Portal-only customer can raise the site access request by using the direct URL (xxx.atlassian.net) of a site


    • Jira Service Management

      Problem Definition:

      In this scenario, approved domains are configured on the organization linked to a cloud site with Jira Service Management (JSM) enabled. The org admin has set up the approved domains setting to allow users on certain domains, or any domain, to request access with admin approval. Documentation: Approved domains

      When a portal-only customer is not logged in and tries to access the cloud site (XXXXX.atlassian.net) instead of the JSM portal URL (XXXXX.atlassian.net/servicedesk/customer/portals), they are redirected to log in using their Atlassian account. Once they log in, if the site's user access settings are set to require admin approval, the end user will be prompted to submit an access request.

      The access request submitted by the user will appear in the user access request section, where the admin can review and either approve or deny the request. This is the expected flow for an Atlassian account. However, the issue arises when the "customer" (end user) is not recognized as a portal-only account holder on that same site.

      If a portal-only customer is already logged in to the portal at XXXXX.atlassian.net/servicedesk/customer/portals and then navigates to XXXXX.atlassian.net, the end user is redirected back to the JSM portal. In this scenario, the cloud site can validate the end user's entitlement and redirect them back to the JSM portal.

      Suggested Solution: 
      The portal-only customer should be redirected to the Service Desk portal even when they access the root cloud site URL. This will help prevent users from submitting requests to the admin. Additionally, it would be helpful to add validation to the request products flow. For instance:

      • If a customer logs in using an Atlassian account successfully on XXXXX.atlassian.net, logic could be added to check the end user's Atlassian account email address against the list of registered portal-only accounts.
      • If there is a match, the end user should be redirected to the JSM portal with a message stating that they are a portal-only user and can only access the JSM portal.

      Why it is important:

      Portal-only customers are external users, and there are typically thousands of them. If they accidentally access the direct cloud site URL and log in with their Atlassian account, the admin could be inundated with thousands of access requests in the user access settings, which can be overwhelming to review daily.

      An end user might have an Atlassian account for other purposes (e.g., Trello) but use a portal-only account to access the JSM portal on a specific cloud site.

      Workarounds:

      • Migrate all portal-only customers to an Atlassian account by using this document: Migrate a portal-only customer to Atlassian account (The drawback is that if the customer has configured portal-only SAML, it will no longer function) OR
      • Set up a custom domain for the Jira Service Management portal, allowing portal-only customers to use the custom domain URL to redirect to the Jira Service Management URL, thereby preventing them from using the direct cloud URL by using the document: Set up the custom domain (This feature requires Jira Premium, Confluence Premium, or a Jira Service Management Standard plan) OR
      • Advise the users to only use the full Jira Service Management URL, e.g. XXXXX.atlassian.net/servicedesk/customer/portals
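
The validation proposed under "Suggested Solution", sketched as an added example; it is not code from the ticket or from Atlassian. The `Site` model, `route_after_login`, the action names and all sample hosts and addresses are assumptions made for illustration, and the site is assumed to require admin approval as in the scenario described.

```python
from dataclasses import dataclass, field

PORTAL_PATH = "/servicedesk/customer/portals"  # portal path quoted in the ticket


@dataclass
class Site:
    """Hypothetical model of one cloud site's identity state (not an Atlassian API)."""
    host: str
    licensed_users: set = field(default_factory=set)      # Atlassian accounts with site access
    portal_only_emails: set = field(default_factory=set)  # registered portal-only customers
    approved_domains: set = field(default_factory=set)    # "*" stands for "any domain"


def normalize(email: str) -> str:
    # Compare addresses case-insensitively and without stray whitespace,
    # so "Customer@Partner.example" still matches the portal-only record.
    return email.strip().casefold()


def route_after_login(site: Site, email: str) -> dict:
    """Decide where a user lands after Atlassian account login on the root site URL."""
    addr = normalize(email)
    if addr in {normalize(e) for e in site.licensed_users}:
        return {"action": "allow", "location": f"https://{site.host}/"}
    # Proposed validation: runs before the access-request prompt is offered,
    # so portal-only customers never reach the admin's approval queue.
    if addr in {normalize(e) for e in site.portal_only_emails}:
        return {"action": "redirect",
                "location": f"https://{site.host}{PORTAL_PATH}",
                "message": "You are a portal-only user and can only access the JSM portal."}
    domain = addr.rpartition("@")[2]
    if "*" in site.approved_domains or domain in site.approved_domains:
        return {"action": "request_access", "location": None}  # admin approval required
    return {"action": "deny", "location": None}


# Constructed sample data; the host and addresses are placeholders.
SITE = Site(host="example.atlassian.net",
            licensed_users={"agent@example.com"},
            portal_only_emails={"Customer@Partner.example"},
            approved_domains={"*"})

if __name__ == "__main__":
    for who in ("agent@example.com", "customer@partner.example", "new@other.example"):
        print(who, "->", route_after_login(SITE, who)["action"])
```
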

            [ID-8882] Portal-only customer can raise the site access request by using the direct URL (xxx.atlassian.net) of a site


              Unassigned
              Himayun J