Verify a domain to manage accounts

Which user management experience do you have?

To check, go to your organization at admin.atlassian.com and select Directory. If the Users and Groups lists are found here, then you are using the centralized user management. Learn more about the centralized user management

We’ll note these changes in the support documentation below.

Original

Centralized

As a site administrator or organization admin, Users is found under Product site.

Original user management png

As an organization admin, Users is found under Directory tab.

Centralized user management png

 

When you claim accounts, we let users know with the domain that your organization manages their account when they go to their profile.

As an organization admin, you can verify your company’s domain to prove that you own all user accounts with that domain. Your company’s domain is everything that comes after the @ symbol in the email addresses of your users’ accounts. For example, Atlassian owns the domain atlassian.com. Note that you can’t use Atlassian Access (soon to be Atlassian Guard Standard) with a public domain as your organization doesn’t own that domain.

When you verify a domain for your organization, you do two things: 1) verify ownership of your company’s domain and 2) claim users' accounts with that domain. Verifying a domain gives you two benefits:

  • More control over the Atlassian accounts on your company’s domain – those accounts become managed accounts, which means you can edit, delete, or deactivate their accounts.

  • The ability to apply security policies to your managed accounts – you may want to require log in with two-step verification or set up SAML single sign-on so that policies from your identity provider apply to all Atlassian accounts. You can do both by subscribing to Atlassian Access (soon to be Atlassian Guard Standard).

Verified domains in your organization

Imagine your company is called Acme Inc., and it owns the acme.com and acme.co.uk domains. After you verify both domains and claim their accounts, you can go to the Managed accounts page of your Atlassian organization and edit user details. 

With a subscription to Atlassian Access (soon to be Atlassian Guard Standard), you can apply security policies to the managed accounts of your users.

You can still give product access to users with a different domain, such as sarah@vendor.com. Since these users aren't managed accounts, you won't be able to apply your security policies to them. 

Your organization consisting of managed accounts under your 2 domains.

When you claim accounts, more users than you expect may have accounts with your company’s domain. You may see accounts in your organization for users that don't use your company’s Atlassian products.

Verify ownership of your domain

You can verify ownership of your company’s domain (or multiple domains) in two ways:

  • HTTPS —Upload an HTML file to the root folder of your domain's website.

  • DNS TXT—Copy a TXT record to your domain name system (DNS).

Verify over HTTPS

To host the HTML file, you must use HTTPS and valid SSL certificate from a certificate authority (self-signed certificates won't work).

You can only verify domains with one (1) redirection to a www domain. For example, if your domain is example.com, we can verify your domain if we locate the HTML file at https://example.com/atlassian-domain-verification.html or at https://www.example.com/atlassian-domain-verification.html.

We won’t be able to verify your domain at any other location.

After verification is successful, we periodically check the verification file for security purposes. If you delete from your domain, we won't be able to tell that you still own your domain, and your domain will lose its verification status and any security policies for that domain, including SAML single sign-on

To verify your domain over HTTPS:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. From the HTTPS tab, download the atlassian-domain-verification.html file.

  4. Upload the HTML file to the root directory of your domain's webserver.

  5. Return to the Domains page of your Atlassian administration and click Verify domain.

  6. Keep your HTTPS as the method, enter the domain you want to verify in the Domain field, and click Verify domain.

If we can find the HTML file on your webserver, your domain is verified and the Claim accounts screen opens. The next section covers what to do when you land on the Claim accounts screen.

Verify over DNS

After verification is successful, we'll periodically check your DNS host for the txt record. If someone deletes or updates the txt record with incorrect information, we'll send you an email letting you know that you have a certain amount of time to update the txt record. If you don't, your domain will lose its verification status and any security policies for that domain, including SAML single sign-on, won't be effective.

To verify your domain using DNS:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. From the DNS tab, copy the txt record to your clipboard.

  4. Go to your DNS host and find the settings page for adding a new record.

  5. Select the option for adding a new record and paste the txt record to the Value field (may be named Answer or Description).

  6. Your DNS record may have the following fields:

    • Record type: Enter 'TXT'

    • Name/Host/Alias: Leave the default (@ or blank)

    • Time to live (TTL): Enter '86400'

  7. Save the record.

  8. Return to the Domains page of your Atlassian administration and click Verify domain.

  9. Keep your TXT Record as the method, enter the domain you want to verify in the Domain field, and click Verify domain.

Depending on your DNS host, it may take up to 72 hours for your domain to verify and DNS changes to take effect, which is why the domain in the Domains table will have an UNVERIFIED status. After 72 hours pass, click Verify domain next to the domain you want to verify and from the dialog that appears.

Once you have verified your domain, your domain will be in a verified state but you will not have claimed your user accounts. The next section covers what to do when you land on the Claim accounts screen.

Verify domain screen where you enter a domain and we check to verify your ownership of the dokmain

What is account claim for a domain?

As part of the domain verification process, you claim the accounts on your domain. Because anyone can create an Atlassian account, more users with your domain than you expect may have an Atlassian account. To find out which accounts on your domain have Atlassian accounts, you can export and review a list of the accounts before you claim them.

You can only claim accounts for a domain that’s verified. From the table at the bottom of the Domains page, you’ll see a VERIFIED status. If you see an UNVERIFIED status, you need to verify your domain before you can claim any accounts.

What are the different ways I can claim accounts?

When your IT team is centralized in one department, you can easily manage and claim all your accounts. We recommend you claim all the accounts from a domain because this allows you to:

  • manage users more effectively

  • apply security settings automatically to users

We claim all existing accounts and any new accounts as they are created. We can only claim accounts that are available to claim. An account is available when another organization hasn’t claimed them yet. Choose this setting if you provision accounts with SAML Just-in-time. We add new accounts to your default authentication policy.

Learn more about SAML Just-in-time

When your IT team is distributed and not in one department, you may need to only claim some accounts for a domain. When you choose to claim some accounts, you manually upload a CSV file of the accounts you want to claim.

If you provision users with your identity provider to your organization, we automatically claim the accounts.

Review accounts before you claim

Review the accounts from a domain before you claim them. To review individual accounts and the products they access, export a CSV file of the domain’s accounts.

To export a CSV file of the accounts:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Select Claim accounts for a domain.

  4. Select Export users.

You will receive an email with a link to the CSV file.
It may take a few minutes to receive the CSV file in your email when you have a large number of accounts. The unique download link in the email expires in 24 hours. Other organization admins can download the file with the link.

Claim accounts

You can either claim all or some accounts from a verified domain. When you choose to claim all accounts, we automatically claim accounts from a verified domain. When you choose some accounts, you decide when to manually claim some accounts from a verified domain.

To claim all accounts:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Select Claim accounts for a domain.

  4. Select Claim accounts.

You’ll receive an email when we’re done claiming the accounts. If you have a lot of accounts it can take awhile.

To claim some accounts:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Select Claim accounts for a domain.

  4. Select Claim accounts you add to a CSV file for a domain.

  5. Upload a CSV file with a single column of email accounts you want to claim.

    1. Add up to 10,000 email addresses in each CSV file.

    2. The file can't exceed 5MB.

You’ll receive an email when we’re done claiming the accounts. If you have a lot of accounts it can take awhile.

Claim accounts synced from an identity provider

When you provision users with your identity provider to your organization, we automatically claim the accounts.

Learn more about user provisioning

Claim account settings

These are your available settings for when you claim accounts for a domain.

Claim account settings

Description

Claim accounts

Claim all or some users accounts for a verified domain.

Change claim setting-automatically

Automatically claim new accounts from this domain. Choose this setting if you provision accounts with SAML Just-in-time.

Change claim setting-manually

Decide to manually claim some accounts from this domain. Claim accounts you add to a CSV file.

