Managing user access in Atlassian Cloud can become complex, especially when integrating with Identity Providers (IDPs) for user provisioning via SCIM (System for Cross-domain Identity Management). A common challenge arises when users who were initially synchronized through your IDP become deactivated after being moved out of a group that is synchronized with Atlassian.
Due to the SCIM link, simply reactivating them within Atlassian’s admin hub might not be straightforward. This article provides practical solutions to unlock these deactivated users and restore their access to your valuable Atlassian tools like Jira and Confluence.
Understanding the Challenge
When user provisioning is set up via SCIM, your IDP (such as Azure AD or PingIdentity) becomes the source of truth for user accounts. Deactivating a user with a managed account in the IDP, or moving them from an actively synchronized group to an unsynchronized one (e.g., due to a role change within the company), often leads to deactivation in Atlassian. However, in these cases, reactivating them through Atlassian isn’t possible due to the existing SCIM link. This can leave administrators in a frustrating situation, unable to grant access to necessary tools.
Two Solutions to Unlock Your Atlassian Users
Currently, there are two primary methods to resolve this issue and unlock your deactivated Atlassian users who were initially synchronized via an IDP:
Solution 1: Engaging Atlassian Support to Unlink or Delete the SCIM Record
This is often the simplest approach if you prefer not to interact directly with APIs. When you contact Atlassian Support, their team can manually unlink or delete the SCIM record associated with the deactivated user account.
How it works
Once the SCIM record is removed, the account transitions into a “managed account” within Atlassian. This means you gain direct control over the account from the Atlassian admin hub (admin.atlassian.com), and you’ll be able to reactivate the user from there.
When to choose this solution
Solution 2: Utilizing the User Provisioning API to Delete the SCIM Record
For administrators who prefer a more direct and potentially faster solution, Atlassian provides a User Provisioning API that allows you to programmatically delete the SCIM record.
Prerequisites
Steps to Delete the SCIM Record via API
1. Look up the user's SCIM ID by sending a request to the following URL:
https://api.atlassian.com/scim/directory/{Directory_ID}/Users?emails.value={user's email}
Replace {Directory_ID} with your actual Directory ID and {user's email} with the deactivated user’s email address. This request will return user details, including their id (which is the SCIM ID).
2. Delete the SCIM record by sending a request to the following URL, replacing {Directory_ID} with your Directory ID and {SCIM_ID} with the SCIM ID you obtained in the previous step:
https://api.atlassian.com/scim/directory/{Directory_ID}/Users/{SCIM_ID}
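The lookup and delete steps above as a script with a safety check, added here as an example and not code from this article or from Atlassian. It assumes GET for the lookup and DELETE for the removal, bearer-token authentication with the directory's API key, and a SCIM ListResponse (a "Resources" array) from the lookup; the function names and the dry_run switch are hypothetical.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://api.atlassian.com/scim/directory"  # base URL from the article


def http_call(method, url, token):
    """Real transport: returns (status, parsed JSON body or None)."""
    headers = {"Authorization": f"Bearer {token}",  # assumption: bearer API key
               "Accept": "application/json"}
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def find_scim_id(directory_id, email, token, call=http_call):
    """Step 1: look the user up by email and return exactly one SCIM id."""
    query = urllib.parse.urlencode({"emails.value": email})
    _, body = call("GET", f"{BASE}/{directory_id}/Users?{query}", token)
    # Assumption: the lookup returns a SCIM ListResponse with "Resources".
    # Re-check the email client-side in case the server-side filter is ignored.
    matches = [
        u for u in (body or {}).get("Resources", [])
        if any(e.get("value", "").lower() == email.lower()
               for e in u.get("emails", []))
    ]
    if len(matches) != 1:
        # Refuse to guess: deleting the wrong record unlinks another user.
        raise LookupError(f"expected 1 SCIM record for {email}, found {len(matches)}")
    return matches[0]["id"]


def delete_scim_record(directory_id, email, token, call=http_call, dry_run=True):
    """Step 2: delete the record found in step 1; dry_run only reports the target."""
    scim_id = find_scim_id(directory_id, email, token, call)
    url = f"{BASE}/{directory_id}/Users/{urllib.parse.quote(scim_id, safe='')}"
    if dry_run:
        return {"would_delete": url}
    status, _ = call("DELETE", url, token)
    if status not in (200, 204):
        raise RuntimeError(f"unexpected status {status} deleting {url}")
    return {"deleted": url}


if __name__ == "__main__":
    # Constructed sample response and placeholder ids; no network access.
    sample = {"Resources": [{"id": "scim-id-placeholder",
                             "emails": [{"value": "jane@example.com"}]}]}
    print(delete_scim_record("DIRECTORY_ID", "jane@example.com", "unused",
                             call=lambda m, u, t: (200, sample)))
```

Run it with dry_run left on first and confirm the reported URL points at the intended user before repeating with dry_run=False.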
After Deleting the SCIM Record
Once the SCIM record is successfully deleted, the user account will become a managed account in Atlassian. You can then navigate to your Atlassian admin hub and reactivate the user account directly.
Future Improvement: Removing SCIM via UI
Atlassian is aware of this challenge and has a feature request logged to provide the ability to remove synced accounts and groups from the Directory directly through the user interface:
https://jira.atlassian.com/browse/ACCESS-1021
This feature request is currently in the “Gathering Interest” state. We encourage you to vote on it and add your comments to help prioritize this improvement. Following the feature request will also keep you updated on its progress.
Conclusion
Dealing with deactivated Atlassian users synchronized via IDP requires specific steps due to the SCIM integration. Whether you involve Atlassian Support or utilize the User Provisioning API, you can effectively unlock these accounts and restore user access. Staying informed about upcoming features like the ability to manage SCIM links through the UI will further streamline user management in the future.