[ACCESS-1468] Allow Administrators to control managed users' associated sites and products


      Atlassian Update - 6 October 2023

      Thank you for your active participation and feedback following our announcement of product requests. We want to address some of the feedback we’ve heard and share our strategy for addressing shadow IT risks now and going forward.
      The Cloud Enterprise (CE) plan solves the challenges of customers operating our products at a large scale by addressing their complexity, governance, advanced security, and compliance needs. The Atlassian Access product solves for more foundational security requirements and provides identity and access management support. We have implemented solutions for shadow IT risks based on customer differentiation in both CE and Atlassian Access.

      The product requests feature will help our CE customers in large, complex environments more closely monitor shadow IT risks as they scale, bolstering our advanced security pillar of CE. For customers with Atlassian Access, we will be adding enhancements to Automatic Product Discovery (APD). The first enhancement is scheduled for release this month and will introduce a new “last active date” field to APD.

      With this enhancement, admins will be able to visit the ‘Discovered Products’ tab within Atlassian Administration and easily identify long inactive shadow IT instances and prioritize recently active ones to take action on. The next APD enhancement will provide org admins with one-click access to ‘join’, or add themselves to, shadow IT instances and take over the management of said instance. 

      In order to track our progress and gain more targeted feedback moving forward, we will now close this ticket and have created separate, linked tickets to address your concerns in smaller forums.

      1. The enhancements to Automatic Product Discovery for the ‘add admin’ feature
      2. The request for product request controls in Trello
      3. The request for product request controls in Bitbucket
      4. The ability to remove managed users from external sites

      Best, Griffin

      As an administrator, I would like to have the ability to control and configure permissions to my organization's managed accounts. These permissions are:

      • Ability to create new sites for Jira, Confluence, JSD
      • Ability to create new Bitbucket or Trello accounts
      • Ability to join sites or products external to the organization
      • Ability to remove managed users from external sites
      • Ability to remove access to specific products

      Current impact

      Not being able to have these controls allows managed accounts to join or create sites under the company's email domain, possibly causing an undesired increase in the Atlassian Access billing, which on some occasions might hit the license seat limit.

       


            Robert Condon added a comment -

            What even is the point of having this on Enterprise?

            I'm sure 99% of us are here because we want to control our Atlassian Access bill, and it's free/included in Enterprise plans for Confluence, Jira Software and JSM, so there's not even a significant use case for Enterprise

            Although I suspect that's the point.......

            Mark Benson added a comment -

            Based on the changes sent out today it seems like this now is a thing, and is being rolled out - something we've wanted for a long time.

            However unless I am mistaken it appears to be paywalled behind Enterprise
            Way to screw the smaller orgs who still have users going out and creating their own unsanctioned free instances of the products...

            I'd prefer to just straight up turn it off though, none of our global admins want a bunch of random "I'd like my own Trello instance" requests.
            Also a bit difficult to learn more about it as the link just goes to a 404 currently.

            Prevent your users from signing up for products

            ROLLING OUT

            With an Enterprise plan, you can now prevent your managed accounts from signing up for products on their own. When they try to sign up for a product, we send them to a page where they enter details about how they plan to use the product. You can review all your users' requests, from the Product requests page. Learn more about product requests

            To prevent users from signing up for products:

            1. Go to admin.atlassian.com. Select your organization if you have more than one.
            2. Select Security > Product requests.
            3. Select Update request settings.
            4. Find the products that you want to prevent users from signing up for. For each product, select the dropdown under Request setting and select Require admin review.

            Stephan van Hienen added a comment -

            @Chuck,

            But then you need the password (and mfa) for all users...
            Not really an option in a big company.

            Chuck Alexander added a comment -

            I tried this with users, and it worked.

            You just have to log in to Trello as the user and leave their boards (delete them if you don't have the option to leave) and delete their workspaces. Instructions on how to do so are below.

