Heads up! On March 5, starting at 4:30 PM Central Time, our community will be undergoing scheduled maintenance for a few hours. During this time, you will find the site temporarily inaccessible. Thanks for your patience. Read more.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

SCIM vs Graph API (Azure AD for nested groups)

Adam Rypel _MoroSystems_
Adam Rypel _MoroSystems_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
August 6, 2023

Hi all,

We are in the midst of our cloud project and I am thinking how to specifically handle the user management. 

The user provisioning goes through Azure AD and Atlassian Access, that is clear. However, with the recent release of Azure AD for nested groups, I am deciding which option to use - regular SCIM or Azure AD for nested groups? Even if the customer does not use the nested groups, the "Azure AD for nested groups" seems easier, quicker to configure, is managed from Atlassian side and at the same time offers the same functionality. Is there a reason to still use SCIM?

So basically my question summarized: Does Azure AD for nested groups (Graph API) have any limitations compared to SCIM way? 

Thanks,
Adam

Answer
Watch
Like # people like this
1733 views

1 answer

1 vote
Kyle Lapham
Kyle Lapham October 25, 2023

Hi @Adam Rypel _MoroSystems_ 

Did you get anymore knowledge on this? 

The documentation seems short on the limitations and i am pretty much trying to understand these.

Let me know if you have found out any information on this please.

 

Thanks 

Kyle

View More Comments
Adam Rypel _MoroSystems_
Adam Rypel _MoroSystems_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
October 25, 2023

Hello @Kyle Lapham ,

Not much, our customer eventually decided to use SCIM anyways due to the security reasons (they don't want to use API), so it was a clear decision.

I summarized just couple of points at the time:

SCIM

  • does not allow synchronization of nested groups
  • allows you to create custom attribute mappings
  • requires application installation in Azure AD
  • it is managed and configured in Azure AD

Graph API (Azure AD for nested groups)

  • enables the synchronization of nested groups
  • does not allow you to create custom attribute mappings
  • it works through a technical account that must have admin rights in Azure AD - through this account data is pulled using the API
  • it is managed and configured from the Atlassian administration

I was testing it during EAP and it seems the only limitation is the inability of creating a custom mapping - so you cannot choose which attribute goes where and adding any additional attributes.

If I remember correctly, the Graph API option also has a synchronization interval every 4 hours, opposed to SCIM's 30-60 minutes.

Hopefully that helps you a little bit.

Adam

Like Steffen Opel _Utoolity_ likes this
Kyle Lapham
Kyle Lapham October 26, 2023

Very Helpful, appreciate your quick response on this Adam :)

Like Adam Rypel _MoroSystems_ likes this
Lennert Timmers
Lennert Timmers
Contributor
October 31, 2023

@Adam Rypel _MoroSystems_ in your summary about the Azure Graph API you mention the use of a technical account. Do you know if there is more documentation about the use of this account and the exact permissions needed (like scopes or app roles)?

Like
Adam Rypel _MoroSystems_
Adam Rypel _MoroSystems_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
October 31, 2023

@Lennert Timmers I couldn't really find any documentation on that. We did find out simply by trying to connect the AAD with Atlassian - when logging in with the technical account, Atlassian Cloud asks you for access and it lists which specific permission it needs. Specifically step 6 here: https://support.atlassian.com/provisioning-users/docs/connect-to-azure-active-directory/#:~:text=can%20verify%20them.-,Connect%20to%20Azure%20Active%20Directory,-To%20connect%20to

"You can then log in with your Microsoft account to the Microsoft portal. Microsoft asks you to allow Atlassian to access your account."

Unfortunately I did not take a note which exact permissions those were, so I'm not able to provide that to you upfront.

Like Lennert Timmers likes this
Lennert Timmers
Lennert Timmers
Contributor
October 31, 2023

@Adam Rypel _MoroSystems_  Thank you for your response. It's a pity that the Atlassian documentation is not more comprehensive on this topic. We have a fairly large IT organisation, and our colleagues that manage the Azure environment would like to know precisely what is required to set up such a connection and how those admin permissions are used behind the scenes.

Like Steffen Opel _Utoolity_ likes this
Adam Rypel _MoroSystems_
Adam Rypel _MoroSystems_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
October 31, 2023

Yeah, I can understand that. This feature was released just recently, so there might not be that extensive documentation.

Maybe you can try to contact Atlassian support, they were always very helpful in this topic: https://support.atlassian.com/contact

Like Lennert Timmers likes this
Reply

Suggest an answer

Log in or Sign up to answer
Atlassian logo
Atlassian Guard
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events

    See all events