
Allow Administrators to control managed users' associated sites and products

    • 528

      Atlassian Update - 6 October 2023

      Thank you for your active participation and feedback following our announcement of product requests. We want to address some of the feedback we’ve heard and share our strategy for addressing shadow IT risks now and going forward.
      The Cloud Enterprise (CE) plan solves the challenges of customers operating our products at a large scale by addressing their complexity, governance, advanced security, and compliance needs. The Atlassian Access product solves for more foundational security requirements and provides identity and access management support. We have implemented solutions for shadow IT risks based on customer differentiation in both CE and Atlassian Access.

      The product requests feature will help our CE customers in large, complex environments more closely monitor shadow IT risks as they scale, bolstering our advanced security pillar of CE. For customers with Atlassian Access, we will be adding enhancements to Automatic Product Discovery (APD). The first enhancement is scheduled for release this month and will introduce a new “last active date” field to APD.

      With this enhancement, admins will be able to visit the ‘Discovered Products’ tab within Atlassian Administration and easily identify long inactive shadow IT instances and prioritize recently active ones to take action on. The next APD enhancement will provide org admins with one-click access to ‘join’, or add themselves to, shadow IT instances and take over the management of said instance. 

      In order to track our progress and gain more targeted feedback moving forward, we will now close this ticket and have created separate, linked tickets to address your concerns in smaller forums.

      1. The enhancements to Automatic Product Discovery for the ‘add admin’ feature
      2. The request for product request controls in Trello
      3. The request for product request controls in BitBucket
      4. The ability to remove managed users from external sites

      Best, Griffin

      As an administrator, I would like to have the ability to control and configure permissions for my organization's managed accounts. These permissions are:

      • Ability to create new sites for Jira, Confluence, JSD
      • Ability to create new Bitbucket or Trello accounts
      • Ability to join sites or products external to the organization
      • Ability to remove managed users from external sites
      • Ability to remove access to specific products

      Current impact

      Not being able to have these controls allows managed accounts to join or create sites under the company's email domain, possibly causing an undesired increase in the Atlassian Access billing, which on some occasions might hit the license seat limit.

       

            [ACCESS-1468] Allow Administrators to control managed users' associated sites and products

            Ravi Radhakrishnan added a comment -

            The issue is where this product feature belongs. It is a feature of the Atlassian Access product. It is included in the Enterprise subscription. But I believe this is the first time Atlassian has added a feature to Access and only offered it to Enterprise subscriptions (where Access is automatically included) and not the consumer who pays for the Access product separately.

            Esther Strom [ACP-JA] added a comment -

            I'm not saying I agree that this should be an Enterprise-only feature, but for everyone who's complaining that there's no point to it since enterprise already has unlimited Access, remember that there are other considerations at the enterprise level besides cost. Shadow IT can be a security issue as well, and for us, at least, that's definitely a reason to have this functionality available.

            Ravi Radhakrishnan added a comment -

            Access is a product that is sold separately. This is an enhancement to manage the addition of products that directly impact Access costs. So what is the purpose of adding this to the enterprise only where Access is already included and the enterprise users have unlimited instance use rights?

            The product team has no clue about the benefit of the enhancement to the user community they serve!

            Gavin Teichman added a comment -

            The whole desire for this is to prevent JSM customers from then consuming an Access license. We have 30,000 customers in JSM and if they decide to go start a free Trello account it will then cause them to consume an Access license. This is a POOR design at best.
            If this is rolled out for enterprise (which has unlimited Access license) it is near pointless.

            Gavin Teichman added a comment -

            The fact this is enterprise only is an EXTREME money grab.

            Jose da Silva added a comment -

            Team,

            A customer has the following question about the new feature, could you please help?

            Will this feature grant org admins control over these already created sites?
            How will this integrate

            Gavin Teichman added a comment -

            Timeline? This is insane this does not exist already.

