Atlassian Guard / ACCESS-1388

Deleting provisioned user at IdP does not deactivate the user on Atlassian

    • 39
    • Severity 3 - Minor

      Thank you for your feedback. This is a known issue that IDPs are not calling our Delete API. We have escalated this issue with Microsoft in the past and will continue to reach out to IDPs to address.

      In the meantime, please reach out to Microsoft Entra support: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-get-support

      Taking this action will help escalate this issue within Microsoft so that they will take action to resolve.

      Issue Summary

      Deleting a user from Identity Providers does not deactivate the user in the Atlassian directory and the SCIM data is orphaned for the user.

      Steps to Reproduce

      1. Sync a user from your IdP to the Atlassian directory via user provisioning.
      2. Delete the user directly in your IdP directory, not from the Atlassian Cloud application.
      3. This will remove the user assignment from the application and the IdP directory.
      4. The next provisioning cycle does not deactivate the account at Atlassian Cloud; the user stays active in Atlassian and the SCIM data is orphaned.

      Expected Results

      The user should get deactivated over the next provisioning cycle.

      Actual Results

      The IdP never sends further updates about the user to Atlassian Cloud, causing a desync. The Atlassian Accounts get locked in an orphaned state since the user still belongs to the provisioning scope and their Atlassian Account does not deactivate.

      Workaround

      1. Recreate the user on your IdP, add the user to the provisioning scope, and wait for it to be provisioned. Deactivate the account at the IdP and wait for this to be synced. Then delete the account from the IdP.
      2. Use the User provisioning REST APIs to delete the orphaned provisioning record. Contact Atlassian Support if help is required.
      3. Run a manual on-demand provisioning after deleting the user from AD. This will deactivate the user in the Atlassian directory.
      4. Delete the current SCIM user provisioning configuration from Atlassian. This will allow you to manage accounts locally in Atlassian AdminHub (admin.atlassian.com). Reconnect after the necessary adjustments are made.
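
The desync described above can be detected by comparing the IdP's current user list with the accounts the SCIM directory still reports as active. This is an added example, not code from Atlassian or from the reporter: it parses constructed RFC 7644 ListResponse pages, and the IdP export field names `objectId` and `upn`, the helper names and all sample values are assumptions.

```python
import json

def _page(start, resources):
    # Build one constructed RFC 7644 ListResponse page (hypothetical helper).
    return json.dumps({
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": 4, "startIndex": start, "itemsPerPage": 2,
        "Resources": resources})

# Constructed sample data: what the SCIM directory still holds.
SCIM_PAGES = [
    _page(1, [{"id": "a1", "externalId": "idp-001", "userName": "Alice@example.com", "active": True},
              {"id": "b2", "externalId": "idp-002", "userName": "bob@example.com", "active": True}]),
    _page(3, [{"id": "c3", "externalId": "idp-003", "userName": "carol@example.com", "active": False},
              {"id": "d4", "externalId": "idp-004", "userName": "dave@example.com", "active": True}]),
]
# Constructed IdP export after bob and carol were deleted; dave was re-created.
IDP_USERS = [{"objectId": "idp-001", "upn": "alice@example.com"},
             {"objectId": "idp-009", "upn": "dave@example.com"}]

def iter_scim_users(pages):
    """Yield user resources from ListResponse pages; fail on a short listing."""
    seen, total = 0, None
    for raw in pages:
        page = json.loads(raw)
        total = page["totalResults"]
        for res in page.get("Resources", []):
            seen += 1
            yield res
    if total is not None and seen != total:
        raise ValueError(f"incomplete listing: got {seen} of {total} users")

def find_orphans(pages, idp_users):
    """Return (id, userName) of accounts still active but absent from the IdP."""
    idp_ids = {u["objectId"] for u in idp_users}
    idp_names = {u["upn"].casefold() for u in idp_users}
    orphans = []
    for user in iter_scim_users(pages):
        if not user.get("active", False):
            continue  # already deactivated
        if user.get("externalId") in idp_ids:
            continue  # still linked to a live IdP object
        if user["userName"].casefold() in idp_names:
            continue  # same login under a new IdP id (re-created user)
        orphans.append((user["id"], user["userName"]))
    return sorted(orphans)

if __name__ == "__main__":
    print(find_orphans(SCIM_PAGES, IDP_USERS))
```

The check refuses to report on a truncated listing, since a missing page would hide exactly the accounts it is meant to find.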


            jhaloot made changes -
            Workflow Original: JAC Bug Workflow v3 [ 4226838 ] New: JAC Bug Workflow v4 [ 4567646 ]
            Andre Borzzatto made changes -
            Resolution New: Done [ 17 ]
            Status Original: Gathering Impact [ 12072 ] New: Closed [ 6 ]

            Andre Borzzatto added a comment -

            Thank you all for voting and sharing your comments in this bug report.
            We have identified that the issue was fixed on Microsoft's side, causing the functionality to work now in Atlassian.

            If you are still facing similar issues, please do open a ticket with Atlassian support so we can guide you through any configuration problems that might be causing this issue on your end.

            Have a good one everybody!

              Unassigned
              Jayant Suneja
              Affected customers: 72
              Watchers: 52