How to Map Group ID from Microsoft Entra ID/Microsoft Azure AD to Jira Application Access Group Names

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This article can be treated as a workaround for SAMLDC-77.

Solution

Pre-requisite

Problem

When JIT provisioning is enabled, Azure AD by default sends only the group ID (the Azure Active Directory group ObjectId, a GUID) in the groups claim of the SAML response, not the group's display name.

Example Response

    ...
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <AttributeValue>a76a019d-7375-43f0-9157-bec9f4211c99</AttributeValue>
      </Attribute>
    </AttributeStatement>
    ...

With this default behavior, you must grant Application Access to a Jira group named after the Group ID “a76a019d-7375-43f0-9157-bec9f4211c99” that arrives in the SAML response before users can access Jira. Groups named by GUID are hard to identify and manage.


Workaround/Solution

The Group ID can be mapped to the Jira "Application Access" group name in Azure AD as follows:

  1. Navigate to https://portal.azure.com/.

  2. Click Microsoft Entra ID (formerly Azure Active Directory).

  3. Select “Enterprise applications” and choose the respective SSO application.

  4. Navigate to “Single sign-on” and edit “Attributes and Claims”.


  5. Select the group claim attribute. Its claim name is “http://schemas.microsoft.com/ws/2008/06/identity/claims/groups”. Then, in the pane on the right, set the following:

    • "Which groups associated with the user should be returned in the claim?": All groups

    • "Customize the name of the group claim": check this box

      • "Name (required)": enter any meaningful claim name (e.g., "Role"); this becomes the attribute name Jira sees in the SAML response

      • "Apply regex replace to groups claim content": check this box

      • "Regex pattern": enter the Group ID (ObjectId) of the group to be mapped (e.g., a76a019d-7375-43f0-9157-bec9f4211c99)

      • "Regex replacement pattern": enter the Jira Application Access group name (e.g., "jira-software-users"), then click Save


  6. Return to the Jira application, edit the SSO setup, and navigate to the JIT provisioning section.

  7. Enter "Role" (or whatever you set as the Name in the group claim setup on Azure) in the "Groups" field.


Now, when logging in to Jira with the SSO user, the group name (instead of the Group ID) is sent under the customized claim name as part of the SAML response.

Example Response

    ...
    <AttributeStatement>
      <Attribute Name="Role">
        <AttributeValue>jira-software-users</AttributeValue>
      </Attribute>
    </AttributeStatement>
    ...
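To check what Jira will actually receive after the mapping above, the following added script (not part of this KB or of Atlassian's or Microsoft's code) parses a constructed AttributeStatement, emulates the regex replace configured in step 5, and flags any group value that is still a raw Object ID and therefore will not match a Jira Application Access group. The second GUID, the `jira-software-users` group set and the exact matching semantics of the Entra regex replace are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DEFAULT_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample shaped like the default Entra ID response (Object IDs only).
# The first GUID is the one from the article; the second is a made-up, unmapped group.
SAMPLE_ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>a76a019d-7375-43f0-9157-bec9f4211c99</saml:AttributeValue>
    <saml:AttributeValue>00000000-0000-4000-8000-000000000001</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# "Regex pattern" / "Regex replacement pattern" pairs as configured in step 5 (anchored).
GROUP_MAPPINGS = [(r"^a76a019d-7375-43f0-9157-bec9f4211c99$", "jira-software-users")]


def claim_values(assertion_xml, claim_name):
    """Return every AttributeValue text of the Attribute whose Name equals claim_name."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(SAML_NS + "Attribute"):
        if attr.get("Name") == claim_name:
            values += [v.text.strip() for v in attr if v.text]
    return values


def map_groups(group_values, mappings):
    """Emulate the regex replace: the first matching pattern rewrites the value (assumption)."""
    mapped = []
    for value in group_values:
        for pattern, replacement in mappings:
            if re.search(pattern, value):
                value = re.sub(pattern, replacement, value)
                break
        mapped.append(value)
    return mapped


def check_jira_groups(group_names, jira_groups):
    """Split into names Jira recognises and values that are still raw Object IDs."""
    recognised = [g for g in group_names if g in jira_groups]
    still_ids = [g for g in group_names if GUID_RE.match(g)]
    return recognised, still_ids


if __name__ == "__main__":
    names = map_groups(claim_values(SAMPLE_ASSERTION, DEFAULT_GROUPS_CLAIM), GROUP_MAPPINGS)
    print(check_jira_groups(names, {"jira-software-users"}))
```

Any value reported in the second list is a group whose Object ID has no regex mapping yet, so its members would get no Application Access in Jira.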

Updated on April 7, 2025
