Connecting Microsoft Entra ID to Atlassian Guard using automatic user provisioning (Option 2) is the fastest way to sync users into your Atlassian Cloud organization without manual SCIM configuration. In our guide, we walk you through the entire process step by step, from initial setup to running a safe pilot sync – so you can avoid common pitfalls like broken logins, incorrect permissions, and licensing issues.
This approach is especially critical for enterprise setups where one wrong sync can disrupt access across your entire organization.
In our video, Marvin, a Technical Support Engineer in DevOps at Resolution, demonstrates exactly how to configure and execute this sync safely.
Understanding Option 2: Automatic User Provisioning
Atlassian offers two methods for connecting Microsoft Entra ID (formerly Azure AD) to Atlassian Guard. Option 1 involves a manual SCIM and SAML configuration, which provides more flexibility and does not flatten nested groups. Option 2, which is the focus of our video, takes a streamlined approach: you sign in with Microsoft, grant access, and Atlassian sets up the sync automatically. This is the fastest path to getting your users provisioned into your Atlassian Cloud organization.
One important behavior to understand with Option 2 is that nested groups get flattened, but the memberships within those groups are preserved. Syncing runs automatically on a default interval of every 4 hours, though this can be adjusted later.
Prerequisites Before You Begin
Before starting the automatic provisioning setup, you need to verify a few things to ensure a smooth configuration:
- You must be an organization admin in Atlassian.
- You need Atlassian Guard Standard enabled for your organization.
- You must be using the correct Entra tenant. Connecting the wrong tenant will sync the wrong users entirely.
Step-by-Step: Setting Up Automatic User Provisioning
Navigating to the Identity Provider Settings
To begin, go to admin.atlassian.com and select the site or organization where you want to add your identity provider. From there, navigate to Security, then User Security, and finally Identity Providers. From the available options, choose Microsoft Azure AD.
Selecting Option 2 and Connecting Microsoft
You will be prompted to give your directory a name. After naming it, select Option 2: Automatically set up user provisioning and click Add. You will receive a notification that the directory has been added. The next step is to sign in with your Microsoft account. Choose the correct account and, depending on your tenant settings, you may need to click approve or provide consent. Once completed, you will be redirected back to the user sync configuration page in Atlassian.
Configuring Sync Settings
Automatic Syncing Interval
At the top of the configuration page, you will see the option to disable automatic syncing. For production environments, it is recommended to keep automatic syncing enabled. The default interval is every 4 hours, but you can adjust this to 1 hour, 2 hours, or 24 hours depending on your organization’s needs.
Filtering by Domain
If your Entra ID tenant contains more than one domain, it is strongly recommended that you filter your sync to include only the specific domains you need. This prevents users from unintended domains being synced into your Atlassian instance. Select only the domains that are relevant to your organization.
Selecting Users to Sync
You have two choices for selecting which users get synced. You can sync all users from your Entra ID tenant, or you can choose specific groups and their users. The second option is highly recommended, especially during your initial setup. By selecting specific groups, you can search for a group in Entra ID and only members of that group will be provisioned. This is the foundation of running a safe pilot sync.
Choosing the User Identifier
The next configuration option is how Atlassian identifies your users. You can choose between the User Principal Name (UPN) or the email address. This decision depends on your specific setup and whether every member in your Entra ID has an email address assigned. Critically, when you later configure single sign-on (SSO), you must choose the same identifier you selected here. Mismatched identifiers are one of the most common causes of login failures.
Email Notifications
By default, Atlassian sends an email to users once they have been provisioned. If you prefer not to notify users during the pilot phase, you can turn email notifications off before syncing. This is a useful option when you are testing and do not want to create confusion among users who are not yet expected to access the platform.
Running Your First Sync
Group Size Limitation
Before clicking sync, be aware of an important limitation: each group can have a maximum of 10,000 users. If any of your groups exceed this limit, you will need to split them into smaller groups; otherwise, the sync will fail.
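The settings above can be checked against an export of the pilot group before the first sync. The following pre-flight check is an added example, not Atlassian or Resolution code: the directory data is constructed, the field names (`upn`, `email`) and group names are hypothetical, and it assumes that the 10,000-user limit is counted on the flattened membership and that the domain filter is matched on the chosen identifier's domain.

```python
# Added example: pre-flight check for a pilot group before the first sync.
# All directory data below is constructed; field names are assumptions.
MAX_GROUP_SIZE = 10_000  # per-group limit stated in this guide

def flatten(group, groups, seen=None):
    """Return all user IDs in `group`, including members of nested groups."""
    seen = set() if seen is None else seen
    if group in seen:            # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, []):
        if member in groups:     # member is itself a group
            users |= flatten(member, groups, seen)
        else:
            users.add(member)
    return users

def preflight(group, groups, users, allowed_domains, identifier="upn"):
    """List problems that would make the pilot sync unsafe or incomplete."""
    problems = []
    members = flatten(group, groups)
    if len(members) > MAX_GROUP_SIZE:
        problems.append(f"{group}: {len(members)} users exceeds {MAX_GROUP_SIZE}")
    for uid in sorted(members):
        value = users[uid].get(identifier)
        if not value:            # e.g. email chosen but not set for this user
            problems.append(f"{uid}: no {identifier} set")
            continue
        domain = value.rsplit("@", 1)[-1].lower()
        if domain not in allowed_domains:
            problems.append(f"{uid}: domain {domain} not in filter")
    return problems

# Constructed sample directory: a pilot group with one nested group.
GROUPS = {"atlassian-pilot": ["u1", "u2", "contractors"],
          "contractors": ["u3", "u4"]}
USERS = {
    "u1": {"upn": "ana@example.com", "email": "ana@example.com"},
    "u2": {"upn": "bo@example.com", "email": None},
    "u3": {"upn": "cy@partner.example", "email": "cy@partner.example"},
    "u4": {"upn": "di@example.com", "email": "di@example.com"},
}

if __name__ == "__main__":
    for p in preflight("atlassian-pilot", GROUPS, USERS, {"example.com"}, "email"):
        print(p)
```

Running it with `identifier="email"` and then with `identifier="upn"` shows which users would break if the identifier chosen for provisioning is not populated for everyone in the pilot group.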
Starting the Sync
When you click sync, a confirmation window will appear showing your selected domains and configuration. Pay close attention to the important warning: once you start syncing, you cannot stop it. You can edit settings later, and changes will be applied by the next sync cycle, but the syncing process itself is permanently on. This is why you should treat your first sync like production: start with a small pilot group, verify results, and then expand.
After clicking Start Syncing, you will see that the sync is in progress. For a small pilot group, this should complete relatively quickly. Once finished, you will receive a notification confirming the sync was successful.
Common Gotchas After Syncing
There are two critical issues to be aware of after your first sync completes:
- SSO Timing: Atlassian requires that you complete a sync before you can set up single sign-on. Do not attempt to configure SSO before your first sync has finished successfully.
- App Access: Syncing users into your Atlassian organization is not the same as granting them product access. Newly synced groups may still need to be assigned access to products like Jira or Confluence, and this must be configured separately.
Recommended Next Steps
After completing your initial sync, follow these recommended steps to ensure a safe and successful rollout:
- Pilot with one group: Start small so you can verify everything works correctly without affecting your entire user base.
- Verify identifiers, domains, and memberships: Double-check that users are being matched correctly and that the right groups and domains are synced.
- Move on to single sign-on and enforcement: Once your pilot is validated, proceed to configuring SSO and enforcing authentication policies across your organization.
Key Takeaways for a Safe Entra ID to Atlassian Guard Integration
Option 2 provides a fast path to connecting Entra ID with Atlassian Guard: connect, consent, configure sync settings, and sync. However, speed should not come at the expense of safety. Always start with a pilot group, verify your domains and user identifiers, and remember that syncing users is a separate step from granting product access in Jira, Confluence, or any other Atlassian application. By following the process outlined in our video, you can confidently provision users into your Atlassian Cloud organization without risking broken logins, incorrect permissions, or licensing issues.