Email address change via User Provisioning is not reflected on Atlassian

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Summary

Once you connect your identity provider to your Atlassian organization via User Provisioning, you manage all user attributes and group memberships from your identity provider (IdP).

You can update these user attributes from your identity provider:

  • Display name: This is a combination of a user’s first and last name. Updating the display name also overwrites the first name and last name attributes.

  • Email address

  • Organization

  • Job title

  • Timezone

  • Department

  • Preferred language

When any Atlassian account attribute is updated via SCIM and the end user's Atlassian account is not managed by the organization, the update:

  • Removes the user from groups provisioned by SCIM

  • May cause the user to lose product access granted in the SCIM group

To make sure users aren’t removed from product access groups, claim the unverified domain in your Atlassian organization first.

If the end user's Atlassian account is not managed by the organization, the organization cannot update the account's attributes via provisioning sync. Any attempt to re-sync the user from the IdP would likely create a new Atlassian account for the end user, along with a new sync record for them in the Atlassian provisioning directory. At this point, the end user has duplicate Atlassian accounts and loses access to their historical data if they cannot log in to their previous Atlassian account.

Diagnosis

The provisioning logs show the following entry. To view them, navigate to Atlassian Administration > Security > Identity providers > [Directory name] > View troubleshooting log:

Email update to unmanaged user with ID <SCIMid>, primary email user@abc.com, unlinked any associated atlassian account.

Cause

You can't change a user's email address from a managed email to an unmanaged email in Atlassian.

Solution

  1. Update the email address through provisioning sync. For this, the org admins need to claim the destination domain in the same organization as the primary domain, which makes the destination domain managed by the organization; or

  2. Push the users' new email addresses as fresh accounts instead of updating the email addresses of the managed accounts on the IdP. This pushes user@abc.com as a fresh externally managed user, and a new Atlassian account is created for this user. The drawback of this approach is that the user ends up with two Atlassian accounts: the old managed account and the new externally provisioned account, user@abc.com.
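
To see which destination domains would need claiming under option 1, the troubleshooting log entries shown under Diagnosis can be grouped by email domain. The Python below is an added example, not Atlassian code; it assumes the log has been saved as plain text with one entry per line, and the function name, timestamps, SCIM IDs and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format taken from the troubleshooting log entry shown in this article.
UNLINK_RE = re.compile(
    r"Email update to unmanaged user with ID (?P<scim_id>\S+), "
    r"primary email (?P<email>[^\s,]+@[^\s,]+), "
    r"unlinked any associated atlassian account",
    re.IGNORECASE,
)

def domains_to_claim(log_lines, claimed_domains):
    """Map each unclaimed email domain to the SCIM IDs that were unlinked on it."""
    claimed = {d.strip().lower().rstrip(".") for d in claimed_domains}
    affected = defaultdict(set)  # a set absorbs repeated entries from re-sync retries
    for line in log_lines:
        m = UNLINK_RE.search(line)
        if not m:
            continue  # unrelated log entry
        # Domains are case-insensitive, so normalise before comparing.
        domain = m["email"].rsplit("@", 1)[1].lower().rstrip(".")
        if domain not in claimed:
            affected[domain].add(m["scim_id"])
    # Most affected domain first; ties broken by name so the output is stable.
    ranked = sorted(affected.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {domain: sorted(ids) for domain, ids in ranked}

# Constructed sample input (timestamps, IDs and the third line are made up).
_MSG = ("{ts} Email update to unmanaged user with ID {sid}, primary email {mail}, "
        "unlinked any associated atlassian account.")
SAMPLE_LOG = [
    _MSG.format(ts="2025-04-24T10:00:01Z", sid="scim-001", mail="user@abc.com"),
    _MSG.format(ts="2025-04-24T10:00:02Z", sid="scim-002", mail="other@ABC.com"),
    "2025-04-24T10:00:03Z some unrelated entry",
    _MSG.format(ts="2025-04-24T10:05:01Z", sid="scim-001", mail="user@abc.com"),
    _MSG.format(ts="2025-04-24T10:06:00Z", sid="scim-003", mail="third@example.org"),
    # Entry logged before this domain was claimed; it needs no further claiming.
    _MSG.format(ts="2025-04-24T10:07:00Z", sid="scim-004", mail="x@managed.example"),
]

if __name__ == "__main__":
    for domain, ids in domains_to_claim(SAMPLE_LOG, {"managed.example"}).items():
        print(f"{domain}: {len(ids)} unlinked user(s): {', '.join(ids)}")
```
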

Updated on April 24, 2025
