[ACCESS-1478] Domain unclaim should work with provisioned/synced accounts

Type: Suggestion
Resolution: Unresolved
Component/s: Domain Claim - Maintenance
Labels:
None

Support reference count:
73
Feedback Policy:

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

Problem

When attempting to unclaim a managed account, the error "Account can only be unclaimed by identity provider" is generated if the user is provisioned.

Admins must currently deprovision a user first, and then they can unclaim them.

Why this is important

Many identity providers don't support an easy way to deprovision a user (e.g. they don't call Atlassian's "Deactivate A User" API endpoint without deleting the identity provider profile, or just outright don't ever call that API endpoint). This results in admins having to resort to less-than-ideal methods for deprovisioning a user (detailed below) that are time consuming.

Workaround

The provisioning link needs to be removed to allow the account to be un-claimed. Note that unsyncing a user always causes them to lose all synced groups.

Break the provisioning link for the de-provisioned account using any of the options below.
1. Manually call the Delete user in SCIM DB API endpoint.
2. Manually call Atlassian's user provisioning "Deactivate a User" API to delete the SCIM user record and unlink the account. Please see this KB article on how to identify the SCIM record for an account.
3. In many identity providers, deleting the identity provider account while the account is assigned to the Atlassian Cloud App will cause the user to be delinked.
4. Ask Atlassian support to delete the SCIM user record and unlink the account.
Reactivate the un-linked Atlassian Account via Managed Accounts administration.
Un-claim the account via the Domain administration.

is related to

ACCESS-1564 Provisioning a user should respect domain claim settings

Gathering Interest

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(7 mentioned in)

SET Analytics Bot made changes - 4 hours ago

Support reference count

Original: 72

New: 73

SET Analytics Bot made changes - Yesterday

Support reference count

Original: 71

New: 72

Kat N made changes - 2 days ago

Remote Link

New: This issue links to "Page (Confluence)" [ 1015799 ]

SET Analytics Bot made changes - 02/May/2025 4:00 AM

Support reference count

Original: 70

New: 71

SET Analytics Bot made changes - 11/Apr/2025 4:00 AM

Support reference count

Original: 69

New: 70

SET Analytics Bot made changes - 05/Apr/2025 4:00 AM

Support reference count

Original: 68

New: 69

SET Analytics Bot made changes - 03/Apr/2025 11:41 PM

Support reference count

Original: 67

New: 68

Tyler B [Atlassian] made changes - 02/Apr/2025 4:11 PM

Description

Original: h3. Problem

When attempting to [unclaim a managed account|https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/#Unclaim-accounts], the error "Account can only be unclaimed by identity provider" is generated if the user is provisioned.

Admins must currently deprovision a user first, and then they can unclaim them.
h3. Suggested solution

Unclaiming should automatically deprovision a user.
h3. Why this is important

Many identity providers don't support an easy way to deprovision a user (e.g. they don't call [Atlassian's "Deactivate A User" API endpoint|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-users/#api-scim-directory-directoryid-users-userid-delete] without deleting the identity provider profile, or just outright don't ever call that API endpoint). This results in admins having to resort to less-than-ideal methods for deprovisioning a user (detailed below) that are time consuming.
h3. Workaround

The provisioning link needs to be removed to allow the account to be un-claimed.

# Break the provisioning link for the de-provisioned account using any of the options below.
## Manually call the [Delete user in SCIM DB API endpoint|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-admin-apis/#api-group-admin-apis].
## Manually call [Atlassian's user provisioning "Deactivate a User" API|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-users/#api-scim-directory-directoryid-users-userid-delete] to delete the SCIM user record and unlink the account. Please see this [KB article|https://confluence.atlassian.com/cloudkb/how-to-filter-users-in-provisioning-scim-using-rest-api-1108090980.html] on how to identify the SCIM record for an account.
## In many identity providers, deleting the identity provider account while the account is assigned to the Atlassian Cloud App will cause the user to be delinked.
## Ask Atlassian support to delete the SCIM user record and unlink the account.
# Reactivate the un-linked Atlassian Account via Managed Accounts administration.
# Un-claim the account via the Domain administration.

New: h3. Problem

When attempting to [unclaim a managed account|https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/#Unclaim-accounts], the error "Account can only be unclaimed by identity provider" is generated if the user is provisioned.

Admins must currently deprovision a user first, and then they can unclaim them.
h3. Suggested solution

Unclaiming should automatically deprovision a user.
h3. Why this is important

Many identity providers don't support an easy way to deprovision a user (e.g. they don't call [Atlassian's "Deactivate A User" API endpoint|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-users/#api-scim-directory-directoryid-users-userid-delete] without deleting the identity provider profile, or just outright don't ever call that API endpoint). This results in admins having to resort to less-than-ideal methods for deprovisioning a user (detailed below) that are time consuming.
h3. Workaround

The provisioning link needs to be removed to allow the account to be un-claimed. Note that unsyncing a user always causes them to lose all synced groups.

# Break the provisioning link for the de-provisioned account using any of the options below.
## Manually call the [Delete user in SCIM DB API endpoint|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-admin-apis/#api-group-admin-apis].
## Manually call [Atlassian's user provisioning "Deactivate a User" API|https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-users/#api-scim-directory-directoryid-users-userid-delete] to delete the SCIM user record and unlink the account. Please see this [KB article|https://confluence.atlassian.com/cloudkb/how-to-filter-users-in-provisioning-scim-using-rest-api-1108090980.html] on how to identify the SCIM record for an account.
## In many identity providers, deleting the identity provider account while the account is assigned to the Atlassian Cloud App will cause the user to be delinked.
## Ask Atlassian support to delete the SCIM user record and unlink the account.
# Reactivate the un-linked Atlassian Account via Managed Accounts administration.
# Un-claim the account via the Domain administration.

Tyler B [Atlassian] made changes - 02/Apr/2025 4:11 PM

Summary

Original: Domain unclaim should work with provisioned accounts

New: Domain unclaim should work with provisioned/synced accounts

SET Analytics Bot made changes - 29/Mar/2025 4:00 AM

Support reference count

Original: 66

New: 67

Assignee:: Aneita

Reporter:: Tyler B [Atlassian]

Votes:: 34 Vote for this issue

Watchers:: 38 Start watching this issue

Created:: 03/Mar/2023 3:37 AM

Updated:: 4 hours ago

Details

Description

Problem

Suggested solution

Why this is important

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates