Set up sync settings

The ability to connect Microsoft Azure AD to Atlassian and begin syncing your nested group structure is available to participants in an early access program. Azure AD for nested groups will be generally available soon. Check updates on progress for the release date.


After you connect to Azure AD you can set up sync settings to enable automatic syncing, select users and groups to sync, choose domains to be verified, and send emails to new user accounts.

Set up user syncing

To set up user syncing:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Identity providers.

  3. Select your identity provider directory.

The settings appear only if you haven’t started a sync yet. If you only see the sync status, select Edit to view and edit the settings.

User limit for group sync

You can sync up to 10,000 users to a group at a time. For example, if you have 20,000 users in a group, you need to split the 20,000 users into 2 groups, each with 10,000 users. You can then sync each group of 10,000. You can add other groups in subsequent syncs.

Available sync settings

Setting

Description

Set sync status

  • Enable automatic syncing

After you start the sync, we sync your users every 4 hours. To enable automatic syncing, select Sync after you save the settings.

  • Disable automatic syncing

When you disable automatic syncing, you need to sync manually.

Select domains to verify

During a sync, we verify your domains from Azure AD and then claim accounts under these domains. Only users from verified domains can sync. External users are an exception because they always sync regardless of the domain they belong to.

A domain needs to meet the following requirements to be verified:

  • Must not be used by any other organization

  • Must have the Verified status in Azure AD

You have two options:

  • Verify all available domains

We verify all domains from Azure AD that meet the requirements.

  • Verify only specific domains

Specify the domains to be verified before saving the settings.

Select users to sync

  • Sync all users and groups

We sync all users and groups that exist in Azure AD. When you create new users and groups in Azure AD, they are included in the next sync.

  • Sync specific groups and their users

You can select groups you want to sync. We sync these groups, with their users and nested groups. When you create new users and nested groups, they are included in the next sync.

We flatten the nested groups and keep their memberships.

Send email to users

During a sync, we create accounts for new users. You can choose whether to send an email to users about their new accounts.
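
A pre-sync check of a selected group against the settings above (the 10,000-user limit, domain verification, and nested-group flattening), as an added example that is not Atlassian's code. It assumes flattening gives a group the users of all its nested groups and that the limit applies to the users that would sync; `flatten`, `audit`, the group data, and all addresses are constructed for illustration.

```python
USER_LIMIT = 10_000  # per-group limit stated on this page

# Constructed sample data (not a real Azure AD export format).
GROUPS = {
    "eng": {"users": ["ana@example.com", "bo@example.com"],
            "groups": ["eng-backend", "contractors"]},
    "eng-backend": {"users": ["bo@example.com", "cy@example.com"],
                    "groups": ["eng"]},  # circular nesting on purpose
    "contractors": {"users": ["dee@partner.example", "eli@unverified.example"],
                    "groups": []},
}
VERIFIED = {"example.com"}           # domains with Verified status
EXTERNAL = {"dee@partner.example"}   # external users sync regardless of domain


def flatten(group, groups, seen=None):
    """Return every user reachable from `group` through nested groups."""
    seen = set() if seen is None else seen
    if group in seen:                # already visited: stop on cycles
        return set()
    seen.add(group)
    users = set(groups[group]["users"])
    for child in groups[group]["groups"]:
        users |= flatten(child, groups, seen)
    return users


def audit(selected, groups, verified, external, limit=USER_LIMIT):
    """Report, per selected group, what a sync would pull in."""
    report = {}
    for name in selected:
        members = flatten(name, groups)
        syncable = {u for u in members
                    if u in external or u.rsplit("@", 1)[-1].lower() in verified}
        report[name] = {
            "flattened": len(members),
            "external": sorted(members & external),  # review before granting access
            "skipped": sorted(members - syncable),   # unverified domain, not external
            "over_limit": len(syncable) > limit,     # assumption: limit counts syncable users
        }
    return report


if __name__ == "__main__":
    for group, result in audit(["eng"], GROUPS, VERIFIED, EXTERNAL).items():
        print(group, result)
```

The `external` list is the one to review before granting product access, because those accounts arrive through nesting even though their domain is not verified.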

Start syncing users and review the details

Sync users

To start syncing your users, select Sync. We show you a confirmation message with the details of your sync, including:

  • Groups and domains to be synced

  • Any changes from the previous sync, such as groups you removed

Once you start the sync, you won’t be able to stop it. You can edit the sync settings, but your changes apply to the next sync.

Save and sync later

If you’d like to only save your settings, select Save and sync later. You need to select Sync to enable automatic syncing.

To enable automatic syncing:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Identity providers.

  3. Select your identity provider directory.

  4. Select Enable automatic syncing.

  5. Select Sync.

User login

You must set up and complete a sync before you can set up SAML single sign-on.

By default, users can choose to log in with their Microsoft or Atlassian accounts. You can require users to log in with their Microsoft account through SAML single sign-on. Learn how to require users to log in with SAML single sign-on.

Before you set up SAML, you must complete a sync to claim your domains. Learn about configuring SAML for your identity provider.

Product access

Synced users count towards your bill depending on the groups they belong to. Users that belong to groups with product access count toward your bill. If a group didn’t exist before syncing, you need to grant the group product access after syncing.

Product access for previously synced groups

When groups and users you previously synced are not in your latest sync, we remove product access for them.

When you decide to sync these groups again, you need to grant them product access. You can avoid granting product access again when you choose to sync all previously synced groups from your identity provider.

You can monitor the status of your ongoing and previous syncs. Learn about managing user sync.
