Differences

This shows you the differences between two versions of the page.

--- wiki:connect_microsoft_azure_active_directory_atlassian_cloud [2021/02/19 15:34] – created antisa
+++ wiki:connect_microsoft_azure_active_directory_atlassian_cloud [2021/07/29 16:43] (current) – add steps and more links antisa
@@ Line 3: / Line 3: @@
 ====== Connect Microsoft Azure Active directory with Atlassian Cloud ======
   - Get Atlassian access trial
-  - verify domain > claim accounts
+  - Verify domain > Claim accounts
   - User provisioning > Create a directory
   - Login to Azure, create new directory, add test users
+  - Add custom domain name and verify to AD
   - Follow https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-provisioning-tutorial
   - Assign user/groups to the Atlassian Cloud app in Azure: Home > youraccount > Enterprise applications | All applications > Atlassian Cloud | Users and groups
-  - Add custom domain name and verify to AD
+  - Alternative to assigning users and groups is to select "Sync all users and groups" in Provision settings and then [[https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts#create-scoping-filters|limit the synced users via scoping]] in Attribute mappings
+  - Change attribute mapping for AD ''mail'' object which maps to Atlassian ''emails[type eq "work"].value'' to ''userPrincipalName'' - {{ :wiki:screenshots:azure_attribute_mapping.png?linkonly|example}}
   - Enable SAML SSO login
 https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial
+====== Troubleshooting ======
+  * If the users aren't syncing, check user attribute mappings in AD > Enterprise applications > Atlassian Cloud > Edit provisioning > Mappings > Synchronize Azure Active Directory Users to AtlassianCloud. Here, assign some default value to some or all fields, because the sync won't work if some attributes are not defined i.e. mapped correctly .
+  * Since you can only sync users with verified domains, the mappings above need to be correct, i.e. AtlassianCloud Attribute "emails[type eq "work"].value" in "Mappings" expects email from verified domain, so this can be mapped for example to "userPrincipalName" of Azure Active Directory Attribute so the user is created/synced properly.
-If the users aren't syncing, check user attribute mappings in AD > Enterprise applications > Atlassian Cloud > Edit provisioning > Mappings > Synchronize Azure Active Directory Users to AtlassianCloud. Here, assign some default value to some or all fields, because the sync won't work if some attributes are not defined i.e. mapped correctly .
+  * You will get a sync failure error in Provisioning logs if the users have the same Name field in Azure and Atlassian. So users with same value in some fields won't be synced but reported as already matched. Screenshot below {{:wiki:screenshots:ad_provision_failure.png?direct&400|}}
-Since you can only sync users with verified domains, the mappings above need to be correct, i.e. AtlassianCloud Attribute "emails[type eq "work"].value" in "Mappings" expects email from verified domain, so this can be mapped for example to "userPrincipalName" of Azure Active Directory Attribute so the user is created/synced properly.
+So edit the attribute mapping if possible or change the field value in Azure, if possible.
 ====== References ======
@@ Line 24: / Line 30: @@
   * https://community.atlassian.com/t5/Atlassian-Access-questions/Atlassian-managed-accounts-and-Azure-AD/qaq-p/1046548
   * https://confluence.atlassian.com/cloud/saml-single-sign-on-943953302.html
+  * https://community.atlassian.com/t5/Jira-questions/Azure-user-provisioning/qaq-p/1174384