28. 03. 2025 Alessandra Castiglioni Atlassian, Azure

Unlock Atlassian Users: Reactivating IDP-Synced Managed Accounts

Managing user access in Atlassian Cloud can become complex, especially when an Identity Provider (IDP) handles user provisioning via SCIM (System for Cross-domain Identity Management). A common challenge arises when users who were originally provisioned through your IDP become deactivated after being removed from a group that is synchronized with Atlassian.

Because of the SCIM link, simply reactivating them in Atlassian’s admin hub does not work. This article describes two practical ways to unlock these deactivated users and restore their access to Jira, Confluence and your other Atlassian tools.

Understanding the Challenge

When user provisioning is set up via SCIM, your IDP (such as Azure AD or PingIdentity) becomes the source of truth for user accounts. Deactivating a managed account in the IDP, or moving the user from an actively synchronized group to an unsynchronized one (e.g., after a role change within the company), deactivates the account in Atlassian as well. In these cases the account cannot be reactivated from Atlassian, because it is still linked to the SCIM directory and the IDP remains authoritative for it. This leaves administrators unable to grant access to the tools the user needs.

Two Solutions to Unlock Your Atlassian Users

Currently, there are two primary methods to resolve this issue and unlock your deactivated Atlassian users who were initially synchronized via an IDP:

Solution 1: Engaging Atlassian Support to Unlink or Delete the SCIM Record

This is often the simplest approach if you prefer not to interact directly with the API. Atlassian Support can manually unlink or delete the SCIM record associated with the deactivated user account.

How it works

Once the SCIM record is removed, the account is no longer tied to the SCIM directory. It remains a managed account of your organization, but you now control it directly from the Atlassian admin hub (admin.atlassian.com), where you can reactivate the user.

When to choose this solution

  • You’re not comfortable using APIs
  • You only have a few users to unlock
  • You need immediate assistance and prefer direct support

Solution 2: Utilizing the User Provisioning API to Delete the SCIM Record

For administrators who prefer a more direct and usually faster route, Atlassian provides a User Provisioning API that lets you delete the SCIM record programmatically.

Prerequisites

  • User Provisioning API token: You need the User Provisioning API token of your Atlassian organization. It is generated in the admin settings on the “IDP” page, under the User provisioning section (usually via the three-dots menu). Treat it as a secret: it is the same credential your IDP uses to create, update and deactivate users, so keep it out of tickets, chat messages and shared scripts.
    • Important note: If you regenerate this token, you MUST update the Atlassian Cloud enterprise application in Azure AD (or the corresponding configuration in your IDP) with the new value, otherwise synchronization between your IDP and Atlassian stops working.

Steps to Delete the SCIM Record via API

  1. Identify the Directory ID: Locate your SCIM Directory ID in your Atlassian organization’s admin settings under the “IDP” section.
  2. Obtain the SCIM ID of the user: Send a GET request that looks up the deactivated user by email address: https://api.atlassian.com/scim/directory/{Directory_ID}/Users?emails.value={user's email}
    Replace {Directory_ID} with your Directory ID and {user's email} with the user’s email address. The response lists the matching user(s), including the id attribute, which is the SCIM ID. Check that the returned email really is the one you searched for before going on.
  3. Delete the SCIM record: Send a DELETE request to https://api.atlassian.com/scim/directory/{Directory_ID}/Users/{SCIM_ID}, replacing {Directory_ID} with your Directory ID and {SCIM_ID} with the id from the previous step. The deletion cannot be undone, so verify the SCIM ID first.
  4. Authentication: Both the GET and the DELETE call must carry the User Provisioning API token as a bearer token, i.e. an Authorization: Bearer {token} header.
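The four steps above, as an added example (not code from the original post or from Atlassian) that does the lookup and the delete in one script. It assumes two things that are not stated in the post: that the directory endpoint accepts the standard SCIM 2.0 filter parameter (emails.value eq "…") instead of the shorter emails.value= form shown above, and that a successful DELETE returns 204 No Content as RFC 7644 prescribes. The script defaults to a dry run, verifies client-side that the returned record really carries the requested email, and refuses to act when zero or several records match, because the DELETE is irreversible.

```python
"""Unlink an IDP-synced Atlassian user by deleting its SCIM record.

Added example, not from the original post. Assumptions (see comments):
SCIM 2.0 ``filter`` syntax is accepted, and DELETE answers 204.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.atlassian.com/scim/directory"


def _headers(token):
    # Bearer authentication with the User Provisioning API token (step 4).
    return {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}


def urllib_transport(method, url, headers):
    """Send one HTTP request and return (status, body bytes). Swappable for tests."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def find_scim_id(directory_id, email, token, transport=urllib_transport):
    """Step 2: resolve an email address to exactly one SCIM user id, or raise."""
    # Assumption: standard SCIM filter syntax (the post uses ?emails.value=...).
    query = urllib.parse.urlencode({"filter": f'emails.value eq "{email}"'})
    url = f"{API_BASE}/{directory_id}/Users?{query}"
    status, raw = transport("GET", url, _headers(token))
    if status != 200:
        raise RuntimeError(f"SCIM lookup failed with HTTP {status}: {raw[:200]!r}")
    resources = json.loads(raw).get("Resources", [])
    # Verify the match client-side instead of trusting the server-side filter:
    # a DELETE on the wrong record cannot be undone.
    wanted = email.casefold()
    matches = [
        r for r in resources
        if r.get("userName", "").casefold() == wanted
        or any(e.get("value", "").casefold() == wanted for e in r.get("emails", []))
    ]
    if not matches:
        raise LookupError(f"no SCIM user with email {email}")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} SCIM users carry {email}; refusing to guess")
    return matches[0]["id"]


def delete_scim_record(directory_id, scim_id, token, transport=urllib_transport, dry_run=True):
    """Step 3: delete the SCIM record. Returns the HTTP status, or None in dry-run mode."""
    url = f"{API_BASE}/{directory_id}/Users/{urllib.parse.quote(scim_id, safe='')}"
    if dry_run:
        print(f"[dry run] would send DELETE {url}")
        return None
    status, raw = transport("DELETE", url, _headers(token))
    if status != 204:  # assumption: RFC 7644 success code for DELETE
        raise RuntimeError(f"SCIM delete failed with HTTP {status}: {raw[:200]!r}")
    return status


def unlink_user(directory_id, email, token, transport=urllib_transport, dry_run=True):
    """Steps 2 and 3 in one call; returns (scim_id, delete_status)."""
    scim_id = find_scim_id(directory_id, email, token, transport)
    status = delete_scim_record(directory_id, scim_id, token, transport, dry_run)
    return scim_id, status


if __name__ == "__main__":
    # Usage: ATLASSIAN_SCIM_TOKEN=... python unlink.py <directory-id> <email> [--apply]
    # The token comes from the environment so it never lands in shell history.
    token = os.environ["ATLASSIAN_SCIM_TOKEN"]
    directory_id, email = sys.argv[1], sys.argv[2]
    scim_id, status = unlink_user(directory_id, email, token, dry_run="--apply" not in sys.argv)
    print(f"SCIM id {scim_id}: {'deleted' if status == 204 else 'not deleted (dry run)'}")
```

Run it once without --apply to see which SCIM ID would be deleted, compare it with what the admin hub shows for that user, and only then rerun with --apply. The transport is a plain function so the whole flow can be exercised against a canned SCIM response before it ever touches the real directory.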

After Deleting the SCIM Record

Once the SCIM record is deleted, the account is no longer linked to the IDP and can be managed directly in Atlassian. Navigate to the admin hub and reactivate the user from there. Keep in mind that the IDP stays authoritative for everything in a synchronized group: if the user is later added back to such a group, the next sync provisions them again and the account returns to IDP control.

Future Improvement: Removing SCIM via UI

Atlassian is aware of this challenge and has a feature request logged to provide the ability to remove synced accounts and groups from the Directory directly through the user interface:

https://jira.atlassian.com/browse/ACCESS-1021

This feature request is currently in the “Gathering Interest” state. We encourage you to vote on it and add your comments to help prioritize this improvement. Following the feature request will also keep you updated on its progress.

Conclusion

Dealing with deactivated Atlassian users synchronized via IDP requires specific steps due to the SCIM integration. Whether you involve Atlassian Support or utilize the User Provisioning API, you can effectively unlock these accounts and restore user access. And staying informed about upcoming features like the ability to manage SCIM links through the UI will further streamline user management in the future.

These Solutions are Engineered by Humans

Did you find this article interesting? Does it match your skill set? Our customers often present us with problems that need customized solutions. In fact, we’re currently hiring for roles just like this and others here at Würth Phoenix.
