409 error when attempting to update email address via user provisioning
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
After changing a synced managed account's email address via user provisioning, the following message is displayed in the Troubleshooting log tab under User provisioning:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"409","scimType":"uniqueness","detail":"Resource [USER]: with email[example@example.com] already exists."}
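An added example, not Atlassian's code: a Python helper that scans lines copied from the Troubleshooting log for this SCIM 409 uniqueness error and counts the conflicting email addresses, so each one can be searched for under Managed accounts. The one-entry-per-line layout, the sample lines and the function names are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Detail text as shown on this page: "... with email[addr] already exists."
EMAIL_IN_DETAIL = re.compile(r"email\[([^\]]+)\]")

def parse_scim_error(line):
    """Return the SCIM error object in a log line, or None; tolerates a lost closing brace."""
    start = line.find("{")
    if start < 0:
        return None
    text = line[start:].strip()
    for candidate in (text, text + "}"):
        try:
            obj = json.loads(candidate)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and SCIM_ERROR_SCHEMA in obj.get("schemas", []):
            return obj
    return None

def email_conflicts(lines):
    """Count 409 uniqueness errors per conflicting email address."""
    counts = Counter()
    for line in lines:
        err = parse_scim_error(line)
        if err is None:
            continue
        # status is a string in the message above; accept an integer too.
        if str(err.get("status")) != "409" or err.get("scimType") != "uniqueness":
            continue
        match = EMAIL_IN_DETAIL.search(str(err.get("detail", "")))
        if match:
            # Assumption: group addresses case-insensitively.
            counts[match.group(1).strip().lower()] += 1
    return dict(counts)

# Constructed sample lines; addresses are placeholders.
SAMPLE_LOG = [
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"409","scimType":"uniqueness","detail":"Resource [USER]: with email[example@example.com] already exists."',
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"409","scimType":"uniqueness","detail":"Resource [USER]: with email[Example@example.com] already exists."}',
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"404","detail":"not found"}',
    'sync finished without errors',
]

if __name__ == "__main__":
    print(email_conflicts(SAMPLE_LOG))
```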
Diagnosis
Since removing the user from a site will not delete the account, it is possible to review it at the organization level. To do so, follow these steps:
It is necessary to be an organization administrator to access this part.
- Go to https://admin.atlassian.com and select the organization with the domain verified for the account in question.
- Under the organization, select Directory > Managed accounts
- Search for the user's account
Can't find the account?
If the account is not visible at the directory level, this might indicate that it is still unverified. In this case, check the following:
- The user needs to log in to the Atlassian account first in order for it to be verified.
- The user needs to confirm the account's creation from their inbox, which is part of the Atlassian account creation process.
- The account is not properly linked on the identity provider side, which prevents authentication from happening and verification from finishing.
Cause
Although the email change is performed on the identity provider side, an email address can only be tied to a single Atlassian account. If the change coming from the identity provider points to a different user, the update will not be propagated. To move forward with the change, it is necessary to free the already existing email address.
Solution
After identifying the account, use one of the alternatives below to free its email address and sync the change:
- Completely delete the managed account, which will go through a 14-day grace period. Once this time passes, try to change the email again.
- Change the user's email to a dummy email so that the identity provider's change can be synced.