            Esther Strom [ACP-JA] added a comment -

            For those of us on bundled release tracks, when can we expect to see the request for products settings in our admin panel?

            Mr. Roger added a comment -

            I take it this is the feature we are talking about:

            https://support.atlassian.com/organization-administration/docs/manage-your-users-requests-for-products/

            Although I am sure Enterprise customers will appreciate the ability to handle their Shadow IT better, this is a problem for everyone that uses Atlassian Cloud products. On top of the security implications, there is the fact that the current system actually bills us for the usage of products that the admins of Atlassian cloud solutions have no control over.

            Atlassian Access is included in an Enterprise subscription, so this feature effectively only solves a small part of the problem that most of the comments in this thread actually have - and have pinned their hope on this feature to solve.

            Can we get a confirmation on whether this feature just "rolls out first" to enterprise customers, or if it will stay "enterprise only"? If the latter, are there other features in the pipeline that will actually solve the problem of Atlassian Access billing outside administrators' control? Or is it 100% intentional that we have to babysit Atlassian cloud daily to not get unpleasant surprises?

            Noelia Valverde added a comment -

            Thanks @Robert Condon. I'll try it.

            Robert Condon added a comment -

            The most reliable method to remove Trello users I have found:

            1. Raise a request with Atlassian to break/remove the SCIM link for the user
            2. Once this is done, you can edit the email address (I add _OLD)
            3. Move the user to a non-billable policy
            4. Re-provision the user
              They will get a new Atlassian account that is not linked to the Trello account

            This is far from ideal because:

            • You will need to reassign all Jira/Confluence items
            • They will not be able to access between steps 2-4 (which in my organisation can take at least a few hours)

            The advantage is you retain the Trello account and can amend to any email address in case of needing to access again in future, and remains instead of being deleted

            Noelia Valverde added a comment -

            How can you tell the users themselves to delete their Trello account? According to the link [Delete your Trello account | Trello | Atlassian Support|https://support.atlassian.com/trello/docs/deleting-your-trello-account/] you have to delete the Atlassian account and that is NOT possible, they have access to other products.

            Tom Penndorf added a comment -

            No, for my understanding, this is only to prevent users from creating new products.

            Nena Kruljac added a comment -

            Will this feature make possible for us to disable Trello users?

            Use cases:

            1. People unintentionally or for exploring purpose joined Trello and they don't actually need it.
            2. People needed it in the past, and they don't need it any more.

            Chris added a comment -

            While I'm glad that I've been able to limit the creation of Team-based projects to myself and those in a small group, I'm deeply troubled that just anyone can stumble upon the settings that allow them to create a whole new instance. I've had this happen twice now in the two years that I've been a site and org admin for our subdomains, and learning that a salesperson or a support agent has either accidentally or intentionally created an entirely new instance where they are lord and master is simply unacceptable. In order to mitigate this situation I need to request access, then teach them how to make me an org admin, and then remove the instance entirely.

            Pay walling the ability to prevent this is, in my opinion, atrocious. 


            Nena Kruljac added a comment -

            Please enable possibility in / for Trello for users to be unsubscribed / deactivated in any way, to avoid unnecessary costs for users who don't need Trello anymore or didn't ever use it / just logged in there (for any reason).

            Alastair Bor added a comment -

            I wonder what type of brand damage this is doing to Trello. We've completely hard-blocked it in our environment now and everyone knows to stay away from it.

            Tristan Martin added a comment -

            What may have been considered a temporary malfunction is now clearly defined as a forced sale.

            I guess now you have to legally contest or leave.

            Joshua Selser added a comment -

            @Asher Francis - this is the Asana model.

            In Asana, users on a team can literally invite anyone, and hit or exceed the license cap. Billing Owners/Admins have zero ability to stop it. Nice to see Atlassian is following others' poor leads on this one.

            Asher Francis added a comment -

            I'm honestly still not sure how Atlassian are getting away with not fixing this for all users, regardless of what plan they're on.