            Leaving a board in Trello | Trello | Atlassian Support: https://support.atlassian.com/trello/docs/leaving-a-board-in-trello/

            Deleting a Workspace | Trello | Atlassian Support: https://support.atlassian.com/trello/docs/deleting-a-workspace/

            Brent Thayer added a comment -

            Are we sure that the summer release is going to solve the Trello problem or is this only going to stop the spinning up of new "instances" or sites initially? I would hate for the first release to not address the biggest problem for most users.

            Tom Hawkins added a comment -

            @Elizabeth Lee, as a new Atlassian Access user I'd be happy to provide feedback, thanks @David Meredith for the link!

            alastairbor added a comment -

            This seems like a lot of effort to solve the "free Trello users are chargeable on Access" problem. There should be a way to kick off (or not charge) for users that have these free Trello accounts. A future-looking approval process doesn't address that.

            Noelia Valverde added a comment -

            Same problem. We can't delete users from Trello free

            James Doyle added a comment -

            We are just moving to the Cloud and right out the gate Trello users are causing us issues with our Access Count. Makes no sense we do not have the ability to control these users' accounts to knock them out of Trello or better yet if they are on a Free version of Trello it does not count against our access count.

            David Meredith added a comment -

            I'm happy to offer additional input and feedback.

            Most customers I work with feel this pain...

            I've given ACE talks and written articles on how to streamline billable users:
            https://uk.devoteam.com/expert-view/atlassian-access-streamline-your-billable-users/

            Karen Rogalski added a comment -

            Volunteer here for Feedback.

            Ravi Radhakrishnan added a comment -

            I can provide feedback. Thanks for asking,

            Ravi

            Ivan Shtanichev added a comment -

            Hi ca57b5189732, thanks for the update, I would be happy to give feedback.

            Pablo Marín Asensio added a comment -

            Same as Esther here. The very cause of this ticket is that our users create new instances unknowingly / unfaithfully. If we have to rely on them asking voluntarily for permission to create new instances, we might very well forget it...

            Nick E Buono added a comment -

            I'd be happy to provide feedback as an org admin!

            Adam Buckingham added a comment -

            @Elizabeth Lee - more than happy to provide feedback on Discovered Products.

            Adam.

            Elizabeth Lee added a comment - edited

            Hi everyone,

            My name is Elizabeth, and I am a product manager working on Discovered Products. We are conducting research to improve Discovered Products, and we’re looking for Org Admins who would be willing to provide feedback to us about their experience with Discovered Products. Please comment here if you would like to set up a 30-minute session to discuss your thoughts.

            Our feedback collection process will end July 28th, 2023. Thank you!

            Esther Strom [ACP-JA] added a comment -

            @griffin jones:

            "Product Requests will give admins the ability to deny new product instances from being spun up through a lightweight ticketing system."

            How exactly will this work? Will the attempt to spin up a new instance automatically create a new ticket in this proposed system, or will it rely on users creating a ticket to request a new instance? If the latter, that's not a very good solution, as it relies on the honor system. We already can't trust users to not spin up instances; why would we trust them to use this new ticketing system?

            Dale Alexander added a comment -

            Agree with the sentiment of the other replies here particularly for Trello. Once a domain is managed the admin must have the control to lock users out and remove boards created under the domain. Relying on having the users have to login, particularly when many have left, is not a valid solution.

            Nicole Shepherd added a comment -

            The update from Atlassian in October seems to only apply to NEW instances. What about the old existing ones that need cleaned up?

            tpatterson added a comment -

            This is a major fail on Trello/Atlassian’s part.  Several years and you still have not fixed it.   Bad form.  What good is an enterprise account if users can just go out and continue to create stuff outside of the Enterprise while still using an enterprise provided email address?  This is crazy.  I can’t even begin to imagine what the heck your guys were thinking. 


            Matthew Challenger added a comment -

            I don't know if the same would apply for Bitbucket, but when we first implemented Jira, we had a large number of users with prior Trello accounts which we weren't aware of once we converted them to managed accounts.

