Provision and sync users from an identity provider
Make changes in your identity provider to users and groups and sync them to your Atlassian organization.
After you connect to Azure AD, you can set up sync settings to enable automatic syncing, select users and groups to sync, choose domains to be verified, and send emails to new user accounts.
To set up user syncing:
1. Go to admin.atlassian.com. Select your organization if you have more than one.
2. Select Security > Identity providers.
3. Select your identity provider directory.
The settings appear only if you haven’t started a sync yet. If you only see the sync status, select Edit to view and edit the settings.
You can sync up to 10,000 users to a group at a time. For example, if you have 20,000 users in a group, you need to split the 20,000 users into 2 groups, each with 10,000 users. You can then sync each group of 10,000. You can add other groups in subsequent syncs.
Setting | Description |
---|---|
Set sync status | After you start the sync, we sync your users every 4 hours. To enable automatic syncing, select Sync after you save the settings.<br>When you disable automatic syncing, you need to sync manually. |
Select domains to verify | During a sync, we verify your domains from Azure AD and then claim accounts under these domains. Only users from verified domains can sync. External users are an exception because they always sync regardless of the domain they belong to. A domain needs to meet the following requirements to be verified:<br>You have two options:<br>We verify all domains from Azure AD that meet the requirements.<br>Specify domains to be verified before saving settings. |
Select users to sync | We sync all users and groups that exist in Azure AD. When you create new users and groups in Azure AD, they are included in the next sync.<br>You can select groups you want to sync. We sync these groups, with their users and nested groups. When you create new users and nested groups, they are included in the next sync. We flatten the nested groups and keep their memberships. |
Send email to users | During a sync, we create accounts for new users. You can choose whether to send an email to users about their new accounts. |
Sync users
To start syncing your users, select Sync. We show you a confirmation message with the details of your sync, including:
- Groups and domains to be synced
- Any changes from the previous sync, such as groups you removed
Once you start the sync, you won’t be able to stop it. You can edit the sync settings, but your changes apply to the next sync.
Save and sync later
If you’d like to only save your settings, select Save and sync later. You need to select Sync to enable automatic syncing.
To enable automatic syncing:
1. Go to admin.atlassian.com. Select your organization if you have more than one.
2. Select Security > Identity providers.
3. Select your identity provider directory.
4. Select Enable automatic syncing.
5. Select Sync.
You must set up and complete a sync before you can set up SAML single sign-on.
By default, users can choose to log in with their Microsoft or Atlassian accounts. You can require users to log in with their Microsoft account through SAML single sign-on. Learn how to require users to log in with SAML single sign-on.
Before you set up SAML, you must complete a sync to claim your domains.
Learn about configuring SAML for your identity provider
Synced users count towards your bill depending on the groups they belong to. Users that belong to groups with product access count toward your bill. If a group didn’t exist before syncing, you need to grant the group product access after syncing.
When groups and users you previously synced are not in your latest sync, we remove product access for them.
When you decide to sync these groups again, you need to grant them product access. You can avoid granting product access again when you choose to sync all previously synced groups from your identity provider.
You can monitor the status of your ongoing and previous syncs. Learn about managing user sync.
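A pre-sync check that applies three rules stated on this page to a planned group selection: the 10,000-user group limit, the verified-domain requirement with its external-user exception, and removal of product access for groups dropped from a sync. This is an added example, not Atlassian code; the export format, field names, the `preflight` function and all sample data are assumptions.

```python
# Added example: models the sync rules as this page states them.
# The data layout and every name below are hypothetical.
from collections import namedtuple

GROUP_LIMIT = 10_000  # page: up to 10,000 users can sync to a group at a time

User = namedtuple("User", "email external")

def preflight(groups, selected, previously_synced, verified_domains):
    """Report what the next sync would reject, skip or revoke.

    groups: dict of group name -> list of User (hypothetical export format)
    selected: group names chosen for this sync
    previously_synced: group names included in the last sync
    verified_domains: domains that will be verified and claimed
    """
    verified = {d.lower() for d in verified_domains}
    report = {"over_limit": {}, "unverified_domain": {}, "loses_access": []}
    for name in sorted(selected):
        members = groups.get(name, [])
        if len(members) > GROUP_LIMIT:
            report["over_limit"][name] = len(members)
        # External users sync regardless of domain; everyone else needs a
        # verified domain.
        skipped = sorted(
            u.email for u in members
            if not u.external
            and u.email.rsplit("@", 1)[-1].lower() not in verified
        )
        if skipped:
            report["unverified_domain"][name] = skipped
    # Groups synced before but absent now have product access removed and
    # need it granted again if they are re-added later.
    report["loses_access"] = sorted(set(previously_synced) - set(selected))
    return report

def sample_report():
    # Constructed sample data.
    big = [User(f"user{i}@example.com", False) for i in range(20_000)]
    groups = {
        "engineering": big,
        "contractors": [User("pat@partner.example", True),
                        User("lee@unclaimed.example", False)],
        "finance": [User("sam@example.com", False)],
    }
    return preflight(groups, selected={"engineering", "contractors"},
                     previously_synced={"engineering", "finance"},
                     verified_domains={"example.com"})

if __name__ == "__main__":
    print(sample_report())
```

Run it against the planned selection before selecting Sync, since a started sync cannot be stopped and setting changes only apply to the next one.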