Atlassian Guard / ACCESS-2030

SCIM can't update an email address if the target domain is managed by two organisations and automatically claimed by the second organisation.

      Issue Summary

      SCIM can't update an email address if the target domain is managed by two organizations and automatically claimed by the second organization.

      Steps to Reproduce

      1. One domain is verified in two orgs with the parameters:

         Org A: Manual
         Org B: Automatic

         Action: Change the managed account email in the same domain only in Org A on the IdP side.
         Example: ABC@123.com → DEF@123.com

      2. Two domains are verified in two orgs, with parameters:

         Org 1:
           Domain 1: Manual
           Domain 2: Manual

         Org 2:
           Domain 1: Not verified
           Domain 2: Automatic

         Action: Change the managed account email in Org A on the IdP side, from domain 1 to domain 2.
         Example: ABC@123.com → ABC@456.com

      Expected Results

      The email address should be successfully changed and still present in Organization 1.

      That's how it works when we change the email address for managed accounts without SCIM under the same settings.

      Actual Results

      The email address remains unchanged for a managed account. The SCIM record is not linked to an Atlassian Account, but the email attribute has been updated within SCIM DB.

      MAS settings:

      Is Selectively Claimed: TRUE

      Should Claim Accounts By Default: FALSE

      Is User Accounts File Uploaded: FALSE

      SCIM verify results for the new email address:

      Result: UNCLAIMABLE

      Workaround

      Set email domain settings in the second organization to MANUAL
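
A pre-flight check for the condition this ticket describes, added here as an example (it is not Atlassian code and calls no Atlassian API): given a hand-collected inventory of each organization's domain claim settings, it lists planned IdP email changes whose target domain is set to Automatic in another organization. The inventory layout, the function names, and the mapping of Domain 1 / Domain 2 to 123.com / 456.com are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EmailChange:
    org: str        # organization whose IdP pushes the SCIM update
    old_email: str
    new_email: str

def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()

def auto_claiming_orgs(inventory: dict, change: EmailChange) -> list:
    """Other orgs where the target domain is verified with the Automatic setting."""
    target = domain_of(change.new_email)
    return sorted(
        org for org, domains in inventory.items()
        if org != change.org and domains.get(target, "").lower() == "automatic"
    )

def preflight(inventory: dict, changes: list) -> dict:
    """Map each at-risk new email to the orgs matching the ticket's condition."""
    report = {}
    for change in changes:
        blockers = auto_claiming_orgs(inventory, change)
        if blockers:
            report[change.new_email] = blockers
    return report

# Constructed inventories (hypothetical layout): org -> {verified domain: claim setting}.
# A domain missing from an org means it is not verified there.
SCENARIO_1 = {"Org A": {"123.com": "Manual"}, "Org B": {"123.com": "Automatic"}}
SCENARIO_2 = {
    "Org 1": {"123.com": "Manual", "456.com": "Manual"},
    "Org 2": {"456.com": "Automatic"},  # Domain 1 (123.com) not verified
}
# Scenario 2 after the ticket's workaround: second org switched to Manual.
WORKAROUND = {**SCENARIO_2, "Org 2": {"456.com": "Manual"}}

if __name__ == "__main__":
    print(preflight(SCENARIO_1, [EmailChange("Org A", "ABC@123.com", "DEF@123.com")]))
    print(preflight(SCENARIO_2, [EmailChange("Org 1", "ABC@123.com", "ABC@456.com")]))
    print(preflight(WORKAROUND, [EmailChange("Org 1", "ABC@123.com", "ABC@456.com")]))
```

Addresses it reports are the ones to compare against the Atlassian account after the next sync, since the ticket notes the SCIM record can show the new email while the managed account keeps the old one.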


            jhaloot made changes -
            Workflow Original: JAC Bug Workflow v3 [ 4493763 ] New: JAC Bug Workflow v4 [ 4567613 ]
            SET Analytics Bot made changes -
            Support reference count Original: 3 New: 2
            SET Analytics Bot made changes -
            Support reference count Original: 2 New: 3
            SET Analytics Bot made changes -
            Support reference count Original: 1 New: 2
            Krishna Turlapati Venkata made changes -
            Was this caused by a recent change? New: No [ 19032 ]
            Status Original: Needs Triage [ 10030 ] New: Long Term Backlog [ 12073 ]
            SET Analytics Bot made changes -
            Support reference count New: 1
            Cole Norman made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 963440 ]
            Cole Norman made changes -
            Security Original: Atlassian Staff [ 10750 ]
            Igor created issue -

              Unassigned
              igusev@atlassian.com Igor
              Affected customers: 0
              Watchers: 8