            We found the easiest thing to do was to give them a bit of notice (in case they wanted to export any info) before requesting Atlassian hard-delete their accounts. Once the account was deleted, the user(s) signed back in via SSO and there were no more links to past Trello instances.

            Stephan van Hienen added a comment -

            Asher,

            I don't think this will help.
            For example my account (with Atlassian access) still lists Bitbucket but when opening Bitbucket my only option is to create a new workspace.
            I deleted all my workspaces, but Bitbucket is still being shown/billed with Atlassian access.

            For my account not an issue since I'm using other Atlassian products (jira/confluence) but we also have some users only linked with bitbucket....

            Asher Francis added a comment -

            Stephan, they're introducing license management for Bitbucket in early 2024 for existing customers. See the latest comments from Atlassian here:

            https://jira.atlassian.com/browse/ID-6733

            Stephan van Hienen added a comment -

            It's not only Trello, we also have some users with Bitbucket.
            And you can't delete your Bitbucket account...

            Jesslin Chen added a comment -

            @griffin - Does that only refer to Product Instance? Does that include Trello because that's also a problem especially we have no control on people signing up an account.

            CJ Edwards added a comment - edited

            Add one for Trello, bam, no more problem

            just like the other Toggles for

            Software

            Confluence

            JSM

            Atlas

            Bah can't add image

            Ravi Radhakrishnan added a comment -

            How about a better way to manage Trello subscriptions? It is not as straightforward as contacting the admin of a discovered product. What happens if the admin changes the email to personal email and all users are still using the domain email addresses, what options do we have?

            The fact that there is no way to put policies around approved products and sites and Atlassian Access to work within the approved products/sites is an issue. I do not see the enhancements covering that.

            Griffin Jones added a comment -

            f4ee8ec1a852,

            You can contact our support team to start the process of taking over their account and the subsequent products that they own. Please see: https://support.atlassian.com/security-and-access-policies/docs/how-to-work-with-admins-of-discovered-products/

            Best,

            Griffin

            David Meredith added a comment -

            I'm happy that this is a 'stop the bleed' type activity / functionality... Which is nice, it'll stop things from getting worse.

            However I'm sure you'll be getting feedback that there needs to be far more done to remediate the existing products that claimed domains have signed up for in the past which regularly impact on customers bills.

            We've stayed tuned since Access came out. Please share with the community what next steps are being worked on to address the problem of existing users that have claimed products already.

            Adam England added a comment -

            @Griffin

            What about existing products that are already costing us with unnecessary licensing with Access?

            Griffin Jones added a comment -

            Hi everyone,

            We’re excited to share our latest update on this ticket. Since our last post, we’ve made significant progress, and plan to ship the first iteration of this feature this summer.

            In early 2023, we presented our proposed solution, named Product Requests, to our Customer Advisory Board (CAB). Our CAB has highlighted their need to control managed users' and user-generated instances for some time, and we’re happy with our upcoming feature capabilities. Product Requests will give admins the ability to deny new product instances from being spun up through a lightweight ticketing system.

            We plan to ship Product Requests in late summer 2023. Stay tuned for more, and thanks for the feedback and engagement.

            Best,

            Griffin

            Ravi Radhakrishnan added a comment -

            Atlassian does not understand enterprise support. This is another example. Frustrating!

            lisa.jackson added a comment -

            Thank you both so much. It is ridiculous. I am currently removing products created by people no longer with the company and the hoops you have to jump through are insane. Being admin should mean complete control - not only control over certain things and in other areas users can do what they like!

            Chuck Alexander added a comment -

            Lisa, I opened a helpdesk request with Atlassian and had them send me an export of the directory. Then I sorted on users that had Trello.

            I then called Atlassian billing and was informed that due to their privacy policy, each individual user must respond and personally ask via email to have your Trello account deleted.

            I emailed them to reply to all on the email for the helpdesk request and ask that their Trello account be deleted and it worked.