Unclaim accounts

When you unclaim accounts, you no longer manage the accounts. We remove the accounts from your authentication policies. Users don’t lose their product access.

Remove domain

When you remove a domain from your list of verified domains, you no longer manage the users with that domain and the users don’t appear on your Managed account page or in your authentication policies.

Available to claim

Accounts that have not been claimed and so could be claimed by any organization admin.

Change claim settings

You can claim new accounts in two different ways, either automatically or manually.

Claim new accounts automatically

When you are claiming new accounts manually and want to claim automatically, we add new accounts to your default authentication policy.

To claim new accounts automatically:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Select Change claim setting for a domain.

  4. Select Automatically claim new accounts.

Claim some new accounts manually

When you are claiming new accounts automatically and want to claim them manually, we no longer claim new accounts when they’re created.

To claim new accounts manually:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Select Change claim setting for a domain.

  4. Select Manually claim new accounts.

The next time you want to manually claim accounts, upload a CSV file with a single column of email accounts you want to claim.

  • Add up to 10,000 email addresses in each CSV file.

  • The file can't exceed 5MB.

Unclaim accounts

When you unclaim accounts, you no longer manage the accounts and we remove the accounts from your authentication policies. Even though these accounts are no longer managed, users still keep their product access.

To unclaim accounts:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Select Unclaim accounts for a domain.

  4. Upload a CSV file with a single column of email accounts you want to unclaim.

    1. Add up to 10,000 email addresses in each CSV file.

    2. The file can't exceed 5MB.

When you unclaim accounts, we notify users on their profiles that your organization no longer manages their accounts.

If you need to, you can claim the accounts again.

Remove a verified domain

When you remove a domain from your list of verified domains, we no longer manage the users with that domain and the users won't appear on your Managed account page or in their authentication policies. Users must log in with their email and password.

If the domain you remove is associated with an identity provider, we remove the domain from your identity provider directory.

To remove a verified domain:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. From your domain in the Domains table, select Remove domain, next to the domain, and verify you want to remove it.

When you remove the domain, we let users know that your organization no longer manages their accounts.

Notify claimed user accounts

When you claim or unclaim accounts, we let users know that your organization manages or no longer manages their accounts in two ways:

  1. Notifications – Users receive updates in the product.

  2. Profile and visibility – Users manage personal account information.

Notification of managed account
Banner on a profile page notifying the user that an admin now mangages their account

Change your domain name

You may want to change your name if you need to change the address of your company website and the emails associated with its domain. Here are some of the common reasons you may want to change your domain:

  • Your company acquired another company

  • Your company is rebranding

  • Your company was sold to another company

A few factors determine the path you take when you change your domain name and email addresses:

  • How you provision users to Atlassian: with an identity provider using System for Cross-Domain Identity Management (SCIM) or by inviting users manually

  • How users log in with SAML single sign-on

  • Whether you want a domain change for the same, new, or a different Atlassian organization

When you change your domain name, you’re also changing the domain name in your user’s email addresses, for example, abc@domain.com to abc@newdomain.com. Changing the domain in your existing Atlassian accounts allows you to keep the same account history.

Procedures to change domain
For a smooth transition, follow the instructions based on the setup that applies to you. This way, you’ll avoid:

  • Losing access to your admin controls in admin.atlassian.com

  • Users losing access to historical data from their “old” domain and account

  • Users being unable to log in with SAML single sign-on

  • Users waiting 14 days to access accounts for the new domain name

Procedures for changing and moving domains

Depending on how you manage your users dictates the process you’ll follow. You have two paths to choose from. Select the one that works for how you provision users:

  1. Manually invite users to Atlassian

  2. Automatically provision users to Atlassian through SCIM

Change or move a domain when you manually invite users

To change domain names and email accounts, you need to verify your old and new domains and claim their accounts in the same Atlassian organization.

To change a domain name:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Verify your new domain and claim its email accounts.

  4. Make sure your old domain is still verified and claim its email accounts.

  5. To manually change the old email to the new email.

    1. Go to Directory> Managed accounts.

    2. Select the user and change to a new email.

  6. To automate the domain name change in your emails.

    1. Use REST API set email.

Move a domain and its email accounts to a new organization

You may want to move a domain from an existing to a new organization. In this case, you’ll need to schedule downtime. When you move a domain, we don’t apply Atlassian Access (soon to be Atlassian Guard Standard)security features for the same accounts in the existing organization.

To move a domain to a new organization:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Remove the new domain from your existing organization.

  4. In the new organization, verify the new domain and claim its email accounts.

Change or move a domain when you provision users with SCIM

To change domain names and email accounts, you need to verify your old and new domains and claim their accounts in the same Atlassian organization.

To change a domain name:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Verify the new domain that your email accounts will be moved to.

  4. Check that you’ve verified the old domain and claimed its email accounts.

  5. Make sure the old email accounts are in your identity provider.

  6. Sync old accounts from your identity provider to Atlassian.

  7. After you sync, change emails in your identity provider to the new domain to keep the history of the old accounts.

Move a domain and its email accounts to a new organization

You may want to move a domain from an existing to a new organization. In this case, you’ll need to schedule downtime. When you move a domain, we don’t applyAtlassian Access (soon to be Atlassian Guard Standard) security features for the same accounts in the existing organization.

To move a domain:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. This step is different depending on your user management experience:
    - Original: Select Directory > Domains.
    - Centralized: Select Settings > Domains.

  3. Remove the new domain from your existing organization.

  4. In the new organization, verify and claim accounts for the domain you want to move.

  5. Make sure all the email accounts for your new domain are in your identity provider.

  6. Connect your identity provider to your new organization.

  7. Sync the email accounts from your identity provider to Atlassian.

Move domains with SAML SSO

For users to log in with SAML, you’ll need to do an additional step to enable SAML SSO on the new domain in the new organization. We recommend you contact Atlassian support to remove the SAML identity of all the users on the old domain.

Maintain your verified domain

This section discusses issues that may arise when verifying a domain.

You have multiple domains or subdomains

You can verify multiple domains and subdomains under a single organization. All you need to do is to repeat the steps on this page with each domain that want to claim. Because we don’t automatically verify sub domains, such as us.acme.com and eu.acme.com, you need to manually verify each subdomain as well.

Another organization already verified the domain

If someone else has already verified the domain, we’ll display a warning message letting you know. In this situation, someone at your company might have verified the domain under another organization. We recommend that you find an admin of that organization and ask them to remove the domain from its list of verified domains. If you aren't sure who to ask, contact support.

A CMS manages your website

You may not be able to directly add a file to your website's root folder. As a workaround, you can copy the verification token from the downloaded file and publish it to an existing page that's less than 256kB in the same location (https://example.com/atlassian-domain-verification.html). This way should successfully verify your domain.

You're using Google Workspace

Your users authenticate with Google. Because you verify your domain as part of your integration with Google, you can't verify your domain from your site. If you want to verify your domain, you'll need to disconnect the G Suite integration.

If your users for another domain aren't connected through Google Workspace, you can still verify that domain and subscribe to Atlassian Access (soon to be Atlassian Guard Standard) security policies for that domain.

You want to verify a domain that you don't own

To protect the privacy and security of Atlassian's users, it's not possible to verify domains that you don't own.

If you'd like to apply Atlassian Access (soon to be Atlassian Guard Standard) security policies for these users, ask them to change their email address to a domain that you can then verify, or invite them to create Atlassian accounts that use email addresses from the domain.

Remove a verified domain

When you remove a domain from your list of verified domains, the users with that domain are no longer managed and won't appear on your Managed account page.

To remove a verified domain, click Remove next to the domain and verify that you want to remove it. We let the users know that your organization no longer manages their accounts in two places:

  1. Notifications – Users receive updates in the product.

  2. Profile and visibility – Users manage personal account information.

 

Additional Help