Atlassian Access Demo Q&A Recap

Hi Community!

Thank you to all who joined our ongoing monthly Atlassian Access demo! We have an engaging group of attendees who asked many great questions. I’ll share a recap of frequently asked questions or questions we didn’t get to during the demo along with some relevant resources.

The questions below are categorized by these topics:

• Domain verification

• SAML single sign-on (SSO)

• SCIM / User provisioning / User management

• Identity providers

• Multi-factor authentication / Two-step verification

• Audit logs

• Academic institutions

• Billing

I’ll continue to update this post as new questions come through so be sure to follow the post for updates. If you have more questions about Atlassian Access, comment below and we’ll get to them as soon as we can.

If you’ve missed a demo or want to attend one in the future, register here for demos with live chat Q&A with our Customer and Product Advocate teams. If any of these times don’t work for you, we also have an on-demand version of the demo to watch at your own time.

Thanks! We can’t wait to hear from you in the comments or at a future demo!

Top Atlassian Access resources to bookmark

• Atlassian Access homepage – Overview of what it is and how it works

• Atlassian Access setup guide – Dig into each feature and how to successfully set up your trial

• Overview of domain verification – Guide on what it is and how it works

• SAML single sign-on (SSO) – Guide on what it is and how it works

• SCIM automated user provisioning – Guide on what it is and how it works

• Zero Trust security, explained – Why Zero Trust matters in the cloud and how to get started

• Flexibility with multiple authentication policies – Achieve security goals by setting up different policies

• Resources – Whitepapers, blogs, webinars, and more on how to securely manage users

Domain verification

1. We are in the process of verifying our domain and claiming our users, but we have users who already have an Atlassian account. Can you describe what will happen to them? Verifying your domain and claiming users on that domain will bring in those existing users as your managed accounts. This won’t change their product access or how they log in, but will transfer certain account functionality (such as deleting your Atlassian account or updating your email address) over to you as the Organization Administrator.

SAML single sign-on (SSO)

1. Can single sign-on work for customers as well as licensed users? If the users' domain is verified and users claimed, yes. However, they will only be billable for Atlassian Access if they are licensed to 1 or more Atlassian cloud products. If a domain is not verified and users are not claimed, SSO cannot be enforced and users essentially choose how they sign in.

SCIM / User provisioning / User management

1. What if I have 100 users that are currently in the Atlassian directory when I connect my identity provider Azure AD? You shouldn't need to delete your users and can simply follow these instructions to sync Azure AD with Atlassian Access.
2. Is there a way to automate user deletion / removal when a user is no longer an employee? Yes, if you connect your identity provider with Atlassian Access, user permissions are kept up-to-date with your identity provider. When an employee leaves, your identity provider will be updated and the user will be de-provisioned off Atlassian cloud products via Atlassian Access. You can read more about how automated user provisioning and de-provisioning works here.

3. How do these accounts show up if we never used Atlassian Cloud before? Accounts that are claimed/managed will show up under the “directory” section of admin.atlassian.com and will simply say “No product access” under the current product list next to those users. You can read more about managed accounts here.

4. Can we control users after they leave the organization? How does that work? When you connect your identity provider with Atlassian Access to set up automated user provisioning, users who leave the organization are deleted/deactivated on your identity provider and will automatically sync that update to deactivate the user’s account on Atlassian Cloud. You can learn more about how user provisioning works in our documentation.

Identity providers

1. How can I connect my identity provider Azure AD? We have a support page that provides step-by-step instructions on how to integrate with specific identity providers, including Azure AD, here.

2. If I have an internal AD environment, can I use existing AD groups to provision or will we need to use another partner for that? If our internal AD is extended to Azure AD to sync our users/groups, will that work? To configure user provisioning for Active Directory or LDAP with your Atlassian organization, you’ll connect your on-premises Active Directory to a supported identity provider. This connection will sync your user’s account details between your identity provider and Atlassian products. Here is a guide that helps walk you through the Atlassian Cloud integration with Azure Active Directory.

3. Would AD FS or Azure be preferred as an SSO? What are the differences between the two providers? You can configure SAML SSO with AD FS and here is our documentation on how to do so. However, AD FS does not support user provisioning (the identity provider is responsible for creating their end of the integration for SCIM / user provisioning). If you want to be able to leverage both SAML SSO and SCIM, it will be necessary to either use a different identity provider to connect to Atlassian Cloud (e.g., integrate AD FS to Azure AD then Azure AD to Atlassian Cloud) or develop scripts to work with the SCIM / user provisioning API (see our documentation here) in order to create the connection between AD FS and your organization. In addition to that, user provisioning should be the last thing you do after the migration to avoid issues with data linking in the site.

4. Do we need Atlassian Access to federate from Azure AD for Jira and Confluence Cloud? Can we use Azure AD for SSO directly with Jira/Confluence Cloud? Syncing and enforcing SSO with Azure AD is only achievable with an Atlassian Access subscription. Teams can still manually add new team members without Atlassian Access, but you will need an Atlassian Access subscription to enforce SAML SSO and sync users from Azure AD to Atlassian Cloud products, like Jira and Confluence Cloud.

Multi-factor authentication (MFA) / Two-step verification (2SV)

1. What happens when I am setting up MFA for the first time? Do my users get an email asking them to set it up with their authentication app? If your organization has the multiple authentication policies feature, users will receive an email when admins enforce MFA. If you do not yet have this feature, your users will not receive an email. The MFA enforcement will apply the next time the user logs in. If you want to enforce MFA for your users immediately, you can reset sessions to force users to log out. You can read more about enforced two-step verification in our support documentation.

Audit logs

1. How far back are audit logs accessible? With an Atlassian Access subscription, audit logs are available for 180 days. If you need audit logs for longer than this duration, you will want to export your logs before the 180 days are over. There is more information about audit logs in our support documentation.

Academic institituions

1. How many users can we provision with an educational license of Atlassian Access? There is no limit to provisioning users through Atlassian Access. You’d only be limited by the number of seats available under the product you’re adding users to.

2. How does Atlassian Access billing work for an educational license? For our academic institution customers, Atlassian Access is free of charge. There is more information about pricing for academic institutions here.

Billing

1. How does Atlassian Access affect users on the free version of Atlassian Cloud products? Please take a look at our documentation on how billing works for Atlassian Access. It covers the difference between Managed and Billable users.

2. We’re interested in using the free version of Trello for our small organization but want the security that comes with an Azure AD integration. Is Atlassian Access all we need to do that? Or would we need a paid version of Trello too? You can have an Atlassian Access subscription to add security features to your Trello free plan. You do not need to have a paid version of Trello to leverage Atlassian Access features. Here is our documentation on Atlassian Access billing.