Hi everyone - we have out JIRA Software instance linked to Microsoft Entra/SSO. 

This means we grant licences via Microsoft Entra which then maps that user licence to a default group in Atlassian.   This works really well, as anyone leaving the organisation is automatically suspended from JIRA concurrently. 

However - in trying to limit access for specific users to specific projects, I have a dilemma. In theory I can change the Browser Permission settings to limit access by group.  However if I remove those users from the default group, i'll break the SSO link. And if I create a mirror group, I have to manually maintain that every time a licence is issued/removed. 

Anyone got any ideas please? Many thanks.