Problem

When attempting to unclaim a managed account, the error "Account can only be unclaimed by identity provider" is generated if the user is provisioned.

Admins must currently deprovision a user first, and then they can unclaim them.

Suggested solution

Unclaiming should automatically deprovision a user.

Why this is important

Many identity providers don't support an easy way to deprovision a user (e.g. they don't call Atlassian's "Deactivate A User" API endpoint without deleting the identity provider profile, or just outright don't ever call that API endpoint). This results in admins having to resort to less-than-ideal methods for deprovisioning a user (detailed below) that are time consuming.

Workaround

The provisioning link needs to be removed to allow the account to be un-claimed. Note that unsyncing a user always causes them to lose all synced groups.

1. Break the provisioning link for the de-provisioned account using any of the options below. 
   1. Manually call the Delete user in SCIM DB API endpoint.
   2. Manually call Atlassian's user provisioning "Deactivate a User" API to delete the SCIM user record and unlink the account. Please see this KB article on how to identify the SCIM record for an account.
   3. In many identity providers, deleting the identity provider account while the account is assigned to the Atlassian Cloud App will cause the user to be delinked.
   4. Ask Atlassian support to delete the SCIM user record and unlink the account.
2. Reactivate the un-linked Atlassian Account via Managed Accounts administration.
3. Un-claim the account via the Domain administration.