
Allow for org and site admin permissions to be assigned via groups (local or provisioned)

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      With the user provisioning feature in Atlassian Access you can use groups to provide product access, application administration and application permissions. However it is currently not possible to assign the org admin role or the site admin role via groups (local or provisioned).


            Leo Chung added a comment -

            This enhancement is critical. Need this feature to remove manual task for Enterprise solution, up voted


            Aswin R added a comment -

            There is a need to manage Org admins and Site Admins through Active Directory (AD) groups. Currently, an Org admin has the ability to promote any user to Org admin or Site Admin, which poses a security risk. This is because each organisation member may follow different processes for adding or removing organisation permissions. Additionally, this flexibility can lead to various issues during audits at the enterprise level.


            Managing users through Active Directory (AD) groups addresses two key issues.


            1. You no longer need to manually add permissions for each individual user. Once a user is added to the AD group, they automatically inherit all the associated permissions, simplifying the process.
            2. Every enterprise has an approved process for adding members to an AD group, often using tools like ServiceNow or Jira. By leveraging this established process, the operational overhead for Atlassian Administrators is significantly reduced.


Carl Dittloff added a comment -

We push all users including admins with special admin accounts to SCIM/SSO. Entra ID allows us to do automated periodic review of groups and memberships. Being unable to assign site and org admin roles to SCIM groups means we have to manually manage and review access to those, which are the most important privileges in the org.

Kieren _SmolSoftware_ added a comment -

If it's helpful to anyone in this thread, we've released an app to fix this issue. The Admin Automation app allows you to sync users from any group into any other group, e.g.

            1. You can sync an IdP group, IdP-Admins, into the site-admins or org-admins group.
            2. You can sync an IdP group into any of the Atlassian default product groups.
            3. You can sync users from the jira-users group into the confluence-users group, ensuring that Jira users always have access to Confluence as well.
            4. You can remove any user from jira-users or confluence-users, if they're not in your special 'All users' group. This is a simple and quick way to ensure new users can't get access/invited to any products without being in your 'key' group.

            Hopefully it can help some of the people on this thread!

            -Kieren
            Co-Founder @ Smol Software | Ex-Atlassian


Isaac Greenberg added a comment -

Surprising you can use groups to control so many lower-level items, but the "keys to the kingdom" are not protected in this way! If a hardcoded org admin added others, we have no way of tracking or knowing that until it's too late.
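As an added example (not Atlassian's code and not the Admin Automation app's), the following dry-run models the two rules described in the thread, syncing an IdP group into org-admins/site-admins and removing jira-users members who are outside a key group, together with the audit check the comments above ask for: which accounts hold the admin role without being in the IdP-governed group. Group names and accounts are constructed, groups named `*-admins` are treated as admin groups by assumption, and a guard refuses any plan that would empty an admin group, the lockout case an empty or broken IdP feed would otherwise cause.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:
    group: str
    add: frozenset
    remove: frozenset

def sync(source: set, target: set) -> tuple:
    """'sync' rule: make target equal to the authoritative IdP source group."""
    return source - target, target - source

def gate(key: set, target: set) -> tuple:
    """'gate' rule: never add; drop members of target that are not in the key group."""
    return set(), target - key

def plan(idp: dict, atl: dict, rules: list, min_admins: int = 1) -> dict:
    """Build {atl_group: Change} from rules ("sync"|"gate", idp_group, atl_group).
    Unknown groups count as empty. Groups named *-admins are assumed to be admin
    groups; a plan that would leave one below min_admins is refused (lockout guard)."""
    out = {}
    for kind, src, dst in rules:
        s, t = idp.get(src, set()), atl.get(dst, set())
        add, rem = sync(s, t) if kind == "sync" else gate(s, t)
        if dst.endswith("-admins") and len((t - rem) | add) < min_admins:
            raise RuntimeError(f"refusing to empty {dst}: IdP source {src!r} looks broken")
        out[dst] = Change(dst, frozenset(add), frozenset(rem))
    return out

def admin_drift(idp_admins: set, role_holders: set) -> frozenset:
    """Audit finding: accounts holding org/site admin outside the IdP-governed group."""
    return frozenset(role_holders - idp_admins)

# Constructed sample data (hypothetical accounts), not pulled from any real tenant.
IDP = {
    "IdP-Admins": {"alice@example.com", "bob@example.com"},
    "All-Users": {"alice@example.com", "bob@example.com", "carol@example.com"},
}
ATL = {
    "org-admins": {"alice@example.com", "mallory@example.com"},
    "jira-users": {"alice@example.com", "carol@example.com", "dave@example.com"},
}
RULES = [("sync", "IdP-Admins", "org-admins"),
         ("sync", "IdP-Admins", "site-admins"),
         ("gate", "All-Users", "jira-users")]

if __name__ == "__main__":
    for grp, ch in plan(IDP, ATL, RULES).items():
        print(f"{grp}: +{sorted(ch.add)} -{sorted(ch.remove)}")
    print("drift:", sorted(admin_drift(IDP["IdP-Admins"], ATL["org-admins"])))
```

Run the drift check on a schedule against the current org-admin list; a non-empty result is exactly the "hardcoded org admin added others" case that is otherwise invisible until too late.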

Dibyandu Roy added a comment -

This is a critical infosec ask, where privileged access is to be governed by an IdP system's group.

Vivek Balasubramanian added a comment - edited

I upvote the need for groups that are SCIM provisioning enabled for Org Admins. This will remove the security loophole of a disgruntled org admin modifying the security policies prior to his/her departure.

            Thanks Pablo Bastos for raising this.


Votes: 54
Watchers: 41