            They are forcing their customers to pay more for users who sign up for FREE software, where those users have NO IDEA that what they're signing up for is not technically free, because it contributes to a bill somewhere else.

            I'm pretty sure what they're doing is actually illegal, and should it be investigated, they would be in a lot of trouble.

            Ravi Radhakrishnan added a comment -

            This is primarily an Access issue and it should have been rolled to all Access clients. Atlassian is trying to find a tiered version for Access and forcing people to go to Enterprise - shame on them.

            Russell Pidwell added a comment -

            Agreed with the recent comments. This should at minimum be included as part of Atlassian Access.

            Alexander Christian added a comment -

            > Hi everyone, We’re excited to share our latest solution for this ticket. Guess what... In order to let you pay less by restricting usage of other Atlassian tools for your own users, we let you pay more to get this exciting new Product Request feature... Win win, or?

            Matthew Challenger added a comment -

            Maybe I missed an update, was there an announcement somewhere that I missed about this being Enterprise-only?

            If so, I'm with everyone else in being very disappointed with this implementation. This would seem like a money grab one way or another, either extra costs to Atlassian are slipped in through unsanctioned sites or the forced upgrade to Enterprise.

            Adrian Vital added a comment -

            @konstantinos Tekelis
            Here's the original Notification:

            Prevent your users from signing up for products

            ROLLING OUT

            With an Enterprise plan, you can now prevent your managed accounts from signing up for products on their own. When they try to sign up for a product, we send them to a page where they enter details about how they plan to use the product. You can review all your users' requests, from the Product requests page. Learn more about product requests
            "

            @atlassian,

            The "Learn More" about this request page appears to be down:

            Konstantinos Tekelis added a comment -

            This is ridiculous, nowhere was it mentioned it would be only for Enterprise plans. Make this make sense Atlassian!!

            Douglas Grilletto added a comment -

            For Enterprise plan only!!!

            So all of us who are "premium" plan have to continue suffering the consequences of a badly designed system that allows users to continue to spin new instances and increasing our Atlassian access bill.

            You're using a problem YOU created to market your enterprise plan. I'm not interested in an upgrade. I want you to fix your badly designed system. I shouldn't have to pay more to get a bug fixed.

            Adrian Vital added a comment - - edited

            For Enterprise plan only!!!

            So all of us who are "premium" plan have to continue suffering the consequences of a badly designed system that allows users to continue to spin new instances and increasing our Atlassian access bill.

            You're using a problem YOU created to market your enterprise plan. I'm not interested in an upgrade. I want you to fix your badly designed system. I shouldn't have to pay more to get a bug fixed.

            Felipe Gracini added a comment -

            ..................................

            Thomas Weston added a comment -

            Agreed - this should be a feature for all Atlassian Access subscriber orgs, not just Enterprise.

            Tom Hawkins added a comment -

            @Griffin Jones, your Atlassian Update - 15 May 2023 doesn't mention it being for Enterprise users ONLY, so is it just that Enterprise users are getting it FIRST? If so, what's the ETA for other tiers? If it's to be ONLY Enterprise users EVER, then agree with @Robert Condon and other commenters.

            Alexander Christian added a comment -

            If it's really only for Enterprise level users: Very big thumbs down ... Atlassian, are you serious

            Robert Condon added a comment -

            What even is the point of having this on Enterprise?

            I'm sure 99% of us are here because we want to control our Atlassian Access bill, and it's free/included in Enterprise plans for Confluence, Jira Software and JSM, so there's not even a significant use case for Enterprise

            Although I suspect that's the point.......

            Mark Benson added a comment -

            Based on the changes sent out today it seems like this now is a thing, and is being rolled out - something we've wanted for a long time.

            However unless I am mistaken it appears to be paywalled behind Enterprise
            Way to screw the smaller orgs who still have users going out and creating their own unsanctioned free instances of the products...

