User provisioning in the Atlassian Isolated Cloud
User provisioning with Isolated Cloud
Each Atlassian Isolated Cloud instance has a separate user database distinct from the Atlassian Commercial Cloud. If your organization has both an Atlassian Cloud subscription and an Atlassian Isolated Cloud subscription, user provisioning operates independently for both. There is no automatic synchronization between the two.
This separation is intentional: Isolated Cloud is designed to be truly isolated from other Atlassian environments. As such, user information does not need to be automatically synchronized between Atlassian Commercial Cloud and Isolated Cloud in either direction.
Requirements
User management and provisioning in the Atlassian Isolated Cloud requires a supported identity provider. Password-based authentication and manual user invites are not supported on the Isolated Cloud.
See Supported identity providers for a complete list of identity providers supported by both Atlassian Isolated Cloud and Atlassian Commercial Cloud.
What this means for managing users
When you provision users from your identity provider, each environment maintains its own directory of users and groups. A user who exists in both environments has a separate account in each, even if the username and email address are the same.
Because of this:
Deleting or deactivating a user in Isolated Cloud does not remove them from Atlassian Cloud (or vice versa). You must delete or deactivate the user in each environment separately.
Changes to user attributes in one environment are not reflected in the other. If you update a user's details in your identity provider, only the environment connected to that IdP directory receives the update.
You must set up a separate app integration in your IdP for Atlassian Isolated Cloud. This integration must be distinct from the one you use for Atlassian Cloud.
Isolated Cloud users need to log in to Atlassian Isolated Cloud. It’s important not to mix Atlassian Cloud and Atlassian Isolated Cloud accounts, directories, or sign-in flows.
If you use the same identity provider for both environments, ensure that your user de-provisioning workflows remove accounts in both directories.
What it means for migrating users
When “migrating” from the Atlassian Commercial Cloud to an Atlassian Isolated Cloud instance, user accounts are not moved or synchronized between the two environments. Isolated Cloud uses its own separate user database, so users must be provisioned into the Isolated Cloud instance as a separate onboarding step.
In practice, this means:
Users need to be provisioned to Isolated Cloud independently. Existing Commercial Cloud users do not automatically appear in Isolated Cloud, even if the same identity provider, email addresses, or usernames are used.
Accounts with the same email address are still separate accounts. A person may have one account in Commercial Cloud and another account in Isolated Cloud, backed by separate directories.
Groups, product access, and permissions need to be recreated or mapped for Isolated Cloud. Do not assume existing Commercial Cloud group membership or access will carry over unless the Isolated Cloud provisioning configuration explicitly creates the same groups and memberships.
De-provisioning remains environment-specific. Removing or disabling a user in Commercial Cloud does not remove or disable their Isolated Cloud account, and the reverse is also true.
For migration planning, treat Isolated Cloud user provisioning as a new environment setup: configure the identity provider connection for Isolated Cloud, validate the required groups and product access, and run a controlled provisioning test before onboarding users at scale.
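Because de-provisioning is environment-specific, it helps to audit both directories against the identity provider after offboarding. The following is an added example, not Atlassian code: it assumes you can export each directory as CSV with hypothetical `email` and `active` columns, and it correlates the two separate accounts by email address only for the purpose of the audit.

```python
import csv
import io

# Constructed sample data. The column names and CSV layout are assumptions,
# not an Atlassian export format.
IDP_ACTIVE = {"ana@example.com", "raj@example.com"}
COMMERCIAL_CSV = """email,active
ana@example.com,true
raj@example.com,true
lee@example.com,false
"""
ISOLATED_CSV = """email,active
Ana@Example.com,true
lee@example.com,true
sam@example.com,true
"""


def load_directory(text):
    """Return {normalized email: is_active} for one environment's export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower(): r["active"].strip().lower() == "true"
            for r in rows}


def audit(idp_active, commercial, isolated):
    """List accounts still active in an environment after IdP offboarding."""
    idp = {e.strip().lower() for e in idp_active}
    envs = {"commercial": commercial, "isolated": isolated}
    findings = []
    for email in sorted(set(commercial) | set(isolated)):
        if email in idp:
            continue  # still active in the IdP: nothing to revoke
        state = {name: d.get(email) for name, d in envs.items()}
        live = sorted(name for name, active in state.items() if active)
        if not live:
            continue  # deactivated or absent everywhere
        # False in the other directory means offboarding ran there but not here.
        reason = "partial_deprovision" if False in state.values() else "not_in_idp"
        findings.append((email, live, reason))
    return findings


if __name__ == "__main__":
    result = audit(IDP_ACTIVE, load_directory(COMMERCIAL_CSV),
                   load_directory(ISOLATED_CSV))
    for email, live, reason in result:
        print(f"{email}: still active in {', '.join(live)} ({reason})")
```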
Atlassian test tenants
Atlassian provisions and maintains its own test tenants in production Isolated Cloud environments for automated testing, validation, and ongoing maintenance. These tenants are used to continuously verify that the environment is functioning correctly; for example, by creating and interacting with test Jira projects or Confluence pages.
Test tenants operate exclusively on test data and do not have access to customer production data. They are subject to the same isolation and transit policies as customer tenants within the environment.
Additional resources
The Atlassian Isolated Cloud supports the same identity providers as the Atlassian Commercial Cloud, and follows a similar provisioning workflow for its user database. See Understand user provisioning for more information.