            The fact that Atlassian provides no way other than this for administrators or end users to delete their Trello accounts is ridiculous.

            Thanks,

            Chuck

            Asher Francis added a comment -

            Lisa, if you're using Atlassian Access, go to https://admin.atlassian.com/ then click on "Directory" and in the "Product access" dropdown, choose "Trello". This will list any users who have signed up to Trello using your managed domain accounts.

            lisa.jackson added a comment -

            How can we see how many Trello accounts are out there created by people with our domains that we manage - why are they not shown with the discovered products?

            Adam Lamb added a comment -

            Really need this feature, it's crazy that we're being asked to pay for Atlassian Access fees for old Trello accounts that are no longer being used! Will we be given a refund for all of the additional Atlassian Access fees we've paid?


            Scott Windus added a comment - edited

            As the Org/Site Admin of my account, it's honestly hard to comprehend that I do not have the ability to block staff in our domain from adding products. We subscribe to Atlassian Access as well, and given the substantial cost of that, it is seriously lacking in functionality and control. Very disappointing that this ticket has been running for 3 years, regardless of the necessity of it. Please Atlassian, stop working on new bells and whistles until you can make the core system do the basics.

            Not having this basic level of control, on an expensive cloud app is like leaving the door to your apartment open, trusting the other building residents won't let themselves in. You wouldn't do it at home, don't force your subscribing org admins to do it with our accounts.

            If you can't practice zero trust.... you are completely out of touch with modern workplace technology and information security and that is just not acceptable. 

            I'm sorry if this sounds harsh, but come on... seriously. Security and administrative control by those of us paying for these tenancies has to take higher priority.


            Tony Chen added a comment -

            Adminssss, where are you? were you sleeping on these product features?

            It's like you have a nice house, nice car, want to show everybody, and brag about it, but you lost the fking key to the house! It's embarrassing. 

            David Baverstock added a comment - This issue being left unresolved for so long is costing Atlassian Access users money that shouldn't need to be spent, wasted on the fact we don't have the control we need over our own verified domains.

            Karl Herger added a comment -

            This has thrown a massive spanner in the works for my organisation's migration from JSM Server to Cloud. I no longer am confident the migration can proceed with this issue outstanding.

            According to Atlassian's documentation, a user is not considered billable if:

            • "They have a Jira Service Management portal customer account (portal customers who have an Atlassian account are covered by Atlassian Access features, but only agents count as unique billable users)."

            However, if any of my 2,500+ customers (in addition to people who have long left the company) have at any point over the past 4 years decided to sign up for a free Trello account they are inexplicably regarded as billable. This is not clearly articulated in Atlassian's documentation - documentation which me and it would appear, countless others have relied on to inform their migration efforts and budgets.

            Needless to say I was shocked to see hundreds of inactive Trello accounts across my domain regarded as billable users on Atlassian Access with no ability to unlink Trello or manage the accounts without killing access to all Atlassian products (thereby removing customer portal access!)

            How is it possible that a product claiming to provide 'enhanced governance' and 'enterprise-grade access management' can allow any staff member to just create a free Trello account at any time and subsequently result in us getting charged without our knowledge?

            Consumers have the right to expect certain things when they purchase a product or service. In Australia these rights are protected under consumer law. It is evident in this ticket that Atlassian's marketing around Access does appear to be incongruent with what is actually being provided in the product. It feels misleading.

            Please provide an update on what is happening with this issue.

            CJ Edwards added a comment -

            Is this on a roadmap we can see anywhere? this is a huge problem still

             

            jbruijntjes added a comment - Bump

            Bump

            rebecca.percell added a comment - Please prioritize this item!  It is very important that our Org Admins be able to control managed users' associated sites and products.

            attila.balazs added a comment - Bump

            John Tran added a comment -

            Bump.

            Tyler Stephens added a comment - This is a serious headache for our organization, we as Org Admins should at least have the ability to delete these...