            I'd prefer to just straight up turn it off though, none of our global admins want a bunch of random "I'd like my own Trello instance" requests.
            Also a bit difficult to learn more about it as the link just goes to a 404 currently.

            Prevent your users from signing up for products

            ROLLING OUT

            With an Enterprise plan, you can now prevent your managed accounts from signing up for products on their own. When they try to sign up for a product, we send them to a page where they enter details about how they plan to use the product. You can review all your users' requests, from the Product requests page. Learn more about product requests

            To prevent users from signing up for products:

            1. Go to admin.atlassian.com. Select your organization if you have more than one.
            2. Select Security > Product requests.
            3. Select Update request settings.
            4. Find the products that you want to prevent users from signing up for. For each product, select the dropdown under Request setting and select Require admin review.

            Stephan van Hienen added a comment -

            @Chuck,

            But then you need the password (and MFA) for all users...
            Not really an option in a big company.

            Chuck Alexander added a comment -

            I tried this with users, and it worked.

            You just have to log in to Trello as the user and leave their boards (delete them if you don't have the option to leave) and delete their workspaces. Instructions on how to do so are below.

            [Leaving a board in Trello | Trello | Atlassian Support|https://urldefense.com/v3/__https:/support.atlassian.com/trello/docs/leaving-a-board-in-trello/__;!!IxnR!0NhM9sOlq2ltbylDJlzTALUqDKR4jOKxSc0wp9NtDMjG9Elc6L5YhECVqpIGSSiehXWxV6Hlptlfu6o_OEIxRwJLcs3k$]

            [Deleting a Workspace | Trello | Atlassian Support|https://urldefense.com/v3/__https:/support.atlassian.com/trello/docs/deleting-a-workspace/__;!!IxnR!0NhM9sOlq2ltbylDJlzTALUqDKR4jOKxSc0wp9NtDMjG9Elc6L5YhECVqpIGSSiehXWxV6Hlptlfu6o_OEIxRwbkqjVS$]

            Brent Thayer added a comment -

            Are we sure that the summer release is going to solve the Trello problem or is this only going to stop the spinning up of new "instances" or sites initially? I would hate for the first release to not address the biggest problem for most users.

            Tom Hawkins added a comment -

            @Elizabeth Lee, as a new Atlassian Access user I'd be happy to provide feedback, thanks @David Meredith for the link!

            alastairbor added a comment -

            This seems like a lot of effort to solve the "free Trello users are chargeable on Access" problem. There should be a way to kick off (or not charge) for users that have these free Trello accounts. A future-looking approval process doesn't address that.

            Noelia Valverde added a comment -

            Same problem. We can't delete users from Trello free

            James Doyle added a comment - We are just moving to the Cloud and right out the gate Trello users are causing us issues with our Access Count.   Makes no sense we do not have the ability to control these users account to knock them out of Trello or better yet if they are on a Free version of Trello it does not count against our access count.  

            David Meredith added a comment - I'm happy to offer additional input and feedback. Most customers I work with feel this pain... I've given ACE talks and written articles on how to streamline billable users: https://uk.devoteam.com/expert-view/atlassian-access-streamline-your-billable-users/

            Karen Rogalski added a comment - Volunteer here for Feedback.

            Ravi Radhakrishnan added a comment - I can provide feedback.  Thanks for asking, Ravi

            Ivan Shtanichev added a comment - Hi ca57b5189732 , thanks for the update, I would be happy to give feedback.

            Pablo Marín Asensio added a comment - Same as Esther here. The very cause of this ticket is that our users create new instances unknowingly / unfaithfully. If we have to rely on them asking voluntarily for permission to create new instances, we might very well forget it... 

            Nick E Buono added a comment - I'd be happy to provide feedback as an org admin!

            Adam Buckingham added a comment - @Elizabeth Lee - more than happy to provide feedback on Discovered Products. Adam.

