Switch from SCIM to Azure AD for nested groups

Before you begin

When you switch from one identity provider to another, you want to avoid losing content mapped to users, avoid downtime, and avoid breaking something.

If you provision users from Azure Active Directory over SCIM, you can delete the SCIM configuration and configure Azure AD for nested groups instead. You can’t use both methods at the same time.

Here’s what you need to know before you make the switch:

Available attribute mapping

The custom integration, Azure AD for nested groups, uses specific attributes to map your Azure Active Directory to your Atlassian organization. This means when you map your attributes, you can only use Azure AD’s predefined attributes. You won’t be able to map any custom attributes between Azure AD and your Atlassian organization. Check out the attribute mapping list

An organization with many groups and memberships

When you switch and connect to Azure AD for nested groups, your identity provider directory (synced through SCIM) no longer exists. This means you need to sync all your groups and users again.

After you connect Azure AD for nested groups to your Atlassian organization, the more groups and group memberships you have, the longer it takes to sync.

Existing users and groups

The users and groups in your organization keep their product access. When you complete the initial sync with Azure AD for nested groups, we match users to the ones from your identity provider with their primary email addresses. Learn about setting up sync settings

Delete user provisioning configuration

To delete user provisioning with SCIM:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Identity providers.

  3. Select your Identity provider Directory.

  4. From the menu, select Delete configuration.

To stop user provisioning in Microsoft Azure Active Directory:

  1. In the Microsoft Azure platform, open the Atlassian cloud application you use for provisioning.

  2. Select Stop provisioning.

Configure user provisioning with Azure AD for nested groups

After you delete user provisioning with SCIM, you can configure Azure AD for nested groups. Connect your Azure Active Directory

SAML single sign-on

If you configured SAML single sign-on, you need to delete it. Then when you connect the new identity provider, Azure AD for nested groups, you need to configure SAML again.

To delete SAML single sign-on:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Security > Identity providers.

  3. Select your Identity provider Directory.

  4. From the menu, select View SAML.

  5. Select Delete configuration.

Learn how to configure SAML single sign-on with an identity provider

After you configure SAML, you can require users to log in with SAML single sign-on. Learn more about login enforcement

 


