Suggestion
Resolution: Unresolved
Problem:
In Azure AD, admins can configure attributes for matching between the source and target systems. The following attribute mapping setup can be configured.
| Azure Active Directory Attribute | AtlassianCloud Attribute | Matching precedence |
|---|---|---|
| | emails[type eq "work"].value | 1 |
| | userName | 2 |
In this specific setup, Azure will try to query the emails[type eq "work"].value SCIM attribute for matching purposes, but this will fail because we do not support this filter on the Atlassian side.
Resource : https://api.atlassian.com/scim/directory/DIR_ID/scim/Users?filter=emails[type+eq+"work"].value+eq+"user@email.com"
Operation: GET
Response Status Code: BadRequest
This is quite confusing for admins for the following reasons:
- userName is a supported filter on SCIM but there is no userName attribute on the Atlassian Accounts. The SCIM username value is not easily visible to Atlassian organization administrators.
- emails[type eq "work"].value is the attribute that dictates the email address value for the Atlassian account. This is visible to Atlassian organization administrators.
Suggestion:
Support emails[type eq "work"].value as a filter on the SCIM Users endpoint
Workaround
Do not match the emails[type eq "work"].value attribute in Azure AD attribute mapping.
| Azure Active Directory Attribute | AtlassianCloud Attribute | Matching precedence |
|---|---|---|
| | userName | 1 |
| | emails[type eq "work"].value | <EMPTY> |
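An added illustration, not part of the original ticket and not Atlassian's code: a minimal matcher for the two filter shapes discussed above, showing why the `type eq "work"` selector matters when a provisioning client matches accounts by email. The user records, the function names and the case-insensitive comparison are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample directory (not real Atlassian data).
USERS = [
    {"id": "u1", "userName": "alice-upn",
     "emails": [{"type": "work", "value": "user@email.com"}]},
    {"id": "u2", "userName": "bob-upn",
     "emails": [{"type": "home", "value": "user@email.com"},
                {"type": "work", "value": "bob@email.com"}]},
]

# The two shapes from the ticket: attr eq "v" and attr[sel eq "s"].leaf eq "v"
SIMPLE = re.compile(r'^(\w+) eq "([^"]*)"$')
VALUE_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+) eq "([^"]*)"$')

class UnsupportedFilter(ValueError):
    """A server would answer such a filter with HTTP 400 (BadRequest)."""

def _eq(stored, wanted):
    # Assumption: values are compared case-insensitively.
    return stored is not None and str(stored).lower() == wanted.lower()

def filter_from_url(url):
    # parse_qs decodes '+' to spaces, recovering the filter the client sent.
    return parse_qs(urlsplit(url).query)["filter"][0]

def match_users(filter_expr, users=USERS):
    """Return ids of users matching one of the two supported filter shapes."""
    m = VALUE_PATH.match(filter_expr)
    if m:
        attr, sel_key, sel_val, leaf, wanted = m.groups()
        # Both conditions must hold on the SAME entry of the multi-valued
        # attribute, otherwise a "home" address could match a "work" query.
        return [u["id"] for u in users
                if any(isinstance(e, dict)
                       and _eq(e.get(sel_key), sel_val)
                       and _eq(e.get(leaf), wanted)
                       for e in u.get(attr, []))]
    m = SIMPLE.match(filter_expr)
    if m:
        attr, wanted = m.groups()
        return [u["id"] for u in users if _eq(u.get(attr), wanted)]
    raise UnsupportedFilter(filter_expr)
```

In the sample data `u2` carries the queried address only as a `home` email, so it is not returned for the work-email filter; a matcher that ignored the selector would hand the provisioning client two candidate accounts.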