Switch from SCIM to Azure AD for nested groups
Before you begin
When you switch from one identity provider to another, you want to avoid losing content mapped to users, avoid downtime, and avoid breaking anything.
If you provision users from Azure Active Directory over SCIM, you can delete the SCIM configuration and configure Azure AD for nested groups instead. You can't use both methods at the same time.
Here’s what you need to know before you make the switch:
Available attribute mapping
The custom integration, Azure AD for nested groups, uses specific attributes to map your Azure Active Directory to your Atlassian organization. This means that when you map your attributes, you can only use Azure AD's predefined attributes. You won't be able to map any custom attributes between Azure AD and your Atlassian organization. Check out the attribute mapping list.
An organization with many groups and memberships
When you switch and connect to Azure AD for nested groups, your identity provider directory (synced through SCIM) no longer exists. This means you need to sync all your groups and users again.
After you connect Azure AD for nested groups to your Atlassian organization, the more groups and group memberships you have, the longer it takes to sync.
Existing users and groups
The users and groups in your organization keep their product access. When you complete the initial sync with Azure AD for nested groups, we match existing users to the ones from your identity provider by their primary email addresses. Learn about setting up sync settings.
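A pre-switch check for the matching described above, as an added example that is not Atlassian's own tooling: it compares an export of existing users against an export of Azure AD users and lists the accounts that share no primary email address. The CSV column names (email, mail, userPrincipalName), the sample rows, and the case-insensitive comparison are assumptions made for this example.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions for this example.
ATLASSIAN_CSV = """email,groups
alice@example.com,jira-admins
Bob@Example.com,jira-users
carol@example.com,confluence-users
"""
AZURE_CSV = """mail,userPrincipalName
alice@example.com,alice@example.com
bob@example.com,bob@example.com
carol.new@example.com,carol@example.com
,dave@example.com
"""

def norm(addr):
    # Assumption: comparison ignores case and surrounding whitespace.
    return (addr or "").strip().lower()

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(atlassian_text, azure_text):
    existing = {norm(r["email"]) for r in rows(atlassian_text)} - {""}
    azure_rows = rows(azure_text)
    azure_mail = {norm(r["mail"]) for r in azure_rows} - {""}
    return {
        # Existing accounts with no directory user sharing their email.
        "unmatched_existing": sorted(existing - azure_mail),
        # Directory users with no existing account under that email.
        "new_from_azure": sorted(azure_mail - existing),
        # Directory users with no mail value to match on at all.
        "missing_mail": sorted(
            norm(r["userPrincipalName"]) for r in azure_rows if not norm(r["mail"])
        ),
    }

if __name__ == "__main__":
    for key, values in reconcile(ATLASSIAN_CSV, AZURE_CSV).items():
        print(f"{key}: {values}")
```

Review every address in the three lists before you delete the SCIM configuration, so that a changed or missing email address is corrected in the directory first.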
Delete user provisioning configuration
To delete user provisioning with SCIM:
1. Go to admin.atlassian.com. Select your organization if you have more than one.
2. Select Security > Identity providers.
3. Select your Identity provider Directory.
4. From the menu, select Delete configuration.
To stop user provisioning in Microsoft Azure Active Directory:
1. In the Microsoft Azure platform, open the Atlassian cloud application you use for provisioning.
2. Select Stop provisioning.
Configure user provisioning with Azure AD for nested groups
After you delete user provisioning with SCIM, you can configure Azure AD for nested groups. Connect your Azure Active Directory
SAML single sign-on
If you configured SAML single sign-on, you need to delete it. Then when you connect the new identity provider, Azure AD for nested groups, you need to configure SAML again.
To delete SAML single sign-on:
1. Go to admin.atlassian.com. Select your organization if you have more than one.
2. Select Security > Identity providers.
3. Select your Identity provider Directory.
4. From the menu, select View SAML.
5. Select Delete configuration.
Learn how to configure SAML single sign-on with an identity provider
After you configure SAML, you can require users to log in with SAML single sign-on. Learn more about login enforcement