Confluence: Too many groups affecting syncing from an identity provider
This insight checks whether your total number of groups exceeds the limit of groups you can sync from an identity provider using SCIM.
How does the group count affect syncing?
Atlassian Cloud limits the number of groups you can sync from an identity provider to a single user directory. Having more groups can affect performance and user actions around Confluence. If you have more groups than the limit, you can still migrate them (with the risk of the same performance issues), but groups (and their users) above the limit won’t be synced and updated on the cloud side.
Learn more about limits in cloud user provisioning
What’s the recommendation?
You should reduce the number of groups below the limit to make sure syncing works correctly and that you don’t experience any performance issues in the future. If you’re unable to do it, you can request to increase the limit for your organization.
Here are actions you can take:
Migrate only users that are referenced in your spaces
Change user provisioning filters on the cloud side
Request to increase the limit
Migrate only users referenced in spaces
When you migrate spaces in the Confluence Cloud Migration Assistant, you’ll have an option to migrate only users referenced in these spaces, excluding all the rest.
You’ll be able to check the number of referenced users and groups without running the migration, which gives you an idea of how many users you can exclude.
Migrate only users referenced in selected spaces
You can choose an option to migrate only users that have some connection to the spaces you're migrating, which will also reduce the number of groups.
To migrate only referenced users and their groups:
Create a new migration plan in the Confluence Cloud Migration Assistant.
In the Spaces card, select some spaces to be included in your plan.
In the Users and groups card, select the Only users and groups with permissions on selected spaces option.
Select Add to migration and continue.
Check the number of referenced users and groups
In the next step, on the Review your migration screen, you can check the number of users and groups included in this migration.
Repeat these steps for all spaces you want to migrate to understand how many users you’ll actually need in cloud and whether migrating only referenced users and groups will keep you below the limit for syncing with an identity provider.
Change your user provisioning filters
Depending on how your user provisioning and syncing filters are constructed, you might be syncing more users and groups than necessary, for example including users who are no longer needed or who never even logged in.
Here are some ideas on how to avoid that:
Modify your LDAP (server) or SCIM (cloud) filters to exclude users and groups that are no longer needed or were fixed using other recommendations
Make changes to users and groups in your external directory, and not only in the Confluence directory. This makes sure that any updated or removed users and groups won’t be provisioned to cloud
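Before changing filters, it helps to see which groups the identity provider currently exposes and which of them are candidates for exclusion. The following is an added example, not Atlassian code: it assumes group pages shaped like SCIM 2.0 list responses (RFC 7644), and the function names, group names and sample data are constructed. The limit is passed in as a parameter because this page does not state its value.

```python
# Added example: audit groups from SCIM 2.0 ListResponse pages (RFC 7644 shape).
# All names and data here are constructed for illustration.
SAMPLE_GROUPS = [
    {"displayName": "confluence-users", "members": [{"value": "u1"}, {"value": "u2"}]},
    {"displayName": "legacy-project-x", "members": []},
    {"displayName": "space-admins", "members": [{"value": "u1"}]},
    {"displayName": "contractors-2019"},  # "members" attribute omitted
]

def sample_fetch(start_index, count):
    """Offline stand-in for one paged GET of the identity provider's groups."""
    chunk = SAMPLE_GROUPS[start_index - 1:start_index - 1 + count]
    return {"totalResults": len(SAMPLE_GROUPS), "startIndex": start_index,
            "itemsPerPage": len(chunk), "Resources": chunk}

def iter_groups(fetch_page, page_size=2):
    """Walk every page; SCIM startIndex is 1-based."""
    start = 1
    while True:
        page = fetch_page(start, page_size)
        resources = page.get("Resources", [])
        yield from resources
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            break

def audit_groups(fetch_page, group_limit, referenced):
    """Compare the group count with the limit and list exclusion candidates.

    group_limit: your organization's sync limit (an input; not stated on this page).
    referenced:  group names that hold permissions on the spaces you migrate.
    """
    names, empty = set(), set()
    for group in iter_groups(fetch_page):
        names.add(group["displayName"])
        if not group.get("members"):  # missing or empty member list
            empty.add(group["displayName"])
    unreferenced = names - set(referenced)
    candidates = empty | unreferenced  # review manually before filtering out
    return {
        "total": len(names),
        "over_limit_by": max(0, len(names) - group_limit),
        "empty": sorted(empty),
        "unreferenced": sorted(unreferenced),
        "remaining_if_excluded": len(names - candidates),
    }

if __name__ == "__main__":
    print(audit_groups(sample_fetch, 3, {"confluence-users", "space-admins"}))
```

A group reported as empty may simply have had its member list left out of the response, so confirm membership in the identity provider before excluding it.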
SCIM filters in Atlassian Cloud
You can’t connect an external directory directly to Atlassian Cloud. You will need to use an identity provider in-between. If you wish to modify filters, you’ll need to do it in your identity provider.
Here’s an idea on how to do this with Microsoft:
Here are the docs for connecting Atlassian Cloud to an identity provider. In some of them, like Okta, you’re able to specify who’s being synced when configuring this connection:
OneLogin: Learn how to configure user provisioning for OneLogin
Azure AD: Learn how to configure user provisioning for Azure AD
Google Cloud: Configure user provisioning with Google Cloud
Google Workspace: Learn how to set up user provisioning for Google Workspace
PingFederate: Learn how to configure user provisioning for PingFederate
JumpCloud: Learn how to configure user provisioning for JumpCloud
Learn more about user provisioning in cloud
LDAP filters in Data Center
Although it’s more important to update your filters on the cloud side, you can also do it in Data Center.
Reduce the number of users synced from LDAP to Confluence
Request to increase the limit
If you’re unable to bring the number below the limit, we can manually increase the limit for your organization. You should treat this option as the last resort, because it can affect performance.
Make sure that you accept the following risks before you request the increase:
Performance issues
User interface issues
User experience issues
Issues with applying permissions to large groups
To increase the limit, raise a Support ticket for cloud Support by choosing Technical issues and bugs in the contact form with the following data:
User limit exception request
Exceeded limit: Number of groups
Result: Your current number of groups
Confirmation: Confirm that you accept the risks and would like to continue with the increase.