One of my clients implemented JSM/Jira/Confluence Cloud last year, including EntraID/AD integration with Guard/Access last spring. We determined this past January that a number of problems they were having were related to this issue: Users were able to SSO login using their Microsoft accounts for months while Groups were not syncing between Entra and Guard, causing automatic provisioning and role-based authorization to be incorrect. This is a bizarre failure state for a paid product that integrates with one's IdP: AuthN works, AuthZ silently doesn't.
This could be resolved either by (ideally) eliminating the need for that OAuth step as part of SAML integration (most systems, including Atlassian Crowd IIRC, use one or the other – not both) or minimally, when that big pink box appears on the Identity Provider screen in Guard to indicate it hasn't synced, it should send an email notification to the Org Administrators - every time the sync fails.
Related: [PCS-370005]
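The failure state the post describes (authentication succeeds, group sync stalls, authorization is computed from stale or empty memberships) is detectable from the outside by comparing what the IdP asserts with what the application actually holds. The following is an added example, not code from the original post, from Atlassian, or from Microsoft: all group memberships and login records are constructed inline, and the names `IDP_GROUPS`, `APP_GROUPS`, `LOGINS`, `group_drift` and `silent_authz_failures` are this example's own. In practice the IdP side would be pulled from Microsoft Graph and the application side from the Atlassian group APIs; both fetches are assumed here rather than performed.

```python
"""Detect 'AuthN works, AuthZ silently doesn't' by diffing IdP groups against
application groups and flagging accounts that signed in while their
application groups were wrong.

Added example with constructed data; not Atlassian or Microsoft code.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: memberships as the IdP (Entra ID) currently asserts them.
IDP_GROUPS = {
    "jira-software-users": {"alice@example.com", "bob@example.com", "carol@example.com"},
    "jsm-agents": {"bob@example.com"},
    "confluence-admins": {"carol@example.com"},
}

# Constructed sample: memberships the application still holds after the sync stalled.
# carol was added in the IdP and never propagated; dave was removed in the IdP but
# a stale membership remains, so stale sync can grant access as well as withhold it.
APP_GROUPS = {
    "jira-software-users": {"alice@example.com", "bob@example.com", "dave@example.com"},
    "jsm-agents": {"bob@example.com"},
    "confluence-admins": set(),
}

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed sample: recent SSO logins (user, timestamp) from the application's audit log.
LOGINS = [
    ("alice@example.com", NOW - timedelta(hours=2)),
    ("carol@example.com", NOW - timedelta(days=1)),
    ("dave@example.com", NOW - timedelta(days=3)),
    ("erin@example.com", NOW - timedelta(days=40)),  # outside the review window
]


def invert(groups):
    """Turn {group: {users}} into {user: {groups}}."""
    by_user = {}
    for group, members in groups.items():
        for member in members:
            by_user.setdefault(member, set()).add(group)
    return by_user


def group_drift(idp, app):
    """Per-group diff between IdP and application.

    Returns {group: (missing_in_app, extra_in_app)} for every group that differs.
    An empty result means the sync is current; anything else means the big pink
    box should have fired and nobody was told.
    """
    drift = {}
    for group in sorted(set(idp) | set(app)):
        want = idp.get(group, set())
        have = app.get(group, set())
        missing, extra = want - have, have - want
        if missing or extra:
            drift[group] = (frozenset(missing), frozenset(extra))
    return drift


def silent_authz_failures(idp, app, logins, now, window=timedelta(days=30)):
    """Accounts that signed in within `window` while their application groups
    disagreed with the IdP: authentication worked, authorization was wrong.

    Returns {user: {"expected": [...], "actual": [...]}}.
    """
    idp_by_user = invert(idp)
    app_by_user = invert(app)
    affected = {}
    for user, ts in logins:
        if now - ts > window:
            continue
        want = idp_by_user.get(user, set())
        have = app_by_user.get(user, set())
        if want != have:
            affected[user] = {"expected": sorted(want), "actual": sorted(have)}
    return affected


if __name__ == "__main__":
    for group, (missing, extra) in group_drift(IDP_GROUPS, APP_GROUPS).items():
        print(f"{group}: missing={sorted(missing)} extra={sorted(extra)}")
    for user, detail in silent_authz_failures(IDP_GROUPS, APP_GROUPS, LOGINS, NOW).items():
        print(f"{user}: expected={detail['expected']} actual={detail['actual']}")
```

Run on a schedule, a non-empty `group_drift` result is the alert the post asks the vendor for; `silent_authz_failures` is the blast-radius list to hand to the service desk once the sync is repaired, and it catches both directions of drift (users missing groups they should have, and users keeping groups the IdP has already revoked).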