            Ravi Radhakrishnan added a comment - While this is in progress, is there a way to discount users who are added to product sites that are not under our control from Atlassian access charges?

            David T Jones added a comment - plz fix k thx bai 

            Dibyandu Roy added a comment - We need, please provide it.

            Remco Haarlemmer added a comment - Bump!!

            Jeff Gunawan added a comment - Bump this as a priority, please.

            Carlos Henrique Gremmelmaier added a comment - Same here. We are paying for that...

            Richard Prigorodon added a comment - Big problem for us as well, becoming a nightmare.

            Greg Roche added a comment -

            This is desperately needed. My organization's users create Jira and Confluence instances without even realizing it. It's a nightmare to get control.  

            Jared Pittman added a comment -

            Adding this summarized response here in addition to feedback provided on CA-2265367. Note that some of this has been altered to be more generalized, more specific details on how this is impacting our organization can be found in the private ticket.

            ...There’s currently a huge gap between what seems like an overstepping sales practice vs. maintaining Enterprise security & governance controls. Some of the comments here call these problems out, although the compliance & controls issues seem to be mixed in with other customers who are frustrated about Trello licensing. Want to make sure that IT controls & compliance concerns are not lost on whoever is working on this issue, which is that users of a corporate-owned domain (@contoso.com for example) are allowed to completely bypass controls & governance in order to spin up new environments within Atlassian on their own in a matter of seconds. This process completely bypasses HIPAA protections and MFA/SSO controls put in place for the corporate-owned domain and happens in a way that administrators who own that domain have zero ability to take control of new sites as they are spun up. The fact that Atlassian acknowledges this in the following article honestly just adds insult to injury: https://support.atlassian.com/organization-administration/docs/what-is-the-impact-of-shadow-it-on-my-organization/

            Atlassian’s sales and product teams have created this provisioning problem, acknowledge its existence, and provide no solution. They are obviously aware of what they are doing, and instead of offering a safe alternative for their Enterprise-grade customers, they instead have continued to acknowledge and promote “shadow IT” provisioning by treating corporate-owned domain email addresses as potential new customers instead of as governed identities...

            Alessandro Rosmo added a comment - This has been picked up, but has any progress been made?

            Jeremy Poulter added a comment - Many of our Trello accounts are inactive or for people that have left the company with disabled accounts so are being billed for Access, like others we need a way to control this so we are only paying for services we are using. We can't depend on users managing this.

            Jesslin Chen added a comment - We really need a way to remove Trello users, or minimally to be able to stop them from signing up and consuming licences unnecessarily. If consuming an Atlassian licence is necessary for Trello users, we should have a way to block them from doing so in the first place, without affecting their other product access to Atlassian (i.e. Portal Customer). We are planning to put all users to internal accounts, essentially becoming a managed account; however, by doing so we actually lose control for Trello (i.e. a user signing up gets an Atlassian licence consumed immediately). This is not an effective way to manage billing.

            Justin Krynicki added a comment - Yes, please provide an update on this. These additional admin privileges are a necessity. 

            Tomislav Tobijas added a comment - Not sure if this would help, but we've found a 'way' for users to remove themselves from Trello products (from being Access billable users in case they only have access to Trello). Here's the guide: Navigate users to remove themselves from Trello (Atlassian Access billing 'issue')

            Roberto Martignano added a comment - - edited

            @Hugh Jinhyun Kim you're correct that the only option is to deactivate the user, but you can keep the SSO.

            You have to change the mail address associated to the Trello user, deactivate the user, and create a brand new user (with the same mail) via User Provisioning.

            The workaround I used in similar occasions is:

            • Contact Atlassian so that they can break the SCIM link for the user using Trello (for ex. peter.parker@acme.com)
            • Once the SCIM link is broken, you can now change the mail address of the user (for ex. peter.parker_OLD@acme.com)
            • Deactivate the user 
              • this will deactivate the user associated to Trello
            • On the next User Provisioning a brand new user will be created for peter.parker@acme.com
              • assign Jira/Confluence licenses
              • enable SSO

            This is helpful for brand new Cloud instances, so that you won't have data associated to users.

