I was trying to help a team with verifying a domain using the Azure AD method, and one of the things that was mentioned on a support call was that automatic user provisioning was a requirement for the domain verification to work via Azure AD. The support engineer cited this resource:
https://support.atlassian.com/provisioning-users/docs/connect-to-azure-active-directory/
However, this does not seem to be a requirement for Atlassian Guard or domain verification, at least not from what I read.
Is there anything that specifically says automatic user provisioning is required in order to use the Azure AD method for domain verification?
It's not mentioned here at all:
https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/
The page says "Connect these identity providers to your Atlassian organization, and any domains associated with the identity provider will be automatically verified for your organization"
This was not the case at all. The domains were associated with the IdP but the domains could not be verified, and we were told it was because automatic user provisioning was not selected.
I believe what's implied here is: the Azure AD and Google Workspace integration is a "sync app" for users and groups, running from the Atlassian Cloud side, that you connect to Azure AD or Google Workspace via an OAuth flow while logged in to the IdP as an admin.
It's a "pull" integration rather than a SCIM "push" (with an app on the Azure side).
So once connected, it verifies the domains automatically, but it will also establish sync, i.e. it's not a requirement/prerequisite, it's a consequence. You can probably restrict sync to some empty group, to avoid actual accounts being synchronised.
Forgive me, but I'm still not fully understanding.
Why would automatic user provisioning determine whether or not the domain verification would work?