User management and SSO - Atlassian Access

serge calderara
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 29, 2023

Dear all,

We actually have a Jira Data Center version 9.11.3 hosted in Azure AD.
We have our company Active Directory in Azure AD as well.

We are working with external vendors and subcontractors to which we give access to our central Jira.
We are handling user accounts in the following way:

  1. When a subcontractor requests access to our company Jira instance, we send that user an invitation from Azure using his own company email
  2. That user account becomes a GUEST account in our company AD, but the account itself is still managed by each subcontractor's Active Directory
  3. Then we implement an Active Directory sync of our company AD, which also syncs the external agencies' accounts with their respective accounts
  4. We implement SSO for authentication to our Jira Data Center

Based on this context, our company DOES NOT and DOES NOT WANT to manage subcontractors' accounts in our AD.

We are now studying the possible migration to Jira Cloud from our Data Center instance while keeping the user management context described above.

We have seen that the first thing to do is to use Access in order to verify our domain name.

Q1: So I guess that we will have to verify each of our subcontractors' domains as well, right?

Then we have also noticed that when we verify a domain we need to claim the returned accounts. I understood that the list of users returned after domain verification are users who have an Atlassian account. But by claiming user accounts, users will be managed in our company Jira instance. THIS IS WHAT WE DO NOT WANT.

Q2: If we do not claim any accounts, and if we go through the same account creation request process described in steps 1 to 4, will users still be able to use the instance if not claimed, or will new users automatically be created as Atlassian accounts?

I hope you understand our goal and the key point, which is that we do not want to manage external subcontractors' user accounts in our future Jira Cloud instance.

Is this possible? And if yes, what are the exact steps to reach our goal?

If it is not possible, what could be a workaround?

Thanks for sharing

2 answers

1 accepted

0 votes
Answer accepted
Ste Wright
Community Champion
November 30, 2023

Hi @serge calderara 

Atlassian Access only allows one Organization to have claim to a domain - so it's unlikely you'll be able to claim each vendor's domain, nor want to.

You have two options here...

  • Give each vendor access via your AD / identity platform (eg. provide them an email address with your domain)
  • Allow them access as an external user - utilising their own Atlassian account, which could be managed from their own Atlassian Access.

You could setup external user security for the vendor's users? This sends them a verification code when they login - and you can set the regularity these codes are required.

Ste

serge calderara
Rising Star
November 30, 2023

@Ste Wright thanks for your reply

Based on your comment, and if you are 100% sure that we cannot claim multiple domains.

Your option 1 is absolutely not possible in our company, as we work with more than 500 external subcontractor accounts around the world and our security policy is strict on this.

Your option 2:
Please note that our subcontractors' accounts do not have any Atlassian account, as they do not use it for their own purposes, and so do not have any Atlassian Access of their own either.

The way Access has been thought of by Atlassian is weird and assumes you simply work only for one instance of your own. But in today's world we work with many people around the world for whom we simply want access to our centralized tool.

What else? Can anything else be done?

Regards

Ste Wright
Community Champion
November 30, 2023

Hi @serge calderara 

You can claim multiple domains - but as I say, only one Org can claim each domain. That isn't to say you can't have multiple instances under that Org (eg. multiple separate Jira instances).

If the vendors do not have their own Atlassian Access Org, you could...

  • Claim and manage their domain, and...
  • Setup authentication policies to ensure you're only managing and paying for the relevant users

This might be an option you could consider?

It will claim every user though under each email domain, regardless if they are working on your instance or otherwise.

Ste

serge calderara
Rising Star
November 30, 2023

@Ste Wright, thanks for your reply.

Our single company will handle a single Org with only a single Jira instance, which is our own.

  1. We can add their domain for verification in our Org after asking them to place the respective TXT records

You said:
"It will claim every user though under each email domain, regardless if they are working on your instance or otherwise."

This is exactly what we are not allowed to do, because we do not want to manage their accounts in our Org.

What is not clear in what I am trying to explain?

Ste Wright
Community Champion
November 30, 2023

Hi @serge calderara 

Then your option is to use the external user security as I mentioned above.

Ste

serge calderara
Rising Star
November 30, 2023

@Ste Wright thanks for your reply.

So the way I understand it, when you use external user security:

  1. Users that belong to my domain on Azure Active Directory I will manage directly from the AD, correct?

  2. For other external users that you attached from an invitation, they are stored as local accounts, which is equivalent to the so-called Internal directory in Data Center, correct?

  3. Let's say that bob@global.inc, an external user consultant, wants to get access to our Org Jira. Then we send him an invitation that he will accept.
    At this time, will his original company account still be on his external domain, or will bob@global.inc be converted into an Atlassian account?

Thanks for your reply on those still open questions
Regards

Ste Wright
Community Champion
November 30, 2023

Hi @serge calderara 

  1. Yes, for any domain you "manage" you can manage user access through AD. See this help page on user provisioning for more information. 
  2. Yes - but you would not have ownership over their details (eg. name). Either the user directly, or another Org, would have this ownership. You'd have access over just instance-level access/permissions.
  3. Bob would need an Atlassian account to access your instance - whether that's a new one Bob creates, or their existing account if one exists. Each user essentially has "one" Atlassian account per email address - which can then access one or multiple Atlassian instances.

Ste

serge calderara
Rising Star
December 1, 2023

Hello @Ste Wright, thanks for your reply

It's getting clearer; I still have a few last questions to cover all my cases.

So to summarize:

Q1 - All accounts which have been claimed and which belong to my own company's verified domain remain Microsoft accounts from our Azure AD. They are not converted to Atlassian accounts but used as they are. Still correct?

Q2 - Let's consider this case where bob@global.inc is working for us and is handled as an external account in our Org. If Bob is also working for another customer which also uses Jira Cloud, will Bob be able to work with both customers?

Q3 - Let's consider this other case where I verify more than one domain.
        - I verify and claim accounts on our own domain
        - I then verify in our Org the domains of 2 external subcontractors, Vendor1.com and Vendor2.com, and then claim accounts for those domains. Both Vendor1 and Vendor2 have their own Azure Active Directory for managing their respective accounts.
So in this scenario I guess I would have 3 directory sync entries:
 one for our domain and one for each of Vendor1 and Vendor2. And each account is managed by the respective vendor's AD.
Is this correct?

Q4:
 In the scenario described in Q3, if Vendor1 and Vendor2 are also working for other customers, and we have claimed their domains and accounts in our Org, will Vendor1 and Vendor2 be able to work as part of another customer's Jira Cloud?

What is confusing me here is that we have so-called Atlassian accounts and Microsoft accounts from the identity provider, and what I do not want is that when domains get validated, Microsoft accounts become Atlassian accounts.

Can you confirm that this is not the case and MS accounts remain MS accounts?

Thanks for your comments

Ste Wright
Community Champion
December 1, 2023

Hi @serge calderara 

  1. Whilst the users' access, etc can be handled from Azure AD, each user will get an Atlassian account. It's just that these accounts are managed by your organisation, letting you activate, deactivate, change their details, etc.
  2. Bob would have one Atlassian account which could have access to multiple instances - including yours, and other companies.
  3. It is possible to connect multiple identity providers, but only on Enterprise Plans. This is confirmed on this help page.
  4. Even if you claim their domain the vendors could still be granted access to other instances (as could your company's users) - it just means you have "ownership" over their accounts, so could activate/deactivate them across all instances from a central location, etc.
  5. Your Microsoft Accounts don't become Atlassian Accounts - the Atlassian Accounts are in addition to, not in place of, the other accounts.

Ste
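A small model of the claim and provisioning semantics Ste describes above (claiming a domain claims every Atlassian account on that domain, whether or not the person works on your instance, while guests from domains you do not verify come in as external users with their own Atlassian account). This is an added example for this thread, not code from Atlassian or from any poster; the `DirectoryUser` record, the `provisioning_scope` and `claimed_by_domain` functions and all sample addresses are constructed, and the `user_type` values mirror the Azure AD / Entra ID `userType` attribute ("Member" / "Guest").

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DirectoryUser:
    mail: str
    user_type: str  # Azure AD / Entra ID userType: "Member" or "Guest"


def email_domain(mail: str) -> Optional[str]:
    """Domain part of an address, lower-cased; None if the address is malformed."""
    local, sep, domain = mail.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()


def provisioning_scope(users: Iterable[DirectoryUser], verified_domains: Iterable[str]) -> dict:
    """Split a directory export into: accounts the org will own after claiming
    ("managed"), guests who must come in as external users ("external"),
    members on a domain the org has not verified ("unverified"), and junk."""
    verified = {d.lower() for d in verified_domains}
    scope = {"managed": [], "external": [], "unverified": [], "invalid": []}
    for u in users:
        domain = email_domain(u.mail)
        if domain is None:
            scope["invalid"].append(u.mail)
        elif domain in verified:
            scope["managed"].append(u.mail)      # claimed: org can activate/deactivate
        elif u.user_type == "Guest":
            scope["external"].append(u.mail)     # stays owned by the vendor / the user
        else:
            scope["unverified"].append(u.mail)
    return scope


def claimed_by_domain(atlassian_accounts: Iterable[str], verified_domains: Iterable[str]) -> list:
    """Every Atlassian account on a verified domain gets claimed, regardless of
    whether that person is in the org's directory or uses its instance."""
    verified = {d.lower() for d in verified_domains}
    return sorted(a for a in atlassian_accounts if email_domain(a) in verified)


# Constructed sample data, not taken from the thread.
AD_EXPORT = [
    DirectoryUser("alice@mycompany.com", "Member"),
    DirectoryUser("Bob@Global.inc", "Guest"),
    DirectoryUser("user1@vendor1.com", "Guest"),
    DirectoryUser("contractor@mycompany.com", "Member"),
    DirectoryUser("broken-address", "Member"),
]
ATLASSIAN_ACCOUNTS_SEEN = ["alice@mycompany.com", "user1@vendor1.com", "someone-else@vendor1.com"]
```

Run `provisioning_scope(AD_EXPORT, {"mycompany.com"})` to see only the mycompany.com members land in the managed bucket, and `claimed_by_domain(ATLASSIAN_ACCOUNTS_SEEN, {"vendor1.com"})` to see that verifying a vendor's domain would also claim a vendor employee who never touches your instance.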

serge calderara
Rising Star
December 1, 2023

@Ste Wright ,

Thanks for your reply.

Let me explain this last case that is implemented today with our subcontractors.

  • In our Azure AD domain for mycompany.com we have all our company users in the normal way.

  • Then in our Azure identity provider, we also have subcontractor accounts identified as GUEST users with their respective emails user1@vendor1.com, user2@vendor2.com, etc.

  • When we run a sync to our current Jira Data Center, all users from the different groups get synced, even those like user1@vendor1.com and user2@vendor2.com, who can then connect using SSO and their company email address and password.

  • user1@vendor1.com and user2@vendor2.com are managed by their respective company IT identity providers.

Note: The way external GUESTs are added to our AD is that we have set up a federation of trust for their domain, and they are able to join after an invite is sent.

Question:
What are the best practices to implement our current config in Jira Cloud while keeping our GUEST access policy in place?

Any suggestion ?

Ste Wright
Community Champion
December 1, 2023

Hi @serge calderara

I'd recommend contacting Atlassian directly just to check whether this is possible, or what the best alternative is.

You can contact...

Ste

serge calderara
Rising Star
December 1, 2023

@Ste Wright 

Ok, I will. Thanks for all your replies, which helped me to understand this weird integration a bit better.

Regards

serge calderara
Rising Star
December 5, 2023

Hello @Ste Wright,

I am facing an issue that I am sure you can help with.
We have made a test in verifying our domain, and Access reported 25 accounts that we claimed on that domain in order for them to be able to sign in using SSO.

Question:
If a UserB from that domain, and part of the AD, has not been claimed earlier because he did not have any Atlassian account,

how does that UserB request access and get claimed?

Regards

0 votes
David Friedrich
Rising Star
November 30, 2023

Hi @serge calderara ,

Not a direct answer to your questions, but some insights on how Atlassian Access works, as I think you're mixing it up with some general admin hub functionality.

Atlassian Access enables single sign-on, user sync, and provisioning. It gives your org admins visibility and security across all the accounts, products, and sites within your Atlassian Cloud organization. 

Before you can subscribe to Atlassian Access, you need to verify a domain and claim its accounts.

Whether you are able to verify your subcontractors' domains as your own depends on them. A DNS entry is needed to verify.

You can connect one identity provider when you subscribe to Atlassian Access, and connect to multiple ones when you subscribe to an Enterprise plan. User provisioning integrates an external user directory with your Atlassian organization. This integration allows you to automatically update the users and groups in your Atlassian organization when you make updates in your identity provider. 

SAML single sign-on (SSO) allows your users to authenticate to Atlassian cloud products through your company's existing identity provider so they can access multiple tools with the same set of credentials.

An authentication policy allows you to specify authentication settings for different sets of users and configurations in your organization. This includes two-step verification and password requirements, for example. 

On top of that, Access gives you the following features:

Shadow IT: you can see sites and products that users with managed accounts created outside your Atlassian organization.

API Tokens: Users can create API tokens to perform authenticated operations with product APIs. With an Atlassian Access subscription, an org admin can revoke these tokens. 

Atlassian Access audit log: tracks key activities that occur within the Cloud organization: changes to User accounts and Groups, Products, Security policies, and the organization as a whole.

Hope this helps a little.

serge calderara
Rising Star
November 30, 2023

@David Friedrich thanks for your reply, but it does not make my mind clearer based on the scenario I have described.

To explain again, our Jira is connected to our single and unique identity provider, which is our Azure Active Directory.

All our external subcontractors' accounts are part of our AD but as GUEST accounts, which means their own accounts are managed by their respective company Active Directory.

We do not want to manage external subcontractor accounts in our potential Jira Cloud.

So the main points are as below:

Q1: Do I have to verify each domain of external subcontractors even if we do not want to claim their accounts?

Q2: Let's say we validate each external agency subcontractor's domain in addition to ours, but we do not claim any accounts from external users. What will happen when our unique identity provider Azure AD sends user accounts to Jira Cloud? Will those external users still be valid and enabled even if they did not get claimed?

IMPORTANT:
We MUST use only our unique Azure AD, to which external GUEST accounts will belong on demand.

Thanks for your comment on 

regards

Ahlem Turki May 29, 2024

@serge calderara Hi Serge,

Were you able to find answers to those questions? Especially the last Q2?

We are in the same situation as you, and we are not able to make Guest accounts work using SSO, even if we claim the accounts on Jira.

Were you able to connect your guest users using SSO with verified domains?

Thanks for your answer
