Manage your organization’s Atlassian accounts
Gain control over your employee's Atlassian accounts.
Which user management experience do you have?
To check, go to your organization at admin.atlassian.com and select Directory. If the Users and Groups lists are found here, then you are using the centralized user management. Learn more about the centralized user management
We’ll note these changes in the support documentation below.
Original | Centralized |
As a site administrator or organization admin, Users is found under Product site. | As an organization admin, Users is found under Directory tab. |
As an organization admin, you can verify your company’s domain to prove that you own all user accounts with that domain. Your company’s domain is everything that comes after the @ symbol in the email addresses of your users’ accounts. For example, Atlassian owns the domain atlassian.com. Note that you can’t use Atlassian Guard Standard with a public domain as your organization doesn’t own that domain.
When you verify a domain for your organization, you do two things:
Verify ownership of your company’s domain
Claim users' accounts with that domain.
Verifying a domain gives you two benefits:
More control over the Atlassian accounts on your company’s domain – those accounts become managed accounts, which means you can edit, delete, or deactivate their accounts.
The ability to apply security policies to your managed accounts – you may want to require log in with two-step verification or set up SAML single sign-on so that policies from your identity provider apply to all Atlassian accounts. You can do both by subscribing to Atlassian Guard Standard.
When you claim accounts, we let users know with the domain that your organization manages their account when they go to their profile.
For example, imagine your company is called Acme Inc., and it owns the acme.com and acme.co.uk domains. After you verify both domains and claim their accounts, you can go to the Managed accounts page of your Atlassian organization and edit user details.
With a subscription to Atlassian Guard Standard, you can apply security policies to the managed accounts of your users.
You can still give product access to users with a different domain, such as sarah@vendor.com. Since these users aren't managed accounts, you won't be able to apply your security policies to them.
You can verify ownership of your company’s domain (or multiple domains) using these methods:
HTTPS — Upload an HTML file to the root folder of your domain's website.
DNS TXT — Copy a TXT record to your domain name system (DNS).
Google Workspace or Microsoft Entra ID (previously Microsoft Azure AD) — Connect these identity providers to your Atlassian organization, and any domains associated with the identity provider will be automatically verified for your organization. Learn how to connect and sync users and groups from your identity provider
To host the HTML file, you must use HTTPS and valid SSL certificate from a certificate authority (self-signed certificates won't work).
You can only verify domains with one (1) redirection to a www domain. For example, if your domain is example.com, we can verify your domain if we locate the HTML file at https://example.com/atlassian-domain-verification.html or at https://www.example.com/atlassian-domain-verification.html.
We won’t be able to verify your domain at any other location.
After verification is successful, we periodically check the verification file for security purposes. If you delete from your domain, we won't be able to tell that you still own your domain, and your domain will lose its verification status and any security policies for that domain, including SAML single sign-on.
To verify your domain over HTTPS:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
From the HTTPS tab, download the atlassian-domain-verification.html file.
Upload the HTML file to the root directory of your domain's webserver.
Return to the Domains page of your Atlassian administration and click Verify domain.
Keep your HTTPS as the method, enter the domain you want to verify in the Domain field, and click Verify domain.
If we can find the HTML file on your webserver, your domain is verified and the Claim accounts screen opens. The next section covers what to do when you land on the Claim accounts screen.
After verification is successful, we'll periodically check your DNS host for the txt record. If someone deletes or updates the txt record with incorrect information, we'll send you an email letting you know that you have a certain amount of time to update the txt record. If you don't, your domain will lose its verification status and any security policies for that domain, including SAML single sign-on, won't be effective.
To verify your domain using DNS:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
From the DNS tab, copy the txt record to your clipboard.
Go to your DNS host and find the settings page for adding a new record.
Select the option for adding a new record and paste the txt record to the Value field (may be named Answer or Description).
Your DNS record may have the following fields:
Record type: Enter 'TXT'
Name/Host/Alias: Leave the default (@ or blank)
Time to live (TTL): Enter '86400'
Save the record.
Return to the Domains page of your Atlassian administration and click Verify domain.
Keep your TXT Record as the method, enter the domain you want to verify in the Domain field, and click Verify domain.
Depending on your DNS host, it may take up to 72 hours for your domain to verify and DNS changes to take effect, which is why the domain in the Domains table will have an UNVERIFIED status. After 72 hours pass, click Verify domain next to the domain you want to verify and from the dialog that appears.
Once you have verified your domain, your domain will be in a verified state but you will not have claimed your user accounts. The next section covers what to do when you land on the Claim accounts screen.
If you’re having issues verifying your domain, we’ve provided guidance to common problems and questions at the bottom of this page.
You should use more than one method to verify you own your company’s domain. This is especially important if you use third-party tools to manage your accounts and depend on authentication policies.
When you verify your domain with multiple methods, you reduce the risk of your domain becoming unverified. For example, using both DNS and HTTPS verification methods means you have a backup, and your domain will remain verified even if one verification method expires.
To verify your domain with additional methods:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
Original: Select Directory > Domains.
Centralized: Select Settings > Domains.
Select the domain you want to verify.
Select Add verification method.
Select the tab for the verification method you want to use.
Follow the instructions to verify your domain with your chosen method.
You can’t verify a domain with the same verification method more than once. When you add new verification methods, only available methods will be shown.
Your domain verification status may change over time. When this happens, it’s important to know how to resolve issues quickly to keep your domain verified and your managed accounts intact.
Here’s an overview of each status and its meaning:
Status | Description |
---|---|
Verified |
|
Unverified |
|
Verified (missing token) |
|
Verified (expires soon) |
|
After we verify you own a domain, you’ll be prompted to claim accounts associated with the domain so you can manage them.
When you claim accounts, you may see more users than you expect already have Atlassian accounts. You may even see accounts in your organization for users who don't use your company’s Atlassian products. This is because anyone can create an Atlassian account.
To find out which accounts on your domain have Atlassian accounts, you can export and review a list of the accounts before you claim them. See ‘Review accounts before you claim’ below for instructions on how to do this.
When your IT team is centralized in one department, you can easily manage and claim all your accounts. We recommend you claim all the accounts from a domain because this allows you to:
manage users more effectively
apply security settings automatically to users
We claim all existing accounts and any new accounts as they are created. We can only claim accounts that are available to claim. An account is available when another organization hasn’t claimed them yet. Choose this setting if you provision accounts with SAML Just-in-time. We add new accounts to your default authentication policy.
Learn more about SAML Just-in-time
When your IT team is distributed and not in one department, you may need to only claim some accounts for a domain. When you choose to claim some accounts, you manually upload a CSV file of the accounts you want to claim.
If you provision users with your identity provider to your organization, we automatically claim the accounts.
Review the accounts from a domain before you claim them. To review individual accounts and the products they access, export a CSV file of the domain’s accounts.
To export a CSV file of the accounts:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Select Claim accounts for a domain.
Select Export users.
You will receive an email with a link to the CSV file.
It may take a few minutes to receive the CSV file in your email when you have a large number of accounts. The unique download link in the email expires in 24 hours. Other organization admins can download the file with the link.
You can either claim all or some accounts from a verified domain. When you choose to claim all accounts, we automatically claim accounts from a verified domain. When you choose some accounts, you decide when to manually claim some accounts from a verified domain.
To claim all accounts:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Select Claim accounts for a domain.
Select Claim accounts.
You’ll receive an email when we’re done claiming the accounts. If you have a lot of accounts it can take awhile.
To claim some accounts:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Select Claim accounts for a domain.
Select Claim accounts you add to a CSV file for a domain.
Upload a CSV file with a single column of email accounts you want to claim.
Add up to 10,000 email addresses in each CSV file.
The file can't exceed 5MB.
You’ll receive an email when we’re done claiming the accounts. If you have a lot of accounts it can take awhile.
You can only claim accounts from a domain you own, a verified domain. You’re unable to claim accounts from domain you don’t own, an unverified domain.
You can claim accounts manually or automatically from a verified domain. You may want to only claim some accounts; you can claim these accounts manually.
When you want to claim your accounts from your identity provider you need to verify the domain for the account.
When you sync users from the identity provider, we automatically claim the accounts.
Learn more about user provisioning
These are your available settings for when you claim accounts for a domain.
Claim account settings | Description |
---|---|
Claim accounts | Claim all or some users accounts for a verified domain. |
Change claim setting-automatically | Automatically claim new accounts from this domain. Choose this setting if you provision accounts with SAML Just-in-time. |
Change claim setting-manually | Decide to manually claim some accounts from this domain. Claim accounts you add to a CSV file. |
Unclaim accounts | When you unclaim accounts, you no longer manage the accounts. We remove the accounts from your authentication policies. Users don’t lose their product access. |
Remove domain | When you remove a domain from your list of verified domains, you no longer manage the users with that domain and the users don’t appear on your Managed account page or in your authentication policies. |
Available to claim | Accounts that have not been claimed and so could be claimed by any organization admin. |
You can claim new accounts in two different ways, either automatically or manually.
When you are claiming new accounts manually and want to claim automatically, we add new accounts to your default authentication policy.
To claim new accounts automatically:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Select Change claim setting for a domain.
Select Automatically claim new accounts.
When you are claiming new accounts automatically and want to claim them manually, we no longer claim new accounts when they’re created.
To claim new accounts manually:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Select Change claim setting for a domain.
Select Manually claim new accounts.
The next time you want to manually claim accounts, upload a CSV file with a single column of email accounts you want to claim.
Add up to 10,000 email addresses in each CSV file.
The file can't exceed 5MB.
When you unclaim accounts, you no longer manage the accounts and we remove the accounts from your authentication policies. Even though these accounts are no longer managed, users still keep their product access.
To unclaim accounts:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Select Unclaim accounts for a domain.
Upload a CSV file with a single column of email accounts you want to unclaim.
Add up to 10,000 email addresses in each CSV file.
The file can't exceed 5MB.
When you unclaim accounts, we notify users on their profiles that your organization no longer manages their accounts.
If you need to, you can claim the accounts again.
When you claim or unclaim accounts, we let users know that your organization manages or no longer manages their accounts in two ways:
Notifications – Users receive updates in the product.
Profile and visibility – Users manage personal account information.
You may want to change your name if you need to change the address of your company website and the emails associated with its domain. Here are some of the common reasons you may want to change your domain:
Your company acquired another company
Your company is rebranding
Your company was sold to another company
A few factors determine the path you take when you change your domain name and email addresses:
How you provision users to Atlassian: with an identity provider using System for Cross-Domain Identity Management (SCIM) or by inviting users manually
How users log in with SAML single sign-on
Whether you want a domain change for the same, new, or a different Atlassian organization
When you change your domain name, you’re also changing the domain name in your user’s email addresses, for example, abc@domain.com to abc@newdomain.com. Changing the domain in your existing Atlassian accounts allows you to keep the same account history.
Procedures to change domain
For a smooth transition, follow the instructions based on the setup that applies to you. This way, you’ll avoid:
Losing access to your admin controls in admin.atlassian.com
Users losing access to historical data from their “old” domain and account
Users being unable to log in with SAML single sign-on
Users waiting 14 days to access accounts for the new domain name
Depending on how you manage your users dictates the process you’ll follow. You have two paths to choose from. Select the one that works for how you provision users:
Manually invite users to Atlassian
Automatically provision users to Atlassian through SCIM
To change domain names and email accounts, you need to verify your old and new domains and claim their accounts in the same Atlassian organization.
To change a domain name:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Verify your new domain and claim its email accounts.
Make sure your old domain is still verified and claim its email accounts.
To manually change the old email to the new email.
Go to Directory> Managed accounts.
Select the user and change to a new email.
To automate the domain name change in your emails.
You may want to move a domain from an existing to a new organization. In this case, you’ll need to schedule downtime. When you move a domain, we don’t apply Atlassian Guard Standardsecurity features for the same accounts in the existing organization.
To move a domain to a new organization:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Remove the new domain from your existing organization.
In the new organization, verify the new domain and claim its email accounts.
To change domain names and email accounts, you need to verify your old and new domains and claim their accounts in the same Atlassian organization.
To change a domain name:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Verify the new domain that your email accounts will be moved to.
Check that you’ve verified the old domain and claimed its email accounts.
Make sure the old email accounts are in your identity provider.
Sync old accounts from your identity provider to Atlassian.
After you sync, change emails in your identity provider to the new domain to keep the history of the old accounts.
You may want to move a domain from an existing to a new organization. In this case, you’ll need to schedule downtime. When you move a domain, we don’t applyAtlassian Guard Standard security features for the same accounts in the existing organization.
To move a domain:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
Remove the new domain from your existing organization.
In the new organization, verify and claim accounts for the domain you want to move.
Make sure all the email accounts for your new domain are in your identity provider.
Connect your identity provider to your new organization.
Sync the email accounts from your identity provider to Atlassian.
Move domains with SAML SSO
For users to log in with SAML, you’ll need to do an additional step to enable SAML SSO on the new domain in the new organization. We recommend you contact Atlassian support to remove the SAML identity of all the users on the old domain.
When you remove a domain from your list of verified domains, we no longer manage the users with that domain and the users won't appear on your Managed account page or in their authentication policies. Users must log in with their email and password.
If the domain you remove is associated with an identity provider, we remove the domain from your identity provider directory.
To remove a verified domain:
Go to admin.atlassian.com. Select your organization if you have more than one.
This step is different depending on your user management experience:
- Original: Select Directory > Domains.
- Centralized: Select Settings > Domains.
From your domain in the Domains table, select Remove domain, next to the domain, and verify you want to remove it.
When you remove the domain, we let users know that your organization no longer manages their accounts.
This section discusses issues that may arise when verifying a domain.
You can verify multiple domains and subdomains under a single organization. All you need to do is to repeat the steps on this page with each domain that want to claim. Because we don’t automatically verify sub domains, such as us.acme.com and eu.acme.com, you need to manually verify each subdomain as well.
If someone else has already verified the domain when trying to set a claim setting, we’ll display a warning message letting you know. In this situation, someone at your company might have verified the domain under another organization. We recommend that you choose to claim manually. If you want to claim automatically or aren't sure, contact support.
You may not be able to directly add a file to your website's root folder. As a workaround, you can copy the verification token from the downloaded file and publish it to an existing page that's less than 256kB in the same location (https://example.com/atlassian-domain-verification.html). This way should successfully verify your domain.
Your users authenticate with Google. Because you verify your domain as part of your integration with Google, you can't verify your domain from your site. If you want to verify your domain, you'll need to disconnect the G Suite integration.
If your users for another domain aren't connected through Google Workspace, you can still verify that domain and subscribe to Atlassian Guard Standard security policies for that domain.
To protect the privacy and security of Atlassian's users, it's not possible to verify domains that you don't own.
If you'd like to apply Atlassian Guard Standard security policies for these users, ask them to change their email address to a domain that you can then verify, or invite them to create Atlassian accounts that use email addresses from the domain.
Was this helpful?