
Mapping Azure AD (Entra ID) or Okta Users with Jira Users and Jira Groups

The Assets module of JSM provides amazing features. Two of its useful capabilities are attributes of type “Jira User” and “Jira Group”. On this page, we provide 2 different methods to map Azure AD or Okta users to Jira Users and Jira Groups in JSM Assets.

This is very handy if you are using Atlassian Access and already have a sync configuration for users and groups.

The example use case could be as follows:

Use Case:

As an Asset and Configuration Manager, I would like to keep track of all the Microsoft Entra ID (a.k.a. Azure AD) or Okta User records and extend them by adding their Jira User and Jira Groups information.

 

The following are just 2 possible options to fulfill the use case.

 

This article includes examples of using the listed JSM Automation Components together with Assets:

 

Trigger
  • Schedule Trigger
  • Object Trigger
Condition
  • AQL condition
  • Advanced compare condition
Branch
  • Branch on AQL
Action 
  • Send web request
  • Edit object
  • Create variable
  • Log action

 

 

Instructions

Option 1:

Update objects instantly when they are created and set the Jira User and Jira Groups.

 

1- Install Azure AD (Microsoft Entra ID) Importer for JSM Assets or Okta Importer for JSM Assets from the marketplace.

2- Configure and import your organizational data (i.e. Users and Managers)

3- Set the scheduling for automated replication.

4- Select the “Azure AD” object schema and “Users” object type. Select “Attributes”.

5- Add one new attribute to the end and call it “Jira User”. Set the type to “User”.

6- Add another attribute for “Jira Groups” and set the type to “Groups” as shown in the image below.

Additional Attributes.jpg

7- Create an automation rule at the Global level with the following steps.

Object Trigger: Select “Object Trigger” as the trigger and open the “Created” tab. Select the “Azure AD” object schema.

AQL condition: Check that the newly created object is a Users object:

objecttype = Users

Send web request:

Search for the user’s “Jira User” record using the Jira REST API and get the accountId.

Send a web request to Jira API using the URL:

https://your-site-name.atlassian.net/rest/api/2/user/search?query={{object."E-mail Address"}}

The hidden part in the Authorization header needs to be in a format like:

Basic Y29udGFwgpxxxxxxxmdHdhcyyyyWxNZmh4SVdUeFU1YWtwSHJDljI5xxxx

Please note that your email address and API token need to be Base64 encoded, as explained in the following Atlassian document:

Basic auth for REST APIs

Advanced compare condition:

Make sure that you found only one record. Check the value for:

{{webResponse.body.size}}

 

9- From this point please follow Scenario 1 or 2 described at the bottom of this page to complete your automation rule.

 

Pro Tip: We recommend using the “Log Action” component between the steps above to see if you have mapped the fields properly and the data is flowing as expected. This will save time while you are troubleshooting your rule.

 

Option 2:

Update objects periodically (i.e. daily or hourly) and set the Jira User and Jira Groups.

1- If you have a scheduled Azure AD import configuration in your Azure AD Importer for JSM Assets application then there is a chance that the Jira User is not created at the time of Azure AD import. This requires the mapping to be performed not in real-time but periodically (i.e. hourly or daily).

2- Follow the same steps as Option 1 above, until Step 7.

3- Create an automation rule at the Global level.

 

Schedule trigger: Select “Scheduled” as the rule trigger and define the schedule period, e.g. every day at 3 AM or hourly.

Branch on AQL: Select the Users in the “Azure AD” object schema that don’t have the Jira User defined. Use the AQL:

objecttype = Users and "Jira User" is empty

Send web request:

Search for the user’s “Jira User” record using the Jira REST API and get the accountId.

Send a web request to Jira API using the URL:

https://your-site-name.atlassian.net/rest/api/2/user/search?query={{object."E-mail Address"}}

The hidden part in the Authorization header needs to be in a format like:

Basic Y29udGFwgpxxxxxxxmdHdhcyyyyWxNZmh4SVdUeFU1YWtwSHJDljI5xxxx

Please note that your email address and API token need to be Base64 encoded, as explained in the following Atlassian document:

Basic auth for REST APIs

Advanced compare condition:

Make sure that you found only one record. Check the value for:

{{webResponse.body.size}}

 

4- From this point please follow Scenario 1 or 2 described at the bottom of this page to complete your automation rule.

 

Note: Branch on AQL has a limit on the number of objects it processes. For example, if your AQL returns more than 50 objects, only the first 50 will be processed.
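The header format and the "only one record" check from Options 1 and 2, written out in Python as an added example (not part of the original article or of any Atlassian tooling). The sample responses are constructed, and the active, accountType and e-mail comparisons go beyond the article's size check as assumptions of this example; they matter because the search `query` also matches display names and partial values.

```python
import base64
from urllib.parse import urlencode

SITE = "https://your-site-name.atlassian.net"  # placeholder site name used in the article

def basic_auth_header(email, api_token):
    """Authorization value: 'Basic ' + Base64 of 'email:api_token'."""
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic_header(header):
    """Base64 is reversible: anyone who can read the header recovers the token."""
    return base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")

def user_search_url(email):
    """Percent-encode the address so '+' or '&' cannot alter the query string."""
    return f"{SITE}/rest/api/2/user/search?" + urlencode({"query": email})

def pick_account_id(search_body, email):
    """Return an accountId only when the search result is unambiguous, else None."""
    if len(search_body) != 1:  # same test as {{webResponse.body.size}} equals 1
        return None
    user = search_body[0]
    # Extra checks (assumptions of this example): active, human Atlassian account.
    if not user.get("active") or user.get("accountType") != "atlassian":
        return None
    # emailAddress can be hidden by profile privacy settings; compare only if present.
    found = user.get("emailAddress")
    if found is not None and found.lower() != email.lower():
        return None
    return user["accountId"]

# Constructed sample search responses (not real accounts).
ONE_MATCH = [{"accountId": "constructed-id-0001", "accountType": "atlassian",
              "emailAddress": "jane.doe@example.com", "active": True}]
PREFIX_MATCH = [{"accountId": "constructed-id-0002", "accountType": "atlassian",
                 "emailAddress": "jane.doe@example.com.invalid", "active": True}]
TWO_MATCHES = ONE_MATCH + PREFIX_MATCH

if __name__ == "__main__":
    header = basic_auth_header("admin@example.com", "constructed-token")
    print(header, "->", decode_basic_header(header))
    print(user_search_url("jane.doe+ops@example.com"))
    for body in (ONE_MATCH, PREFIX_MATCH, TWO_MATCHES, []):
        print(len(body), pick_account_id(body, "jane.doe@example.com"))
```

Because the header decodes straight back to the e-mail address and token, keep it out of Log action output and rule exports, and generate the token from an account that has only the permissions the rule needs.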

 

Scenario 1


Add only the Jira User to the object.

 

Edit object:

Edit the created object and set the Jira User attribute using the Smart Value.

{{webResponse.body.accountId}}

 

Scenario 2


Add the Jira User and the Jira Groups.

 

Create a variable named jiraUserAccountId with the smart value:

{{webResponse.body.accountId}}

Send a web request to the following URL:

 https://your-site-name.atlassian.net/rest/api/3/user/groups?accountId={{jiraUserAccountId}}

This request collects the list of Jira Groups for the user from the Jira Cloud platform.

Make sure that the response has the information needed by checking:

 {{webResponse.body.size}}

Collect all the Jira Groups into a variable called jiraGroups by using the smart value:

 {{webResponse.body.name.asJsonObject("value").asJsonArray}}

To be able to update the object, first, you need to find the Workspace ID for your Assets environment by sending a web request to:

https://your-site-name.atlassian.net/rest/servicedeskapi/assets/workspace

Create a variable named workspaceId with the smart value:

{{webResponse.body.values.workspaceId}}

Not a step in the automation: Check the Object Type configuration for your Users object type and get the ID. In the screenshot you will see that it is 449 for our demo site.

Not a step in the automation: Take note of the object type attribute IDs for the new attributes you created. You may find them in the screenshot as 6037 and 6038 for our demo site.

Add a new step to update the object. Send a PUT request this time to the URL:

 https://api.atlassian.com/jsm/assets/workspace/{{workspaceId}}/v1/object/{{object.id}}

Select the web request body as “Custom data” and copy and paste the following JSON example. Update the object type ID and attribute IDs accordingly.

Add the response status code to the Audit log as

{{webResponse.status}}

You should see “200” in the logs if everything is fine.

 

Custom Data Example:

{
  "attributes": [
    {
      "objectTypeAttributeId": "6037",
      "objectAttributeValues": [
        {
          "value": "{{jiraUserAccountId}}"
        }
      ]
    },
    {
      "objectTypeAttributeId": "6038",
      "objectAttributeValues": {{jiraGroups}}
    }
  ],
  "objectTypeId": "449"
}
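The Scenario 2 request body built from the API responses with a JSON serializer instead of a text template, as an added Python example (not part of the original article). The sample responses are constructed; the IDs 449, 6037 and 6038 are the demo-site values from the article. One group name contains quotes to show the case where pasting values into a template would produce invalid JSON.

```python
import json

# IDs shown for the article's demo site; replace them with your own.
USERS_OBJECT_TYPE_ID = "449"
JIRA_USER_ATTR_ID = "6037"
JIRA_GROUPS_ATTR_ID = "6038"

def workspace_id_from(body):
    """Read workspaceId from the /rest/servicedeskapi/assets/workspace response."""
    values = body.get("values", [])
    if len(values) != 1:
        raise ValueError("expected exactly one Assets workspace")
    return values[0]["workspaceId"]

def update_url(workspace_id, object_id):
    """URL of the PUT request that updates one Assets object."""
    return f"https://api.atlassian.com/jsm/assets/workspace/{workspace_id}/v1/object/{object_id}"

def group_values(groups_body):
    """Shape the jiraGroups variable is meant to hold: [{"value": "<group name>"}, ...]."""
    return [{"value": g["name"]} for g in groups_body if g.get("name")]

def build_update_body(account_id, groups_body):
    """Serialize the PUT body; json.dumps escapes quotes and backslashes in names."""
    if not account_id:
        raise ValueError("refusing to write an empty Jira User")
    return json.dumps({
        "attributes": [
            {"objectTypeAttributeId": JIRA_USER_ATTR_ID,
             "objectAttributeValues": [{"value": account_id}]},
            {"objectTypeAttributeId": JIRA_GROUPS_ATTR_ID,
             "objectAttributeValues": group_values(groups_body)},
        ],
        "objectTypeId": USERS_OBJECT_TYPE_ID,
    })

# Constructed sample responses (not real data).
WORKSPACE_BODY = {"size": 1, "values": [{"workspaceId": "constructed-workspace-id"}]}
GROUPS_BODY = [{"name": "asset-managers", "groupId": "constructed-g1"},
               {"name": 'ops "tier-2"', "groupId": "constructed-g2"}]

if __name__ == "__main__":
    print(update_url(workspace_id_from(WORKSPACE_BODY), "1234"))
    print(build_update_body("constructed-id-0001", GROUPS_BODY))
```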

 

We hope this was helpful. Please leave a comment and share your thoughts.

Cheers

Hakan Bahadir

Pio Team

 
