Too many groups affecting syncing from an identity provider

This insight checks if your total number of groups exceeds the limit of groups you can sync from an identity provider using SCIM.

How does the group count affect syncing?

Atlassian Cloud limits the number of groups you can sync from an identity provider to a single user directory. Having more groups can affect performance and user actions around Jira. If you have more groups than the limit, you can still migrate them (with the risk of the same performance issues), but groups (and their users) above the limit won’t be synced and updated on the cloud side.

Learn more about limits in cloud user provisioning

What’s the recommendation?

You should reduce the number of groups below the limit to make sure syncing works correctly and that you don’t experience any performance issues in the future. If you’re unable to do it, you can request to increase the limit for your organization.

Here are actions you can take:

• Delete empty or unused groups

• Migrate only users that are referenced in your projects

• Change user provisioning filters on the cloud side

• Request to increase the limit

Delete empty groups

Identify empty or unused groups

When viewing this recommendation from the dashboard, select View all groups in Jira. It will take you to the user management page in your Jira instance.

Alternatively, you can go to Administration, then User management, then Groups.

Delete empty or unused groups

To delete empty groups:

1. On the Groups page, review the groups that have 0 or few users.

2. Make the list of groups that could be deleted.

3. Some empty groups might include nested groups. They’re empty only because they work as high-level containers for nested groups. Make sure to verify that you aren’t deleting such groups if they’re needed.

You can delete empty or unused groups directly in Jira, but you should also make the same changes in your external directory so the groups aren’t provisioned to cloud.

Migrate only users referenced in projects

When you migrate projects in the Jira Cloud Migration Assistant, you’ll have an option to migrate only users referenced in these projects, excluding all the rest.

Migrate only users referenced in selected projects

You can choose an option to migrate referenced users after you add projects to your migration plan.

To migrate only referenced users:

1. Create a new migration plan in the Jira Cloud Migration Assistant.

2. Select the Choose what to migrate method, so you can manually select the data.

3. In the Projects card, select some projects to be included in your plan.

4. In the Users and groups card, select the Only users and groups related to the selected projects option. Learn more about the options you can choose

You can skip selecting data in other cards, such as Roadmap plans or Apps.

Check the number of referenced users and groups

You can check the number of referenced users and groups in the pre-migration report.

To download the pre-migration report:

1. Continue through the pre-migration checks until you reach the Review your migration screen.

2. In the Logs and reports tab, download the pre-migration report.

3. Extract the archive, and look at the following files:

• Summary: The file includes the number of users and groups included in migration.

• Users and groups: The files includes the details of referenced users and groups, and the projects they’re referenced in.

Repeat these steps for all projects you want to migrate to understand how many users you’ll actually need in cloud. When viewing the pre-migration report, make a list of referenced users and groups so you can exclude them from your provisioning and syncing filters on the cloud side.

Change user provisioning filters on the cloud side

Depending on how your user provisioning and syncing filters are constructed, you might be syncing more users and groups than necessary, for example including users who are no longer needed or who never even logged in.

Here are some ideas on how to avoid that:

• Modify your LDAP (server) or SCIM (cloud) filters to exclude users and groups that are no longer needed or were fixed using other recommendations

• Making changes to users and groups in your external directory, and not only the Jira directory. This will make sure that any updated or removed users and groups won’t be provisioned to cloud

SCIM filters in Atlassian Cloud

You can’t connect an external directory directly to Atlassian Cloud. You will need to use an identity provider in-between. If you wish to modify filters, you’ll need to do it in your identity provider.

Here’s an idea on how to do this with Microsoft:

• Scoping users and groups to be provisioned with Microsoft

Here are docs for connecting Atlassian Cloud to identity provider. In some of them, like Okta, you’re able to specify who’s being synced when configuring this connection:

• Okta: Learn how to configure user provisioning with Okta

• OneLogin: Learn how to configure user provisioning for OneLogin

• Azure AD: Learn how to configure user provisioning for Azure AD

• Google Cloud:Configure user provisioning with Google Cloud

• Google Workspace: Learn how to set up user provisioning for Google Workspace

• PingFederate: Learn how to configure user provisioning for PingFederate

• JumpCloud: Learn how to configure user provisioning for JumpCloud

Learn more about user provisioning in cloud

LDAP filters in Data Center

Although it’s more important to update your filters on the cloud side, you can also do it in Data Center. This will let you delete some users more easily (for example, users with no content in Jira are deleted automatically after being excluded from syncing), and try some changes on your existing user base.

Reduce the number of users synced from LDAP to Jira

Request to increase the limit

If you’re unable to bring the number below the limit, we can manually increase the limit for your organization. You should treat this option as the last resort, because it can affect performance.

Make sure that you accept the following risks before you request the increase:

• Performance issues

• User interface issues

• User experience issues

• Issues with applying permissions to large groups

To increase the limit, raise a Support ticket for cloud Support by choosing Technical issues and bugs in the contact form with the following data: