Atlassian Guard / ACCESS-1017

Accounts synced from GSuite can't have their Atlassian 2SV reset

      Issue Summary

      The G Suite integration enables admins to let users decide how to log in: either with Google, or with their email + Atlassian password + (eventually) the Atlassian 2SV.

      If users want to log in with Atlassian, and have 2SV (2FA) enforced by the org admin, the admin can't exclude a single user from 2SV (so that the user is able to reset it).

      Steps to Reproduce

      1. Claimed domain, Atlassian Access, managed accounts
      2. Enforce 2SV for everyone
      3. Connect G Suite, but allow users to choose how they want to log in.
      4. One user needs to reset their 2SV

      Expected Results

      The admin should be able to exclude only that user from 2SV, just as it's the case with non-provisioned accounts

      Actual Results

      The Atlassian organization shows that account as provisioned and the admin is asked to go to the identity provider for 2SV, when in fact it's the Atlassian 2SV that needs to be reset

      Workaround

      The admin can only disable the enforcement of 2SV for everyone, to allow that particular user to reset it.

      Authentication policies might help solve this issue, but currently this functionality is not rolled out to 100% of organizations.


            Anusha Rutnam added a comment -

            Atlassian Update - February 2023

            As per this comment I am closing this ticket.

            If you disagree with the closing of this ticket, please add a comment here saying why and we can reopen it.

            pcastillo added a comment -

            We implemented a button on a managed user's page where an admin can reset a user's 2SV (2FA). It's accessible when using Gsuite, but will not show up if the org does not have flexible authentication policies enabled. Instead, a message is shown to direct admins to their Google Workspace Admin console to manage their user's 2SV / 2FA there. I believe this should solve the issue presented here.


            rickclephas added a comment -

            @phani just to be clear. That approach would still require an admin to move the user to an optional 2SV auth policy, right?

            In that case it's basically the same as the previous workaround, meaning the user has to be excluded from 2SV enforcement.

            Although this way you won't spam every user with emails about the updated 2SV policy, so that is better.

            From an admin perspective it would be great if we could just reset the 2SV for a user in the admin interface. This would prevent them from having to keep track of the reset progress and having to enforce 2SV again (when the reset has been completed).

            phani added a comment -

            The user can try this approach:

            If the user still can log in via Google, they can log in and go to https://id.atlassian.com/manage-profile/security/two-step-verification page to reset their 2SV (Generate new emergency key), and then try to log in.

            They need to keep track of the emergency keys until the admin resets the 2SV for that user.

            If the user cannot log in via Google (or any IDP), then the admin has to reset the settings, and the button is not yet provided in the UI.


            phani added a comment -

            clionte

            Looks like the UI is not providing this feature to disable 2SV for IDP-synced users.

            pwang@atlassian.com / njayasankar@atlassian.com  please take a look at this use case

            Thanks,

            Phani


            phani added a comment -

            clionte

            Can you please let me know what the admin is seeing in the `Managed Accounts` page of the user? AFAIK, the `Disable two-step verification` button should be displayed if the user is part of an Optional-2SV auth policy but has 2SV enabled on the user's side.

            If the admin is able to see that button, it can be used to reset the 2sv of the individual user. I am meanwhile testing the case where the user is Google-synced to confirm this.


            Salil added a comment - - edited

            26780379bc17 this is more of an issue for flexauth to look at. db8b9677423c could you take a look?


            Shilpa Kulkarni added a comment -

            swadnerkar Can you please look into this?

            Claudiu Lionte (Inactive) added a comment -

            ajagalpure 26780379bc17 this issue is not resolved even with the rollout of Authentication Policies.

            The org admin can create a new authentication policy that does not enforce 2FA and add the users there. However, the user will be in an authentication policy with 2FA set to Optional, but the 2FA will still be ON, as the admin never manually excluded the user from 2FA. (it's "optional" but it's ON)

            Since the accounts are synced from Google, in the administration area the admin can't exclude that account from 2FA.

            Shilpa Kulkarni added a comment -

            clionte Can you please comment if this is still an open issue?

              db8b9677423c phani
              clionte Claudiu Lionte (Inactive)
              Affected customers: 0
              Watchers: 9