            Elizabeth Lee added a comment - - edited Hi everyone, My name is Elizabeth, and I am a product manager working on Discovered Products. We are conducting research to improve Discovered Products, and we’re looking for Org Admins who would be willing to provide feedback to us about their experience with Discovered Products. Please comment here if you would like to set up a 30-minute session to discuss your thoughts. Our feedback collection process will end July 28th, 2023. Thank you!

            Esther Strom [ACP-JA] added a comment - @griffin jones:   "Product Requests will give admins the ability to deny new product instances from being spun up through a lightweight ticketing system."   How exactly will this work? Will the attempt to spin up a new instance automatically create a new ticket in this proposed system, or will it rely on users creating a ticket to request a new instance? If the latter, that's not a very good solution, as it relies on the honor system. We already can't trust users to not spin up instances; why would we trust them to use this new ticketing system?

            Dale Alexander added a comment - Agree with the sentiment of the other replies here, particularly for Trello. Once a domain is managed the admin must have the control to lock users out and remove boards created under the domain. Relying on having the users have to login, particularly when many have left, is not a valid solution.

            Nicole Shepherd added a comment - The update from Atlassian in October seems to only apply to NEW instances. What about the old existing ones that need cleaned up?

            tpatterson added a comment - This is a major fail on Trello/Atlassian’s part.  Several years and you still have not fixed it.   Bad form.  What good is an enterprise account if users can just go out and continue to create stuff outside of the Enterprise while still using an enterprise provided email address?  This is crazy.  I can’t even begin to imagine what the heck your guys were thinking. 

            Matthew Challenger added a comment - I don't know if the same would apply for Bitbucket, but when we first implemented Jira, we had a large number of users with prior Trello accounts which we weren't aware of once we converted them to managed accounts. We found the easiest thing to do was to give them a bit of notice (in case they wanted to export any info) before requesting Atlassian hard-delete their accounts. Once the account was deleted, the user(s) signed back in via SSO and there were no more links to past Trello instances.

            Stephan van Hienen added a comment - Asher, I don't think this will help. For example my account (with Atlassian access) still lists Bitbucket but when opening Bitbucket my only option is to create a new workspace. I deleted all my workspaces, but Bitbucket is still being shown/billed with Atlassian access. For my account not an issue since I'm using other Atlassian products (jira/confluence) but we also have some users only linked with bitbucket....

            Asher Francis added a comment - Stephan, they're introducing license management for Bitbucket in early 2024 for existing customers. See the latest comments from Atlassian here: https://jira.atlassian.com/browse/ID-6733  

            Stephan van Hienen added a comment - It's not only Trello, we also have some users with Bitbucket. And you can't delete your Bitbucket account...

            Jesslin Chen added a comment - @griffin - Does that only refer to Product Instance? Does that include Trello because that's also a problem especially we have no control on people signing up an account.

            CJ Edwards added a comment - - edited Add one for Trello, bam, no more problem just like the other Toggles for Software Confluence JSM Atlas Bah can't add image

            Ravi Radhakrishnan added a comment - How about a better way to manage Trello subscriptions?  It is not as straightforward as contacting the admin of a discovered product.  What happens if the admin changes the email to personal email and all users are still using the domain email addresses, what options do we have?   The fact that there is no way to put policies around approved products and sites and Atlassian Access to work within the approved products/sites is an issue.  I do not see the enhancements covering that.   

            Griffin Jones added a comment - f4ee8ec1a852 ,  You can contact our support team to start the process of taking over their account and the subsequent products that they own. Please see: https://support.atlassian.com/security-and-access-policies/docs/how-to-work-with-admins-of-discovered-products/   Best, Griffin

            David Meredith added a comment - I'm happy that this is a 'stop the bleed' type activity / functionality... Which is nice, it'll stop things from getting worse. However I'm sure you'll be getting feedback that there needs to be far more done to remediate the existing products that claimed domains have signed up for in the past which regularly impact on customers bills. We've stayed tuned since Access came out. Please share with the community what next steps are being worked on to address the problem of existing users that have claimed products already.

