Azure Active Directory is now Microsoft Entra ID (

Below, you find information to set up Microsoft Entra ID (formerly Azure AD) and our SAML SSO apps for Atlassian Data Center and Server products. If you need help or have questions, you can contact us via our helpdesk or book a free screen share session at

If you do not know if you should go with SAML2 or OpenID Connect, please see SAML2 vs. OpenID Connect

Based on your user provisioning model, pick one of the following step-by-step guides.

In most cases, we recommend to use Microsoft Entra ID (formerly Azure AD) with User Sync.

Step-by-Step Guides for SAML2

Step-by-Step Guides for OpenID Connect

Some important notes:

Which Step-by-Step Guide should you pick?

Depending on your Atlassian Data Center or Server product, you can choose from different user provisioning models. We recommend using User Sync, since it is easy to set up and maintain

In general, with Microsoft Entra ID (formerly Azure AD) we support the following ways for user provisioning:

  1. User Sync allows to sync users periodically from Azure AD, but also when they log in for the first time into your Atlassian product. See our detailed article for User Sync.
  2. Just in Time Provisioning allows creating and update users on-the-fly when they log in. A drawback for syncing groups from Azure is, that only group ids and no group names are sent.  See our detailed article for JIT.
  3. LDAP synchronisation from Active Directory. Is your instance still synchronized to your Active Directory via LDAP, you can continue to do so. Please follow the "Manual User Management" Guide in this scenario.
  4. For Manual User Management, the administrator has to create and update users on Azure and your Atlassian Data Center or Server product by hand.
    We do not recommend it. See our article on Manual User Management.

Model/FunctionAdmin EffortPro's and Con's

User Sync

  • Uses Microsoft Entra ID (formerly Azure AD) API to perform regular sync
  • Users and Groups created & updated shortly after done in Microsoft Entra ID (formerly Azure AD)
  • Users can be disabled
  • Additional attributes can be written to Jira User Properties
Just in Time Provisioning

Low, if no groups

High, with Groups from Azure
(Needs setting it up group transformation rules).

  • Creates & Updates users based on information in the SAML Response during Login
  • Users are only created on their first Login.
  • Users & Groups are updated only during SAML authentication.
  • Users cannot be marked disabled (as Azure will not complete the Authentication for a deleted/disabled User)
  • Azure AD only sends group IDs in SAML messages, not friendly names. This requires the setup of Group Transformation rules or acceptance of cryptic Group names in the Atlassian Application.

Manual User ManagementHigh 

  • Here no sync happens
  • Needs manual maintenance of 2 User bases (or is done via custom developments).