Currently, Atlassian organizations utilizing Atlassian Guard and Domain Verification can prevent "Shadow IT" by showing a "Login to existing site" popup when managed users try to sign up for new products.

However, internal testing has revealed a significant gap: this protection only triggers for users who already hold a licensed "User" or "Agent" role in a product.

The Problem:
Managed users who are assigned only the JSM Customer role (or other specialty roles like Stakeholder or Access Admin) are treated as external users by the discovery/signup flow. When these users visit home.atlassian.com/apps or direct signup URLs, they do not see the "Login to existing site" popup. Instead, they are routed to the "Try it now" flow, allowing them to create new, unmanaged instances using their managed corporate identity.

Why this is important:
Large enterprise customers (some with 60,000+ JSM-only users) rely on Atlassian Guard for centralized governance. If a managed user is recognized as part of the organization for SSO/SCIM purposes, they should also be recognized by the product creation controls to ensure they are directed to existing corporate sites rather than creating new ones.

Requested Change:
Modify the "Join Existing Product" logic to recognize the Managed Account status regardless of the specific product roles assigned. If an account is managed, it should always be prompted to join existing instances before being allowed to create a new one.