409 error when attempting to update email address via user provisioning
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
After you change a synced managed account's email address via user provisioning, the following message is displayed in the Troubleshooting log tab under User provisioning:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"409","scimType":"uniqueness","detail":"Resource [USER]: with email[example@example.com] already exists."}
Diagnosis
Removing the user from a site will not delete their account. You can review the account at the organization level. Follow these steps:
ℹ️ You must be an organization administrator to access this area.
1. Go to https://admin.atlassian.com and select the organization with the domain verified for the account in question.
2. Under the organization, select Directory > Managed accounts.
3. Search for the user's account.
Can't find the account?
If you can't see the account on the Managed accounts page, it means the user's Atlassian account isn't claimed by the organization.
1. Navigate to the Domains page, either in the Directory or Settings tab.
2. Check to see if there are any accounts that are listed as "Available to claim".
3. Follow our documentation steps to claim the user's Atlassian account.
If there are no Atlassian accounts available to be claimed, the Atlassian account is already claimed by another organization. That organization's admins will need to be contacted to un-claim the user's Atlassian account so that your organization can claim it.
Alternatively, the other organization's admin can simply update the user's Atlassian account email address to a placeholder value as described below.
Cause
Although the email change is performed on the identity provider side, an email address can only be tied to a single Atlassian account. If the new address sent by the identity provider already belongs to a different Atlassian account, the update is not propagated. To move forward with the change, you must first free the existing email address.
Solution
After identifying the account, to free its email address and sync the change, one of the alternatives below can be used:
Option 1
Completely delete the managed account, which will go through a 14-day grace period. Once this time passes, try to change the email again.
Option 2
Change the user's Atlassian account email address to a placeholder value (e.g. new.email.address+duplicate@domain.example). The idea is to make the target email address available so the identity provider can update the user's Atlassian account email address as expected. The placeholder email address doesn't have to be a real email address, but the domain has to be a verified domain on the organization.
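To triage exported provisioning log entries, the following added example (not Atlassian code) picks out 409 uniqueness conflicts in the SCIM error format shown in the Summary and derives an Option 2 style placeholder for the account that currently holds the address. The function names, the sample entries and the verified-domain set are assumptions made for illustration.

```python
import json
import re

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Matches the "detail" wording of the log entry shown in the Summary.
DETAIL_RE = re.compile(r"with email\[([^\]\s]+)\] already exists")

# Constructed sample entries; the first is deliberately truncated
# (no closing brace) to exercise the tolerant parser.
SAMPLE_LOG = [
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"409",'
    '"scimType":"uniqueness","detail":"Resource [USER]: with email[example@example.com] already exists."',
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"404",'
    '"detail":"Resource not found"}',
    'not json at all',
]


def parse_scim_error(line):
    """Return the SCIM error dict, or None if the line is not a SCIM error."""
    for candidate in (line, line + "}"):  # tolerate a missing closing brace
        try:
            doc = json.loads(candidate)
        except json.JSONDecodeError:
            continue
        if isinstance(doc, dict) and SCIM_ERROR_SCHEMA in doc.get("schemas", []):
            return doc
    return None


def conflicting_email(line):
    """Return the email from a 409 uniqueness error, else None."""
    err = parse_scim_error(line)
    if not err or str(err.get("status")) != "409" or err.get("scimType") != "uniqueness":
        return None
    match = DETAIL_RE.search(err.get("detail", ""))
    return match.group(1).lower() if match else None


def placeholder_for(email, verified_domains):
    """Build an Option 2 style placeholder; the domain must be verified."""
    local, _, domain = email.rpartition("@")
    if not local or domain.lower() not in verified_domains:
        raise ValueError(f"{domain!r} is not a verified domain of this organization")
    return f"{local}+duplicate@{domain}"


if __name__ == "__main__":
    for email in filter(None, map(conflicting_email, SAMPLE_LOG)):
        print(email, "->", placeholder_for(email, {"example.com"}))
```

The placeholder is meant for the account that already holds the address, so the identity provider's update can then reach the intended account.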