{{tag>atlassian azure ad microsoft}}

====== Connect Microsoft Azure Active Directory with Atlassian Cloud ======

  - Get an Atlassian Access trial
  - Verify domain > Claim accounts
  - User provisioning > Create a directory
  - Log in to Azure, create a new directory, add test users
  - Add a custom domain name to AD and verify it
  - Follow https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial
  - Assign users/groups to the Atlassian Cloud app in Azure: Home > youraccount > Enterprise applications | All applications > Atlassian Cloud | Users and groups
  - An alternative to assigning users and groups is to select "Sync all users and groups" in the Provisioning settings and then [[https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts#create-scoping-filters|limit the synced users via scoping]] in Attribute mappings
  - Change the attribute mapping for Atlassian ''emails[type eq "work"].value'' from the AD ''mail'' attribute to ''userPrincipalName''
  - {{ :wiki:screenshots:azure_attribute_mapping.png?linkonly|example}}
  - Enable SAML SSO login: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial

====== Troubleshooting ======

  * If the users aren't syncing, check the user attribute mappings in AD > Enterprise applications > Atlassian Cloud > Edit provisioning > Mappings > Synchronize Azure Active Directory Users to AtlassianCloud. Assign a default value to some or all fields there, because the sync won't work if some attributes are not defined, i.e. not mapped correctly.
  * Since you can only sync users with verified domains, the mappings above need to be correct: the AtlassianCloud attribute ''emails[type eq "work"].value'' in "Mappings" expects an email address from a verified domain, so it can be mapped, for example, to the Azure Active Directory attribute ''userPrincipalName'' so that the user is created/synced properly.
  * You will get a sync failure error in the Provisioning logs if the users have the same Name field in Azure and Atlassian. Users with the same value in some fields won't be synced but are reported as already matched. See the screenshot: {{:wiki:screenshots:ad_provision_failure.png?direct&400|}} Edit the attribute mapping if possible, or change the field value in Azure, if possible.

====== References ======

  * https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes
  * https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial
  * https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem#provisioning-logs-say-users-are-skipped-and-not-provisioned-even-though-they-are-assigned
  * https://confluence.atlassian.com/cloud/user-provisioning-959305316.html
  * https://community.atlassian.com/t5/Atlassian-Access-questions/Atlassian-managed-accounts-and-Azure-AD/qaq-p/1046548
  * https://confluence.atlassian.com/cloud/saml-single-sign-on-943953302.html
  * https://community.atlassian.com/t5/Jira-questions/Azure-user-provisioning/qaq-p/1174384
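
The three Troubleshooting checks (empty source attribute, unverified email domain, name already present in Atlassian) can be run over a user export before enabling provisioning. This is an added example, not code from Microsoft or Atlassian; the users, domains and the ''preflight'' / ''email_domain'' helpers are constructed for illustration.

```python
# Added example: pre-flight check before Azure AD -> Atlassian Cloud provisioning.
# All users, domains and names below are constructed sample data.

VERIFIED_DOMAINS = {"example.com"}   # assumption: domains verified in Atlassian
ATLASSIAN_NAMES = {"Bob Roy"}        # assumption: names of accounts already in Atlassian

AZURE_USERS = [
    {"displayName": "Ann Lee", "mail": None, "userPrincipalName": "ann@example.com"},
    {"displayName": "Bob Roy", "mail": "bob@example.com", "userPrincipalName": "bob@example.com"},
    {"displayName": "Cy Dunn", "mail": "cy@other.test", "userPrincipalName": "cy@other.test"},
]


def email_domain(value):
    """Return the lower-cased domain of an address, or None if it is not usable."""
    if not value or value.count("@") != 1:
        return None
    local, domain = value.strip().split("@")
    return domain.lower() if local and domain else None


def preflight(users, source_attr, verified_domains, existing_names=frozenset()):
    """Map userPrincipalName -> list of problems that would block provisioning.

    source_attr is the Azure AD attribute mapped to Atlassian's
    emails[type eq "work"].value (the page compares mail and userPrincipalName).
    """
    report = {}
    for user in users:
        problems = []
        value = user.get(source_attr)
        domain = email_domain(value)
        if not value:
            problems.append(f"{source_attr} is empty")
        elif domain is None:
            problems.append(f"{source_attr} is not an email address")
        elif domain not in verified_domains:
            problems.append(f"domain {domain} is not verified")
        if user.get("displayName") in existing_names:
            problems.append("name matches an existing Atlassian account")
        if problems:
            report[user["userPrincipalName"]] = problems
    return report


if __name__ == "__main__":
    # Compare the default mapping (mail) with the one the page recommends.
    for attr in ("mail", "userPrincipalName"):
        print(attr, preflight(AZURE_USERS, attr, VERIFIED_DOMAINS, ATLASSIAN_NAMES))
```

Running it with ''mail'' and then ''userPrincipalName'' as the source attribute shows which accounts stop being flagged once the mapping is changed.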