Too many Confluence users

This insight checks whether your users with access to Confluence Data Center exceed the limit of users you can have in Confluence Cloud. We only count users who have:

Active status
Application access to Confluence

All of these users count towards your license, so it might be a good idea to clean up some old accounts before you migrate.

Why is there a limit?

Confluence Cloud limits the number of users with product access. If you have more users, you can still migrate them to Atlassian Cloud, but users above the limit won't be able to get access to and use Confluence.

What’s the recommendation?

We recommend that you review your user base to find good candidates for deletion. It often happens that Confluence includes users who never logged in, aren't actually real users who need access, or exist in Confluence, but aren't actually referenced in any spaces or pages. It might turn out that the number of users that you need to migrate is below the limit.

Cleaning up users often depends on your user management and other requirements. Here are some ideas on how to reduce their number:

Delete users who never logged in
Fix users with invalid or duplicated emails
Delete users from untrusted domains
Migrate only users referenced in spaces
Change your user provisioning filters

Delete users who never logged in

When viewing this insight on the dashboard, you can copy an SQL query that returns the list of users who never logged in from your database.

Reviewing users by using an SQL query

To retrieve a list of users with the SQL query:

Copy the SQL query from the dashboard and run it on your database.
Review the returned list of users and prepare to delete them.

Reviewing users manually

You can also look for users to delete in Confluence, but that would require reviewing them manually, which isn't the best option.

To view users in Confluence:

Go to Administration > User management.

Filtering on the user management page

You can use the following tabs and filters on the User management page to help you find candidates for deletion.

Filter: Licensed users only: This will return users who have a Confluence license.
Tab: Unsynced from Directory: This will return users who weren't included in your last sync in an external directory.

Delete the users

You can delete these users with one of the following ways:

Delete users directly in your external directory. This will make sure they won't be provisioned to cloud after the migration.
Exclude users from your provisioning and syncing filters.
Manually delete users from the User management page. Note that if you delete users only in the Confluence internal directory, they might be later provisioned to cloud, which is something you want to avoid.

Fix invalid or duplicated emails

You can run a user assessment in the migration assistant that will find users with invalid and duplicated email addresses. Users with such emails block your migration and must be fixed anyway.

Run a user assessment to identify users with incorrect emails

Access the user assessment faster

When viewing this insight on the dashboard, select the first View user assessment in the assistant link to open the assessment in your instance.

To run a user assessment:

Open the Confluence Cloud Migration Assistant by going to Administration > General configuration > Migration Assistant.
On the home screen, find the Assess and prepare your users card, and select Begin assessing.
Once the assessment is complete, you should see the number of users with incorrect emails:

Results of the user assessment in Jira Cloud Migration Assistant.

The results show the number of users that have invalid or duplicated email addresses. These users are potential candidates for deletion, but you should review them.

Fix invalid emails by migrating these users as former users

Before you begin

When fixing invalid emails, we’ll make the following choices:

CSV: Use the CSV file instead of automatic options. This will allow you to choose which users are deactivated and which migrated as active users.
Former users: Turning users with invalid emails into former users, deactivating them. Thanks to the CSV file, you’ll be able to choose a different option for selected users.

To fix users with invalid emails:

When viewing the assessment results, select Fix invalid emails.
You’ll see a few automatic options for fixing your users. Select the Update users based on CSV file, and download the CSV file.

"Fix invalid email addresses" screen in Jira Cloud Migration Assistant.

How to edit the CSV file

The CSV file includes all users with invalid emails. You can view detailed instructions and explanations in the readme file.

Most important information on the CSV file

Pre-generated emails: All users will have dummy email addresses assigned. These addresses are valid, but aren’t actually working. If you’d like to migrate users as active users, you can change them to any working email you have access to.
Tombstone: All users will have this value set to false. This means they’ll be migrated as active users by default. You can change this value to true for users who can be deactivated and turned into former users.

To reduce the number of users by turning them info former users:

For each user that can be deactivated, change the Tombstone value to true.
For users that you’d like to keep, change the email address to a working email.
Save and upload the file to the migration assistant.

Fix duplicated emails by merging these users

Before you begin

When fixing duplicated emails, we’ll make the following choices:

Automatic option: In this case, we’ll use one of the automatic options instead of the CSV file. That’s because it’s easier and more efficient for merging duplicated emails.
Merging: We’ll merge all users that share the same email address to reduce the final user count.

After you fixed invalid email, select Fix duplicated emails. You’ll be moved to a similar screen where you can fix users with duplicate emails.

