Uploaded image for project: 'Atlassian Access'
  1. Atlassian Access
  2. ACCESS-617

Unverified email addresses does not appear under Managed Accounts

    XMLWordPrintable

Details

    Description

      Atlassian Status Update - 23 March 2021  

      Hi everyone, 

      The feature has now been fully rolled out. Our public-facing documentation has been updated to reflect these changes.

      Also, note that we have kicked off scoping for a fast-follow functionality that would allow admins to delete accounts that have not yet been verified.  

      Best regards,

      Ilya Bagrak
      Principal Product Manager, Enterprise Cloud
      ibagrak (at) atlassian.com

      Atlassian Status Update - 24 February 2021  

      Hi everyone, 

      I am very excited to share that over the next few days we will begin to roll out a set of features to address this issue. The changes will allow admins to: 

      • see accounts with unverified emails on the Managed Accounts page
      • filter for unverified accounts on the Managed Accounts page
      • resend the verification email to any account that has not yet verified their email address. 

      Our public-facing documentation has been updated to reflect these changes ahead of the rollout. 

      Best regards,

      Ilya Bagrak
      Principal Product Manager, Enterprise Cloud
      ibagrak (at) atlassian.com

       

      Issue Summary

      When a new email address is known to Atlassian either via account creation or email change, the email address needs to be verified so that our system will know that there is a valid mailbox for the email address. If the email address is not verified, the account will not be activated and will cause the following problems.

      • Email change will not proceed.
      • User cannot login using the unverified email address.

      For managed accounts, only verified accounts will be listed. Org admins will not be able to identify that the account is unverified when their end user complains that they cannot login to Atlassian. Org admins may also consider the unverified email address as free to use for email address change when it's not.

      Steps to Reproduce

      1. Set up an AA organization and claim a domain
      2. Invite a new domain user to any Cloud site
      3. Skip the verification email for the new domain user
      4. Go to Managed Accounts in admin.atlassian.com

      Invitation pending user is not manageable via REST API as well:

      API_TOKEN="__YOUR_ORG_TOKEN__"
      AAID="5e376c2d14836c0cc108afcd"
      curl --request GET \
        --user "${USER}:${API_TOKEN}" \
        --url "https://api.atlassian.com/users/${AAID}/manage" \
        --header "Authorization: Bearer ${API_TOKEN}" \
        --header "Content-Type: application/json"
      
      {
        "key": "forbidden",
        "context": "Error: Caller must be an org admin of targeted account or be the targeted account",
        "errorKey": "forbidden",
        "errorDetail": "Error: Caller must be an org admin of targeted account or be the targeted account"
      }
      

      Expected Results

      The unverified domain account should be listed as "unverified". The admin should then have the option to send a new verification email or a password reset email.

      Actual Results

      The unverified domain accounts are unknown to the Org admins.

      Notes

      A password reset email can be used to initiate a verification in case the user missed the original verification email.

      Workaround

      If a domain account is existing in Atlassian Cloud but is not listed under the org's Managed Accounts, please contact Atlassian Support to check the status of the account.

      To allow an unverified email address to appear under Managed Accounts

      • Launch an incognito browser in Chrome and access https://id.atlassian.com/login/resetpassword
      • Send a password reset email to the domain email address
      • Request the user to access password reset email in the domain mail inbox. Set a password
      • The password reset will activate the account and it should start appearing under Managed Accounts

      For Customers using SAML SSO, password resets cannot be sent/used as authentication is enforced through the Identity Provider

      • Use the Export accounts functionality to get the user Atlassian account id
      • With this ID, navigate to your Organization's Managed Accounts, Show the Details of a Managed Account, and replace the Atlassian account ID with the one gathered from above
      • Change the Email Address of the Unverified Account and revert the change and it'll appears in Managed Accounts

      KB Unable to change user email with error saying it is already taken, but the other account is not visible in the organization 

      Attachments

        Issue Links

          Activity

            People

              06020cdda746 Sangeeta Joglekar
              rmacalinao Ramon Macalinao
              Votes:
              24 Vote for this issue
              Watchers:
              63 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: