Provision and sync users from an identity provider
Make changes in your identity provider to users and groups and sync them to your Atlassian organization.
We’re currently rolling out changes that affect the content on this page. From your organization at admin.atlassian.com, if the Users list and Groups list are under the Directory tab, you have the improved user management experience. We’ll note changes for the improved experience in the content below. |
Note this difference if you have the improved user management experience: any references to “organization’s site(s)” in this section are now “organization”.
When you’ve connected to G Suite, any updates you make to user accounts in G Suite will sync to those accounts in your organization’s site(s), overwriting any changes made to the Atlassian account.
Because we automatically verify the domains of your G Suite account, you’ll be able to manage account details for users on your domains that don’t sync from G Suite. These users will receive an email informing them that their account is now managed. Learn more about managed accounts and domain verification.
If you noticed a change in your organization admin settings, it’s because we migrated all G Suite connections to a new experience starting November 11, 2020.
You’ll need to be an organization admin to access organization-level tasks like:
provisioning user groups
syncing all users to a new group or sync specific groups to your organization
enabling and disabling automatic syncing
If you’re not an organization admin and you’d like to continue administering G Suite, please reach out to an organization admin to become one.
Before you sync your G Suite, you’ll need to set up your sync settings. These settings will appear on the Setup page.
We offer a subscription to Atlassian Access with all the G Suite settings to better manage users and security. We also offer a free version of G Suite with fewer settings.
Here’s a breakdown of the different settings:
Settings | Without Atlassian Access | With Atlassian Access |
Description | Description | |
Update sync status |
Enable and disable syncing |
Enable and disable syncing |
Select users to sync | Sync all users | Sync specific groups with their users |
Deactivate accounts | When you suspend, archive, or delete accounts in your G Suite, you need to deactivate the account manually in your organization | Automatically deactivate accounts in your organization that you suspend, archive, or delete in your G Suite |
Personalize email invites | Add a personal message in an email to new users | Add a personal message in an email to new users |
User login | Users have a choice about how they log in, either with Google or with Atlassian | Require synced users to log in only with Google |
Disconnect G Suite account | When you disconnect, we don't save any of your G Suite settings. You can start syncing your users again by setting up another connection to G Suite. | When you disconnect, we don't save any of your G Suite settings. You can start syncing your users again by setting up another connection to G Suite. |
The G Suite syncing process is a one-way sync. Any changes you make to G Suite will be reflected in Atlassian. Organization admins grant product access to a synced group or groups.
To choose how to sync:
Go to admin.atlassian.com. Select your organization if you have more than one.
Select Directory > G Suite.
This step is different if you have the improved user management experience. Select Settings > G Suite.
Select Sync all
To sync all existing and future users to a new group of G Suite users. Here’s an example of syncing all groups from your G Suite to your organization.
3. Select Sync specific groups with their users
To sync specific groups with their users, you’ll need a subscription to Atlassian Access.
Syncing specific groups with their users is a more convenient form of managing users since you can assign users to a specific group. Here’s an example of syncing specific groups from your G Suite to your organization.
After a sync is complete, you need to give product access to new users.
To grant product access for new users:
Go to admin.atlassian.com. Select your organization if you have more than one.
Select Product access in the left nav.
This step is different if you have the improved user management experience. Select Products, then for the product you want to grant access to, select Manage Access.
Add groups that have new users to products.
You can enable and disable the syncing process at any time.
When you enable sync, your users sync from G Suite every 4 hours. When you disable sync, previously synced users maintain product access and your Google authentication setting still applies
When we create Atlassian accounts for new users during a sync, we automatically email them Atlassian account, product access, and login details. You can choose to add a personal message to the email with special instructions.
To automatically deactivate accounts, you’ll need a subscription to Atlassian Access.
When you suspend, archive, or delete accounts in your G Suite, we automatically deactivate those accounts in your organization.
To require users to log in with Google, you’ll need a subscription to Atlassian Access.
G Suite authentication policies apply when users log in to your Atlassian products with Google. By default, both synced and unsynced users from G Suite choose whether to log in with Google or their Atlassian account.
If you opt for requiring users to log in with Google, we’ll share this in the email invite that we send to users with other account information.
If you recently noticed a change in your authentication settings
Beginning the week of March 15th, we started migrating G Suite single sign-on and other settings to your new authentication policies.
You can configure your security settings in authentication policies. Authentication policies give you the flexibility to configure multiple security levels for different user sets within your organization.
Authentication policies also reduce risk by giving you the ability to test different single sign-on configurations on a subset of users before rolling them out to your whole company.
To enforce G Suite in an authentication policy:
If this is your first time setting up G Suite, navigate to G Suite setup.
If you’ve already set up G Suite, navigate to G Suite settings.
Select Enforce Google login for your users.
Select Edit policies and follow the prompts.
Learn more about editing authentication settings and members.
You can manage your G Suite groups, users, and product access for your organization at any time.
To manage users and product access:
Go to admin.atlassian.com. Select your organization if you have more than one.
Select Product access in the left nav.
This step is different if you have the improved user management experience. Select Products, then for the product you want to grant access to, select Manage Access.
To manage groups, go to your external G Suite to make group changes.
Note this difference if you have the improved user management experience: any references to “Atlassian site(s)” in this section are now “Atlassian organization”.
When you set up user provisioning, you may run into the situation where your groups in your Atlassian sites have the same names as groups in your identity provider (IDP).
When you sync, we’ll warn you about duplicate group names between your IDP and your Atlassian sites. You’ll then be able to accept or reject changes to group members before you sync those groups. Learn more about resolving group conflicts before you sync.
Was this helpful?