
Non-billable authentication policy when access to Jira/Confluence is managed by external IdP?

Jason M. November 10, 2022

Strangely Atlassian is freezing support requests as soon as I open them, so will try to ask here:

I understand the concept of a non-billable authentication policy. What I don't understand is how that works when the users for our site are managed by an external IdP & we enforce SSO.  In order for an account to access Jira, it must be part of the jira-users group. jira-users group is sync'd & managed by our IdP.

But according to Atlassian's documentation: "You can't add the users you sync from your identity provider (e.g., Okta, Azure AD, Google Workspace) to a non-billable policy."

So in this case, how can I add an existing account to a non-billable policy if it's managed by our IdP? Or create a new account to be part of the non-billable policy if it requires an email invite link to be valid and also needs to be part of the jira-users group anyways to access?

Thank you,
Jason

2 votes
Answer accepted
Alex Koxaras _Relational_
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
November 10, 2022

Hi @Jason M_ 

I faced a similar case with two of my clients. Atlassian will bill you for all users that you want to enforce SSO. First thing first:

> Or create a new account to be part of the non-billable policy if it requires an email invite link to be valid and also needs to be part of the jira-users group anyways to access?

As an administrator (site/org) you can invite any user you want. That user will not be managed by your identity provider (e.g. he/she is not part of your company but you want to grant access to that user). That user will be stored in Jira Directory and not the AD. That part is solved.

To grant product access to a user, you either make him a member of the group that grants product access (in your case it is jira-users) OR you add another group to grant product access. That most likely you can do (create a group e.g. external-jira-users, place the new user in that group and add this group to product access (go to cog > products > product access > manage access > add groups)).

Now for the following question:

> What I don't understand is how that works when the users for our site are managed by an external IdP & we enforce SSO. In order for an account to access Jira, it must be part of the jira-users group. jira-users group is sync'd & managed by our IdP.
>
> But according to Atlassian's documentation: "You can't add the users you sync from your identity provider (e.g., Okta, Azure AD, Google Workspace) to a non-billable policy."
>
> So in this case, how can I add an existing account to a non-billable policy if it's managed by our IdP?

Long story short is this: If you want your synced users to have SSO, then you can't add them to a non-billable policy. The user is billable IFF:

  1. The user is synced
  2. The user has product access to any tier (this includes Trello users)
  3. The user doesn't belong to an enterprise plan
  4. Account is active

For the (2) there is an open issue https://jira.atlassian.com/browse/CLOUD-11072 which I watch. Last update was rather disappointing for us all...

Hope all the above helps!

Jason M. November 10, 2022

Hello Alex,

Thanks for your response, that does clear up some uncertainties. One follow-up question, if we already have accounts managed by our external IdP, do you think those can simply be removed from sync and moved over to a group that provides product access, then added back to the non-billable policy?  I get that any new group created for the product access would then have to be included in the global & project permissions schemes...but do you think above move would affect existing API tokens or any other aspect of the account?

Thanks,
Jason

Alex Koxaras _Relational_
November 10, 2022

No, I don't think you can do that. Since these accounts are managed, even if you don't sync them, and you grant them product access, they will count towards your billing. Even free product users count on your Access billing. For an account to be non-billable the criteria are:

  1. They don’t have access to any products.
  2. Their account is deactivated.
  3. They are a member of a non-billable authentication policy.
  4. They have a Jira Service Management portal customer account (portal customers who have an Atlassian account are covered by Atlassian Access features, but only agents count as unique billable users).
  5. Their account is covered by a legacy Trello Enterprise license. For more details see, Impact of Trello users on your Atlassian Access bill
Jason M. November 10, 2022

Thanks Alex, looks like I've been operating with a complete misunderstanding of this non-billable auth policy for some time. It's just a bucket for manual or self-signups in to avoid getting billed for an Access license, and has no implications on billing when it comes to those accounts accessing any other product!

Alex Koxaras _Relational_
November 10, 2022

Exactly!

DEPLOYMENT TYPE
CLOUD