When you assign a group to the Atlassian Cloud application in Entra ID, the assignment should cascade to users in nested groups as well as users directly in the group


      Issue Summary

      The Atlassian Cloud enterprise application in Entra ID can have groups that contain nested groups assigned to it, but the users in those nested groups are ignored and treated as not assigned to the Atlassian Cloud application. As a result, users who belong only to a nested group of an assigned group cannot log in with SAML SSO and see the error below when logging in.

      Error:

      Steps to Reproduce

      1. As an admin user in the Entra ID portal, navigate to Microsoft Entra ID > Enterprise applications > Search for Atlassian Cloud application > Select Atlassian Cloud application.
      2. Click Users & groups under Manage in the left panel.
      3. Click Add user/group at the top.
      4. Click None Selected under User and groups.
      5. Search for any group that has nested groups as members.
      6. Select the group and click the Assign button at the bottom.
      7. A user who is part of a nested group (and is not a direct member of the group assigned to the Atlassian Cloud application in Entra ID) will not be able to log in using SAML SSO, even though SAML SSO is enforced for the user in Atlassian through an authentication policy.

      Expected Results

      When you assign a group to the Atlassian Cloud application in Entra ID, the assignment should cascade to users in nested groups as well as users directly in the group.

      Actual Results

      The Atlassian Cloud enterprise application in Entra ID can have groups that contain nested groups assigned to it, but the users in those nested groups are ignored and treated as not assigned; only users directly in the group have access to the Atlassian Cloud application.

      Workaround

      1. As an admin user in the Entra ID portal, navigate to Microsoft Entra ID > Enterprise applications > Search for Atlassian Cloud application > Select Atlassian Cloud application.
      2. Select Properties under Manage in the left panel.
      3. Set Assignment required? to No.

      OR

      1. Add all the required users to the group (make them direct members of the group) in Entra ID and assign the Atlassian Cloud enterprise application to the security group.
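
To apply the second workaround you need the list of users who reach the assigned group only through nesting. The sketch below is an added example, not part of the original issue or Atlassian's or Microsoft's code; the group names, users and the `SAMPLE_MEMBERS` export format are constructed assumptions.

```python
from collections import deque

# Constructed sample data (not from the issue): group -> direct members,
# each member tagged as "user" or "group", as a membership export might look.
SAMPLE_MEMBERS = {
    "atlassian-users": [("user", "alice@example.com"), ("group", "engineering")],
    "engineering": [("user", "bob@example.com"), ("group", "platform")],
    "platform": [("user", "carol@example.com"), ("user", "alice@example.com"),
                 ("group", "engineering")],  # cycle back to the parent group
}


def direct_users(group, members):
    """Users who are direct members of `group`: the only ones the assignment covers."""
    return {m for kind, m in members.get(group, []) if kind == "user"}


def transitive_users(group, members):
    """All users reachable through nested groups, tolerating membership cycles."""
    seen, users, queue = {group}, set(), deque([group])
    while queue:
        for kind, member in members.get(queue.popleft(), []):
            if kind == "user":
                users.add(member)
            elif member not in seen:  # visit each nested group once
                seen.add(member)
                queue.append(member)
    return users


def blocked_by_nesting(assigned_group, members):
    """Users the admin expects to have access but who are treated as not assigned."""
    return sorted(transitive_users(assigned_group, members)
                  - direct_users(assigned_group, members))


if __name__ == "__main__":
    for user in blocked_by_nesting("atlassian-users", SAMPLE_MEMBERS):
        print(f"add as direct member: {user}")
```

Adding the listed users as direct members keeps Assignment required? set to Yes, so access stays limited to assigned users. Setting it to No, as in the first workaround, lets any user in the tenant sign in to the application.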


            Assignee: Unassigned
            Reporter: Kodakandla Vijay Kumar
            Votes: 13
            Watchers: 7
