User provisioning not updating the group - account association

      Issue Summary

      User provisioning not updating the account <--> group association in a specific scenario. 

      Steps to Reproduce

      1. Create a new user in Azure - make sure it is disabled
      2. Create a group in Azure and assign this group to the user
      3. Assign "Atlassian Cloud" app to the group created in step 2
      4. User provisioning will create the group in Atlassian, but the user will not be added to it, as Azure will say the object is not active in the source
      5. Enable the user in Azure
      6. User provisioning will not change anything in Atlassian
      7. I had to do on-demand provisioning for the user. This did create the user in Atlassian, but in the default group (all members ...) and not in the group to which the user is added in Azure!

      Expected Results

      Account should be added to the group once the user is enabled in Azure

      Actual Results

      Account is not added to the expected group

      Workaround

      Re-add the user to the impacted group in Azure (and do an on-demand provisioning) 

            [ACCESS-1384] User provisioning not updating the group - account association

            Pinned comments

            Andrew Delaney added a comment:

            You can use Provisioning on demand to fix this without having to update the user:

            1. In Azure/Entra ID select provision on demand
            2. Select the group the user is missing from in Atlassian Cloud
            3. Select to provision specific users
            4. Select up to 5 impacted users

            The provisioning will say the group was skipped due to RedundantImport, but the add member operation will still take place for the missing members.

            All comments

            fdossantostavares added a comment:

            Can't understand how a big tech company like Atlassian can't have direct contacts for things like this. We pay a lot of $ for Atlassian, same for Microsoft and still need to open multiple cases for features that are "standalone" in every other SaaS solution.

            Drake Sanderson added a comment:

            Thank you for your feedback. This is a known issue that IDPs are not calling our Create API. We have escalated this issue with Microsoft in the past and will continue to reach out to IDPs to address.

            In the meantime, please reach out to Microsoft Entra support: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-get-support

            Taking this action will help escalate this issue within Microsoft so that they will take action to resolve.

            Christopher Capito added a comment:

            Having the same issue. It's not cool.

            Per Löfgren added a comment:

            Could this get some attention please

            Per Löfgren added a comment:

            This is impacting our IAM cycle for the whole Atlassian suite.
            I suggest the bug gets some attention soon since I am sure other companies are affected.
            This bug affects all Enterprise customers.

            Per Löfgren added a comment:

            We really need to get this working,
            It is creating tons of more work for the onboarding team

            Per Löfgren added a comment:

            Any news on this one?
            This is still an issue for us and I am sure other companies as well

            Workaround takes about an hour to fix for each user because of the sync

            Cheers
            Per

            FellowJitster added a comment:

            dae5a2657689 this seems like an issue on the Azure side. If they sent a PATCH request with that user, then there is an issue on our side; if they didn't send the user, then we can't do anything. Can you confirm for me that Azure sent a group PATCH request when the user was deactivated (should be available in Azure logs)? Otherwise, please let me know the times for the following event in UTC and I can look through the requests for this directory and track down whether or not they sent a PATCH request when the deactivated user was added.

            1. when the user was added to the group in a deactivated state in Azure AD.

            Thanks!

            - Ritwik
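
The check requested in the comment above (did the IdP ever send a group PATCH that names the user?) can be run over captured provisioning requests. This is an added example, not code from the ticket or from Atlassian: it assumes the requests are SCIM 2.0 PatchOp messages (RFC 7644), and the log record layout (`time`, `method`, `path`, `body`), the IDs and the timestamps are constructed.

```python
import json
import re

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
FILTER = re.compile(r'members\[value eq "([^"]+)"\]', re.I)

def member_changes(body):
    """Return [(op, member_id)] for the membership operations in a PatchOp body."""
    doc = json.loads(body)
    if PATCH_OP not in doc.get("schemas", []):
        return []
    changes = []
    for op in doc.get("Operations", []):
        name = str(op.get("op", "")).lower()  # capitalisation varies by client
        path = op.get("path") or ""
        value = op.get("value")
        if not path and isinstance(value, dict):  # path-less add/replace form
            path, value = "members", value.get("members", [])
        filtered = FILTER.fullmatch(path)
        if filtered:  # remove addressed as members[value eq "<id>"]
            changes.append((name, filtered.group(1)))
        elif path.lower() == "members" and isinstance(value, list):
            changes.extend((name, m["value"]) for m in value if "value" in m)
    return changes

def patches_touching(records, group_id, user_id):
    """List (time, op) for PATCH /Groups/<group_id> requests that name user_id."""
    hits = []
    for rec in records:
        if rec["method"] != "PATCH" or not rec["path"].endswith("/Groups/" + group_id):
            continue
        hits += [(rec["time"], op) for op, mid in member_changes(rec["body"]) if mid == user_id]
    return hits

def patch_body(*ops):
    return json.dumps({"schemas": [PATCH_OP], "Operations": list(ops)})

# Constructed request log mirroring the ticket: the group is created, an enabled
# user is added, but no PATCH ever names the user who was disabled at assignment.
SAMPLE = [
    {"time": "2024-01-01T10:00:00Z", "method": "POST", "path": "/scim/Groups",
     "body": json.dumps({"displayName": "example-group", "members": []})},
    {"time": "2024-01-01T10:05:00Z", "method": "PATCH", "path": "/scim/Groups/g-1",
     "body": patch_body({"op": "Add", "path": "members", "value": [{"value": "u-active"}]})},
    {"time": "2024-01-01T11:00:00Z", "method": "PATCH", "path": "/scim/Groups/g-1",
     "body": patch_body({"op": "remove", "path": 'members[value eq "u-other"]'})},
]

if __name__ == "__main__":
    print(patches_touching(SAMPLE, "g-1", "u-disabled"))
    print(patches_touching(SAMPLE, "g-1", "u-active"))
```

An empty result for the affected user means no membership request reached the service provider for that account, which is the case the comment attributes to the IdP side.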

              df1442399d33 Krishna Turlapati Venkata
              dae5a2657689 Rumman Siddiqui (Inactive)
              Affected customers: 19
              Watchers: 23