            Adam England added a comment - @Griffin What about existing products that are already costing us with unnecessary licensing with Access?

            Griffin Jones added a comment - Hi everyone, We’re excited to share our latest update on this ticket. Since our last post, we’ve made significant progress, and plan to ship the first iteration of this feature this summer. In early 2023, we presented our proposed solution, named Product Requests, to our Customer Advisory Board (CAB). Our CAB has highlighted their need to control managed users' and user-generated instances for some time, and we’re happy with our upcoming feature capabilities. Product Requests will give admins the ability to deny new product instances from being spun up through a lightweight ticketing system. We plan to ship Product Requests in late summer 2023. Stay tuned for more, and thanks for the feedback and engagement. Best, Griffin

            Ravi Radhakrishnan added a comment - Atlassian does not understand enterprise support. This is another example.  Frustrating!

            lisa.jackson added a comment - Thank you both so much. It is ridiculous. I am currently removing products created by people no longer with the company and the hoops you have to jump through are insane. Being admin should mean complete control - not only control over certain things and in other areas users can do what they like!

            Chuck Alexander added a comment - Lisa, I opened a helpdesk request with Atlassian and had them send me an export of the directory. Then I sorted on users that had Trello. I then called Atlassian billing and was informed that due to their privacy policy, each individual user must respond and personally ask via email to have your Trello account deleted. I emailed them to reply to all on the email for the helpdesk request and ask that their Trello account be deleted and it worked. The fact that Atlassian provides no way other than this for administrators or end users to delete their Trello accounts is ridiculous. Thanks, Chuck

            Asher Francis added a comment - Lisa, if you're using Atlassian Access, go to https://admin.atlassian.com/ then click on "Directory" and in the "Product access" dropdown, choose "Trello". This will list any users who have signed up to Trello using your managed domain accounts.   

            lisa.jackson added a comment - How can we see how many Trello accounts are out there created by people with our domains that we manage - why are they not shown with the discovered products?

            Adam Lamb added a comment - Really need this feature, it's crazy that we're being asked to pay for Atlassian Access fees for old Trello accounts that are no longer being used! Will we be given a refund for all of the additional Atlassian Access fees we've paid?

            Scott Windus added a comment - - edited As the Org/Site Admin of my account, it's honestly hard to comprehend that I do not have the ability to block staff in our domain from adding products. We subscribe to Atlassian Access as well, and given the substantial cost of that, it is seriously lacking in functionality and control. Very disappointing that this ticket has been running for 3 years, regardless of the necessity of it. Please Atlassian, stop working on new bells and whistles until you can make the core system do the basics. Not having this basic level of control, on an expensive cloud app is like leaving the door to your apartment open, trusting the other building residents won't let themselves in. You wouldn't do it at home, don't force your subscribing org admins to do it with our accounts. If you can't practice zero trust.... you are completely out of touch with modern workplace technology and information security and that is just not acceptable. I'm sorry if this sounds harsh, but come on... seriously. Security and administrative control by those of us paying for these tenancies has to take higher priority.

            Tony Chen added a comment - Adminssss, where are you? were you sleeping on these product features? It's like you have a nice house, nice car, want to show everybody, and brag about it, but you lost the fking key to the house! It's embarrassing. 

            David Baverstock added a comment - This issue being left unresolved for so long is costing Atlassian Access users money that shouldn't need to be spent, wasted on the fact we don't have the control we need over our own verified domains.