To merge users with duplicated emails:

Select the Merge duplicate users option.

"Fix duplicated email addresses" screen, with Merge duplicated users option selected.

Review changes and make a list of changed users

After choosing options to fix invalid and duplicated emails, select Review and apply.

Delete users from untrusted domains

You can run a domain assessment in the migration assistant to identify all email domains used by your users. This can help you find domains that you don’t recognize, don’t trust, or that are suspicious and blocked by us.

Run a domain assessment

Access the domain assessment faster

When viewing this insight on the dashboard, select the first Review email domains in the assistant link to open the assessment in your instance.

To run a domain assessment:

Open the Confluence Cloud Migration Assistant by going to Administration > General configuration > Migration Assistant.
On the home screen, find the Review domains card, and select Begin assessing.
Once the assessment is complete, you should see the list of email domains found in your user directory

Domain assessment in Jira Cloud Migration Assistant.

For every domain, you can select the number in Active / Inactive users to view the filtered list of users in Confluence.

Review blocked domains

If we find any suspicious domains, we’ll block them. You should start by checking if you have such domains, as their users are the best candidates for deletion.

Sample blocked domain in the Domain assessment.

Select the number of users in these domains to view and delete them. You can delete such users in Confluence, but you’ll also need to delete them from your external directory or exclude from provisioning filters.

Review remaining domains

For remaining domains, you can either review them in the user interface or by downloading a CSV file. The migration assistant requires that you mark all domains as trusted. If you find domains you don’t recognize or trust, you’ll need to delete their users so the domains disappear from the list.

Sample domains marked as "Not trusted" in the Domain assessment.

Learn more about reviewing email domains

Migrate users referenced in spaces

When you migrate spaces in the Confluence Cloud Migration Assistant, you’ll have an option to migrate only users referenced in these spaces, excluding all the rest.

You’ll be able to check the number of referenced users and groups without running the migration to give you an idea how many users you can exclude.

Migrate only users referenced in selected spaces

You can choose an option to migrate only users that have some connections to the spaces you're migrating.

To migrate only referenced users and their groups:

Create a new migration plan in the Confluence Cloud Migration Assistant.
In the Spaces card, select some spaces to be included in your plan.
In the Users and groups card, select the Only users and groups with permissions on selected spaces option.
Select Add to migration and continue.

Selecting users to migrate in the Confluence Cloud Migration Assistant.

Check the number of referenced users and groups

In the next step, on the Review your migration screen, you can check the number of users and groups included in this migration.

'Review your migration' screen from the Confluence Cloud Migration Assistant.

Repeat these steps for all spaces you want to migrate to understand how many users you’ll actually need in cloud and whether migrating only referenced users and groups will keep you below the limit.

Change your user provisioning filters

Depending on how your user provisioning and syncing filters are constructed, you might be syncing more users and groups than necessary, for example including users who are no longer needed or who never even logged in.

Here are some ideas on how to avoid that:

Modify your LDAP (server) or SCIM (cloud) filters to exclude users and groups that are no longer needed or were fixed using other recommendations
Making changes to users and groups in your external directory, and not only the Confluence directory. This will make sure that any updated or removed users and groups won’t be provisioned to cloud

SCIM filters in Atlassian Cloud

You can’t connect an external directory directly to Atlassian Cloud. You will need to use an identity provider in-between. If you wish to modify filters, you’ll need to do it in your identity provider.

Here’s an idea on how to do this with Microsoft:

Scoping users and groups to be provisioned with Microsoft

Here are docs for connecting Atlassian Cloud to identity provider. In some of them, like Okta, you’re able to specify who’s being synced when configuring this connection:

Okta: Learn how to configure user provisioning with Okta
OneLogin: Learn how to configure user provisioning for OneLogin
Azure AD: Learn how to configure user provisioning for Azure AD
Google Cloud:Configure user provisioning with Google Cloud
Google Workspace: Learn how to set up user provisioning for Google Workspace
PingFederate: Learn how to configure user provisioning for PingFederate
JumpCloud: Learn how to configure user provisioning for JumpCloud

Learn more about user provisioning in cloud

LDAP filters in Data Center

Although it’s more important to update your filters on the cloud side, you can also do it in Data Center.

Reduce the number of users synced from LDAP to Confluence

Was this helpful?

It wasn't accurateIt wasn't clearIt wasn't relevant

Still need help?

The Atlassian Community is here for you.

Ask the Community