does not seem possible, as their email address domains are not registered as verified domains in Atlassian Cloud. I worked around this by logging in with the Azure UPN (e.g., which correctly redirects to the Azure login page. 

Atlassian receives the SAML message, but then displays this message:

I assumed that this was due to the fact that Azure would deliver "" as an assertion inside the SAML message and Atlassian checks that against  the verified domains (say, "") and the mismatch leads to the message.

Now, I configured Azure so that "" is delivered inside the SAML message:

<Attribute Name=""> <AttributeValue></AttributeValue>

The same message still appears though. I'm at a loss now. Any suggestions? Has anybody got this to work? 

What exactly is happening behind the scenes here in Atlassian Access?


Thanks and cheers

1 answer

0 votes

Hi @Nils Löber ,

The screenshot with the error message seems to be missing.  Can you kindly re-upload it so that we can check what is the returned error?

Also, did you actually provision/invite the test user to the instance before trying to log-in? 



Hi Dario,

thank you for your reply. Here is the screenshot again:

The message text is:

Oops, there was an error logging you in.

Whoops! The email address you entered can't be used to log in here. Try logging in from, or check your email address with your Organisation admin.

Configuration guide and troubleshooting


I did not provision the user, but I did enable "Anyone can join", so I would assume the invitation would not be the problem. (I couldn't get provisioning to work yet and sending an invite by email is tricky in this case because the pseudo-address,i .e. does not work as an email address alias in Azure)

Thanks and best regards

Dario Atlassian Team Oct 17, 2019

Hi @Nils Löber ,

Unluckily the screenshot is still missing, however, if I have a correct understanding of what is happening I can say that it is perfectly normal that the 'external' email address does not work since it does not belong to the verified domain for your Organization.

As a workaround you could do something similar:

  1. Create in AD a groups for the guests accounts
  2. Create a temporary email address (valid) for the user that is something like and add it to the group
  3. Synchronize the group so the the user will be provisioned to the instance (see the User Provisioning page for details on how to do so)
  4. Once the project is over, deactivate the user in AD and this way, since the group is synchronized, it will be removed from your site as well.


Let me know if this helps or, if I didn't understand the problem correctly, please provide more details.



Suggest an answer

Log in or Sign up to answer
Community showcase
Posted in Jira

Demo Den Ep. 7: New Jira Cloud Reports

Learn how to use two new reports for next-gen projects in Jira Cloud:  Cumulative flow diagram and Sprint burndown chart. Ivan Teong, Product Manager, Jira Software, demos the Cumulative ...

375 views 1 3
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you