            Karl Herger added a comment - This has thrown a massive spanner in the works for my organisation's migration from JSM Server to Cloud. I no longer am confident the migration can proceed with this issue outstanding. According to Atlassian's documentation, a user is not considered billable if: "They have a Jira Service Management portal customer account (portal customers who have an Atlassian account are covered by Atlassian Access features, but only agents count as unique billable users)." However, if any of my 2,500+ customers (in addition to people who have long left the company) have at any point over the past 4 years decided to sign up for a free Trello account they are inexplicably regarded as billable. This is not clearly articulated in Atlassian's documentation - documentation which me and it would appear, countless others have relied on to inform their migration efforts and budgets. Needless to say I was shocked to see hundreds of inactive Trello accounts across my domain regarded as billable users on Atlassian Access with no ability to unlink Trello or manage the accounts without killing access to all Atlassian products (thereby removing customer portal access!) How is it possible that a product claiming to provide 'enhanced governance' and 'enterprise-grade access management' can allow any staff member to just create a free Trello account at any time and subsequently result in us getting charged without our knowledge? Consumers have the right to expect certain things when they purchase a product or service. In Australia these rights are protected under consumer law. It is evident in this ticket that Atlassian's marketing around Access does appear to be incongruent with what is actually being provided in the product. It feels misleading. Please provide an update on what is happening with this issue.

            CJ Edwards added a comment - Is this on a roadmap we can see anywhere? this is a huge problem still  

            jbruijntjes added a comment - Bump

            Bump

            rebecca.percell added a comment - Please prioritize this item!  It is very important that our Org Admins be able to control managed users' associated sites and products.

            attila.balazs added a comment - Bump

            John Tran added a comment - Bump.

            Tyler Stephens added a comment - This is a serious headache for our organization, we as Org Admins should at least have the ability to delete these...

            Ravi Radhakrishnan added a comment - While this is in progress, is there a way to discount users who are added to product sites that are not under our control from Atlassian access charges?

            David T Jones added a comment - plz fix k thx bai 

            Dibyandu Roy added a comment - We need, please provide it.

            Remco Haarlemmer added a comment - Bump!!

            Jeff Gunawan added a comment - Bump this as a priority, please.

            Carlos Henrique Gremmelmaier added a comment - Same here. We are paying for that...

            Richard Prigorodon added a comment - Big problem for us as well, becoming a nightmare.

            Greg Roche added a comment - This is desperately needed. My organization's users create Jira and Confluence instances without even realizing it. It's a nightmare to get control.  

            Jared Pittman added a comment - Adding this summarized response here in addition to feedback provided on CA-2265367. Note that some of this has been altered to be more generalized, more specific details on how this is impacting our organization can be found in the private ticket. ...There’s currently a huge gap between what seems like an overstepping sales practice vs. maintaining Enterprise security & governance controls. Some of the comments here call these problems out, although the compliance & controls issues seem to be mixed in with other customers who are frustrated about Trello licensing. Want to make sure that IT controls & compliance concerns are not lost on whoever is working on this issue, which is that users of a corporate-owned domain (@contoso.com for example) are allowed to completely bypass controls & governance in order to spin up new environments within Atlassian on their own in a matter of seconds. This process completely bypasses HIPAA protections and MFA/SSO controls put in place for the corporate-owned domain and happens in a way that administrators who own that domain have zero ability to take control of new sites as they are spun up. The fact that Atlassian acknowledges this in the following article honestly just adds insult to injury: https://support.atlassian.com/organization-administration/docs/what-is-the-impact-of-shadow-it-on-my-organization/ Atlassian’s sales and product teams have created this provisioning problem, acknowledge its existence, and provide no solution. They are obviously aware of what they are doing, and instead of offering a safe alternative for their Enterprise-grade customers, they instead have continued to acknowledge and promote “shadow IT” provisioning by treating corporate-owned domain email addresses as potential new customers instead of as governed identities...

            Alessandro Rosmo added a comment - This has been picked up, but has any progress been made?

            Jeremy Poulter added a comment - Many of our Trello accounts are inactive or for people that have left the company with disabled accounts, so are being billed for Access. Like others, we need a way to control this so we are only paying for services we are using. We can't depend on users managing this.