            Otherwise you should migrate data too (for ex. where the user is Assignee, Reporter, etc.)

             

            This is far from being easy and smooth, I still can't understand how Atlassian is not aware of this (probably they are).

            Hugh Jinhyun Kim added a comment - We have users who used Trello free version long before 2021, and admin can't even remove their product on Atlassian Access. It just eats up the bill and do nothing. Users don't even know if they used the Trello.. And the only option is to deactivate. To deactivate I have to remove them from SSO, which defeats the purpose of having Atlassian Access. Please have administrators to be able to control products of managed users.

            Adam England added a comment -

            My friends at Atlassian, just adding to the pile again.

            We can't have our users ingest licenses for Atlassian access because they want to trial Trello. We love the fact that our users have our service portal available on SSO free of any charge, this is incredible and an awesome user experience.

            The issue is that they have a lovely trial experience using Trello on a whim, then a grumpy administrator (me in this case) has to pull them out of Single Sign On so they have yet another password to remember. They can't even get rid of Trello without me deleting their Atlassian account and re-syncing them with our IDP - what the hell.

            The other alternative is to pivot on your Atlassian Access pricing models, and I don't want to insinuate this but it makes me feel like you are getting your bang for the buck for organizations who blindly agree to thousands of access licenses so they don't have to feed and water this problem. Globally everywhere is looking at costs and I'm sorry to say this, it's not going to be palatable anymore so please don't just pin a comment from October thinking this will satisfy us that you've got this on your radar.

            Coming from a place of care, every large SaaS provider worth their salt allows checks and balances on this stuff... you're going to get left behind. Not to mention the glaringly obvious management and data black holes this causes with regulatory groups.

            Krista added a comment -

            @Griffin Jones

            Can we at least get some kind of ETA or time frame? This is ridiculous, we haven't heard a peep out of Atlassian since October about this issue. 5 months ago!!
            People comment on this ticket almost daily with their frustrations and yet - nothing.
            This ticket has been open for over three years. That isn't even close to how old some of the tickets I've seen are, which is a very scary thought. How long till this is fixed? 4 years? 5? ....10? 

            Dale Fernandes added a comment - Yes - this is a problem - where I found users who no longer work for my company have created their own instances but I have no oversight or permissions to be able to close it down. I think the ultimate control is that Org Admins must approve the creation of new products/sites.

            Olivier GRALL added a comment - This issue ticket looks more like a blog than a real tracking issue of a professional company. @atlassian, where should we open the issue ticket in order to have it taken in charge?

            Viktoria Jechsmayr added a comment - +1 here too, we also have "shadow" sites, we don't want to have. IT should have the full control of the instances - so we want to restrict our Domain-Members so they can't create an instance without permission.

            Jared Pittman added a comment - - edited

            Not being able to restrict the creation of new "shadow IT" sites puts us in a difficult situation, where IT controls & governance are being bypassed for end-user convenience. As a customer who relies on Enterprise licensing for HIPAA compliance & multi-site capabilities, this one setting allows our employees to bypass all of our controls. This is a significant compliance issue, and isn't something Atlassian should just brush under the rug in order to appease their sales team! Please allow us to restrict non-admins from creating new sites in Jira & Confluence. At a minimum pop up a warning that they may be violating company policies by not going through approved channels. As others have repeatedly said, not having control here is hurting your enterprise customers.

            Nathon Fowlie added a comment - This feature is desperately needed, dare I say it, mandatory for large Enterprise customers. It would be good to provide some timeframes on when it will become available so your customers can adjust their plans accordingly.

            Karen Rogalski added a comment - Same here. We had close to 20 'bogus' sites also. Again unsecured which was big concern for us. We also found employees using their company email addresses while doing outside contract work at other companies' Jira sites.

