Crowd Azure AD Group Filtering adds non-filtered groups after a successful user login


    • 5
    • Severity 3 - Minor

      Steps to Replicate

      1. Configure Crowd with Azure Active Directory.
      2. Choose specific groups from Azure AD and add them to Crowd's Group Filtering.
      3. Synchronise the directory.
      4. Add the Crowd directory to any Atlassian application (tested with Confluence).
      5. Allow only a specific group to authenticate to the application.
      6. Synchronise the directory.
      7. Have one of the users from the Crowd (Azure AD) directory log in to Confluence.

      Expected Behaviour

      Only the Azure AD groups that are part of the Group Filtering are added to Confluence and Crowd.

      Actual Behaviour

      If the user belongs to any other group in Azure AD (one that is not part of the groups in Group Filtering), that additional group is added to Confluence and Crowd after the user logs in to Confluence (or any Crowd-integrated application).

      List of Groups in Azure AD

      Synchronising the Azure AD directory in Crowd removes the extra groups, but only temporarily, until the next user login adds them again.

      Workaround

      To mitigate the issue, admins can disable membership synchronisation during user login, so that groups are no longer added at login time. Here are the steps to apply the workaround:

      1. Look up the directory ID of the Azure AD directory:
      select id from cwd_directory where directory_name = 'here put directory name';

      Please note that the directory name is case sensitive. This query returns the ID you need in the next step.

      2. Disable membership synchronisation during user login:

      insert into cwd_directory_attribute (directory_id, attribute_name, attribute_value) values (here_put_dir_id, 'crowd.sync.group.membership.after.successful.user.auth.enabled', 'false');

      Where here_put_dir_id is the directory ID from step 1. The attribute value is stored as text, so 'false' is quoted.

      The workaround does not require a Crowd restart.
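      The two workaround steps can also be applied in a single statement that resolves the directory ID itself, guards against inserting the attribute twice, and then verifies the result. This is an added example, not part of the Atlassian issue; it assumes PostgreSQL, the column names directory_id, attribute_name and attribute_value on cwd_directory_attribute, and uses 'Azure AD' as a placeholder for your (case-sensitive) directory name.

```sql
-- Added example (not from the Atlassian issue). Assumes PostgreSQL and the
-- cwd_directory_attribute columns directory_id / attribute_name / attribute_value.
-- 'Azure AD' is a placeholder: replace it with the exact, case-sensitive directory name.

-- Steps 1 and 2 combined: resolve the directory id and insert the attribute,
-- but only if it is not already present for that directory (safe to re-run).
INSERT INTO cwd_directory_attribute (directory_id, attribute_name, attribute_value)
SELECT d.id,
       'crowd.sync.group.membership.after.successful.user.auth.enabled',
       'false'
FROM cwd_directory d
WHERE d.directory_name = 'Azure AD'
  AND NOT EXISTS (
        SELECT 1
        FROM cwd_directory_attribute a
        WHERE a.directory_id = d.id
          AND a.attribute_name = 'crowd.sync.group.membership.after.successful.user.auth.enabled'
  );

-- Verification: expect exactly one row with attribute_value = 'false'.
-- Zero rows means the directory name did not match (check its case) and nothing was inserted.
SELECT d.directory_name, a.attribute_name, a.attribute_value
FROM cwd_directory d
JOIN cwd_directory_attribute a ON a.directory_id = d.id
WHERE d.directory_name = 'Azure AD'
  AND a.attribute_name = 'crowd.sync.group.membership.after.successful.user.auth.enabled';

-- Revert: remove the attribute again to re-enable login-time membership sync.
DELETE FROM cwd_directory_attribute
WHERE attribute_name = 'crowd.sync.group.membership.after.successful.user.auth.enabled'
  AND directory_id = (SELECT id FROM cwd_directory WHERE directory_name = 'Azure AD');
```

      Run the INSERT and the verification SELECT together: the INSERT affects zero rows when the directory name does not match exactly, and the SELECT makes that visible instead of leaving you to discover at the next login that the workaround never took effect.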

      Drawbacks of the workaround:

      • Memberships won't be synchronised during user login anymore. This means that when you add a user to a group in Azure AD, the change only reaches Crowd when the directory is synchronised, so synchronisation needs to be scheduled to run reasonably often.

        1. azureGroup.png (221 kB, attached by Dayana)
        2. crowdAzure.mp4 (9.05 MB, attached by Dayana)

            Assignee:
            Unassigned
            Reporter:
            Dayana (Inactive)
            Votes:
            6 Vote for this issue
            Watchers:
            13 Start watching this issue