            Jesslin Chen added a comment - We really need a way to remove Trello users, or minimally to be able to stop them from signing up and consuming licences unnecessarily. If consuming an Atlassian licence is necessary for Trello users, we should have a way to block them from doing so in the first place, without affecting them having other product access to Atlassian (i.e. Portal Customer). We are planning to put all users on internal accounts and essentially become a managed account; however, by doing so we actually lose control of Trello (i.e. a user signing up gets an Atlassian licence consumed immediately). This is not an effective way to manage billing.

            Justin Krynicki added a comment - Yes, please provide an update on this. These additional admin privileges are a necessity. 

            Tomislav Tobijas added a comment -

            Not sure if this would help, but we've found a 'way' for users to remove themselves from Trello products (from being Access billable users in case they only have access to Trello).

            Here's the guide: Navigate users to remove themselves from Trello (Atlassian Access billing 'issue')

            Roberto Martignano added a comment - - edited

            @Hugh Jinhyun Kim you're correct that the only option is to deactivate the user, but you can keep the SSO.

            You have to change the mail address associated with the Trello user, deactivate the user, and create a brand new user (with the same mail) via User Provisioning.

            The workaround I used on similar occasions is:

            • Contact Atlassian so that they can break the SCIM link for the user using Trello (for ex. peter.parker@acme.com)
            • Once the SCIM link is broken, you can now change the mail address of the user (for ex. peter.parker_OLD@acme.com)
            • Deactivate the user
              • this will deactivate the user associated with Trello
            • On the next User Provisioning a brand new user will be created for peter.parker@acme.com
              • assign Jira/Confluence licenses
              • enable SSO

            This is helpful for brand new Cloud instances, so that you won't have data associated with users.

            Otherwise you should migrate data too (for ex. where the user is Assignee, Reporter, etc.)

             

            This is far from being easy and smooth, I still can't understand how Atlassian is not aware of this (probably they are).


            Hugh Jinhyun Kim added a comment -

            We have users who used the Trello free version long before 2021, and admins can't even remove their product on Atlassian Access. It just eats up the bill and does nothing. Users don't even know if they used Trello. And the only option is to deactivate. To deactivate I have to remove them from SSO, which defeats the purpose of having Atlassian Access.

            Please have administrators be able to control products of managed users.

            Adam England added a comment -

            My friends at Atlassian, just adding to the pile again.

            We can't have our users ingest licenses for Atlassian access because they want to trial Trello. We love the fact that our users have our service portal available on SSO free of any charge, this is incredible and an awesome user experience.

            The issue is that they have a lovely trial experience using Trello on a whim, then a grumpy administrator (me in this case) has to pull them out of Single Sign On so they have yet another password to remember. They can't even get rid of Trello without me deleting their Atlassian account and re-syncing them with our IDP - what the hell.

            The other alternative is to pivot on your Atlassian Access pricing models, and I don't want to insinuate this but it makes me feel like you are getting your bang for the buck for organizations who blindly agree to thousands of access licenses so they don't have to feed and water this problem. Globally everywhere is looking at costs and I'm sorry to say this, it's not going to be palatable anymore so please don't just pin a comment from October thinking this will satisfy us that you've got this on your radar.

            Coming from a place of care, every large SaaS provider worth their salt allows checks and balances on this stuff... you're going to get left behind. Not to mention the glaringly obvious management and data black holes this causes with regulatory groups.

            Krista added a comment -

            @Griffin Jones

            Can we at least get some kind of ETA or time frame? This is ridiculous, we haven't heard a peep out of Atlassian since October about this issue. 5 months ago!!
            People comment on this ticket almost daily with their frustrations and yet - nothing.
            This ticket has been open for over three years. That isn't even close to how old some of the tickets I've seen are, which is a very scary thought. How long till this is fixed? 4 years? 5? ....10? 


              gjones@atlassian.com Griffin Jones
              rbecker Rodrigo B.
              Votes: 1611
              Watchers: 1047