            Johan Geens added a comment -

            +1 here. It appears that our organisation has about 20 "shadow" (external) sites of Jira, Confluence etc.
            This is for us a major concern because of IP-related content, security etc.
            People who set up those sites usually don't have expert knowledge on how to manage and secure their sites.
            This is something that should be left to the IT department.
            We should have the ability to block the possibility to create those external sites. Furthermore it would be welcome if Atlassian displays a message or so forwarding them to the organisation's IT department when someone tries to create a site.

            This needs to be fixed quickly - Thank you.

            Geetanjali Sharma added a comment - Any update when can we expect this!!

            Jeff Pittman added a comment - Do you guys have a potential release date on this yet? I have a customer dealing with an issue as well.

            Ludovic BOYER added a comment - WHEN ???

            Alexandre Abreu added a comment -

            Please make it possible for us to deactivate the TRELLO product and the others through the console, since it makes no sense for us to create a procedure asking users to carry out this kind of removal themselves.

            As administrators of the console, we must have the option to deactivate users' products when necessary.

            Here at the company, the use of TRELLO is not permitted, by decision of the Corporate Security department.

            Please expedite this work as quickly as possible, because this provisioning counts as a license and that generates unnecessary cost for our organization. We currently have 889 accesses that need to be deactivated URGENTLY.

            Note: Communications are already being sent out about not using TRELLO with the corporate e-mail address, so that we have no further cases.

            Adam Public WW Name added a comment - We have found the following workaround: we asked all users whom we detected have a free Trello account to log in and delete all their Trello workspaces (not their account since they cannot delete that). So basically when leaving an empty Trello account with no workspaces seems to count as no Trello product access any more and will stop counting towards Atlassian Access licenses. Maybe this helps someone.

            Alekya Chillakuru added a comment - It's really necessary!!! Please enable ASAP!!!

            ddigioia_pdl added a comment - It is also a security risk.

            Marquita Pruitt added a comment - this feature is needed asap please

            Manuel Drontmann added a comment - - edited

            So, we are not able to remove users WE manage from external managed sites via access? But we have to pay for them, even if they are only e.g., Jira SM customers who actually do not have a paid license in our internal Environment.

            Adam Public WW Name added a comment - Wow, this is a great loophole, a money printing machine! I bet Atlassian Access is the fastest growing product of Atlassian! No one sued you guys for this?

            Ben Finn added a comment -

            This creates unprofitable churn for everyone. When something like this gets approved and an app starts in our system, we need to track down the people and explain the process which means we shut down the trial. Then Atlassian has left a bad and embarrassing taste in the users mouth so they go elsewhere. 

            Houssemeddine ZAYET added a comment - We have deployed Jira Service Management with a premium subscription, but we were surprised to be billed for personal or free Trello and Bitbucket accounts; the IT budget allowed for Atlassian has been exceeded and top management are really upset!

            Mark Crowle-Groves added a comment -

            Created 2020. Disappointing to see it took two years to reach in-progress status. An estimated timeframe would be nice. This gap will ultimately kill Atlassian for our company if not closed.

            Julien Schröder added a comment -

            It would be enough to give options on which accounts to actually claim in the process. Why would I want to claim Trello accounts from former employees that haven't used the product since 2016 anyway?

            Rafal Chomicz added a comment -

            As an org owner, I don't care if a user creates their own organizations. However, there is a problem. We have users (assigned to a policy other than non-billable) that are Customers to Service Desk, and they can create their OWN orgs with products. That adds to OUR org's billing.

            Therefore, I am not asking to restrict freedom on creating own organizations. If that is your policy, that is fine. However, that adds to our billing. So you - Atlassian - do not have the right to bill us for users that we have no control over. If you want to leave the freedom, that is fine, but do not touch our credit card!

            The explanation I got from support was about the admin being informed about a user creating a new org - again, that is information past the moment you added to our billing. If we were five people, that may be viable. But we have been growing by 10 per month for the last 3 years - this is not a sustainable solution.

