"Some email addresses are already taken" error when using Entra ID for nested groups
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
When using Entra ID for nested group integration, a message with the error "Some email addresses are already taken" is displayed.
Diagnosis
As an organization administrator, log in to https://admin.atlassian.com and select your organization if you have more than one.
Navigate to Security > Identity providers.
Select your identity provider directory that's configured for the Entra ID for nested groups integration.
Verify whether the error is displayed above the sync status.
Cause
You see the "Some email addresses are already taken" error if one or more synced accounts have changed in Entra ID since the last sync to a value already associated with an existing Atlassian account.
Select Download the list with conflicting emails to see the new emails being returned from Entra for already-synced users that conflict with emails on existing Atlassian accounts.
Solution
Option 1: Free up the conflicting emails in Atlassian
To allow the affected users' emails to update successfully via the Entra ID sync integration, the new email values must not be used on any Atlassian accounts. To quickly ensure this, find the accounts in your Managed accounts list that are currently using the new email address values Entra is trying to pass to Atlassian and update the emails on those accounts to values you don't want to use moving forward.
Change the user's Atlassian account email address to a placeholder value, for example, new.email.address+duplicate@domain.examp. The idea is to make the target email address available so the identity provider can update the user's Atlassian account email address as expected. The placeholder email address doesn't have to be an actual email address, but the organization must verify the domain. See the Update email address documentation for more information.
If you don't find the existing accounts in your organization's "Managed accounts" list, claim them first.
Navigate to the Domains page - either in the Directory or Settings tab.
Check if any accounts are listed as "Available to claim."
Claim the user's Atlassian account. See Claim accounts for more information.
If no Atlassian accounts are available to be claimed, that would indicate that another organization already claims the Atlassian account. The org. Admins. of the other organization will need to be contacted, and they will need to un-claim the user's Atlassian account so it can be claimed on the expected organization. See Unclaim accounts for more information.
Alternatively, the other org. Admin can update the end user's Atlassian account email address to a placeholder value described above.
Option 2: Revert email changes in Entra ID
If you didn't intend to update the emails on the users' synced Atlassian accounts, you can revert the email changes in Entra ID so the users are synced using their old emails during the next sync cycle. You must work with your Entra ID administrator(s) to revert the users' email updates in Entra ID.
Was this helpful?