            As an admin

            I would like to be asked for an approval before a user adds products to our billing

            So I don't need to monitor my billing account and have control over my spending or have an option to reject it.

            OR

            As an admin

            I would like to know that no user can create an account behind my back (e.g. when I am on vacation)

            So I can have full control over user creation and billing within my own org.

            FYI - we found this loophole, and we are resigning from Atlassian Access because of it. We tested and raised it as an issue. After a week we know that there is less work for us not to have Atlassian Access than to have it. Ridiculous!!!

            Adrian Vital added a comment -

            Why would Atlassian hurry to fix a problem that is very profitable to them?

            I have so many users who sign up for "FREE" Trello. These users are not getting informed that their company will be charged for Atlassian Access, and Atlassian Site administrators are not getting notified when the Atlassian Access billed user base increases due to users using their company email on non-company endorsed Atlassian products like Trello or Bitbucket in my case.

            The number of "unauthorized" Atlassian Access charges on my bill now surpasses the legitimate ones. This is crazy!

            kevin.maitland added a comment -

            I'd like to join the 992 other people screaming into the void on this thread.

            So, Atlassian's chargeable flagship enterprise access tool, Atlassian Access, doesn't allow enterprises to reliably manage access to Atlassian's products? And hasn't been addressed in 2 1/2 years?

            The product manager for Atlassian Access ought to be pilloried for this.

            Manuel Venegas added a comment - https://support.atlassian.com/requests/PCS-148294

            Bruno Souza added a comment - https://getsupport.atlassian.com/browse/PCS-148258

            Hanna Pososhenko added a comment - Are there any updates?

            Anthony Gea added a comment -

            I have had a similar issue since one year ago, and no acceptable solution has been provided by Atlassian. Bills should reflect what administrators allow or not within a directory; here it's open bar for an end user to try a product, and then Atlassian sends the bill to the administrators... Atlassian Access billing policies should evolve not to impact administrators or organizations. Easily free products should not be included in Access billing, like "non billable policy".

            hticadmin added a comment -

            We have noticed an issue where auto signed users are getting added to our organization and we are billed for those users. Here we would like to have a feature to bill only those users the admin invited, similar to GitHub. In further discussion with Support, I was informed that this feature is in consideration and development, and for the time being it is recommended to use the non-billable users policy. When I checked, I noticed we should opt for an additional service called Atlassian Access and pay for it. I feel like it is not acceptable; we should have some option to control billed users or have provision to add non-billable users without any additional cost. Please review and support.

            Morten Junker Juul added a comment -

            I have a similar issue: we are paying for Atlassian Access for users that have a Trello account they don't even use anymore.

            Should be possible to have full control over managed accounts and all the Atlassian products they have on the managed account.

            Adam England added a comment -

            Happy New Year Atlassian!

            Just had an excellent email from you saying that I have exceeded my Atlassian Access tier. Some of our adventurous users have installed Trello over the holidays and bounced us back over our licensed amount.

            Will 2023 be the year where the penny drops and we can stop our users from dictating our licensing unknowingly?

            My New Year's resolution is to remain positive with you guys, so starting off strong! 💪🏻 You can do it, we believe in you!

            Gabriele Rosati added a comment -

            We have users with only a Free Trello license that are in the provisioning scope of our identity provider (AzureAD) and with that, they are counted in Atlassian Access billing.

            In the managed accounts, I can't disable Trello for users.

            Most of them are not using it. More than 30 people have a last login time before 2021.

            If I exclude them from the provisioning, they can't access other products as a customer. For example, we use Jira Service Management as a helpdesk for our internal factory. So, it's not a solution for us.

            You force us to pay for something we're not using.

            Stephen Crandell added a comment -

            We are using Access and experiencing the same issue with Basic END USERS creating new products. Why is this still only a Suggestion!!!!

              gjones@atlassian.com Griffin Jones
              rbecker Rodrigo B.
              Votes: 1611
              Watchers: 1047
