Email address change via User Provisioning is not reflected on Atlassian
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
Once you connect your identity provider to your Atlassian organization via User Provisioning, you manage all user attributes and group memberships from your identity provider.
You can update these user attributes from your identity provider:
- Display name: This is a combination of a user’s first and last name. If you update the display name, it also overwrites the attributes for first and last name.
- Email address
- Organization
- Job title
- Timezone
- Department
- Preferred language
When you update an email address from a verified or unverified domain to an unverified domain, it:
- Removes the user from groups provisioned by SCIM
- May cause the user to lose product access granted in the SCIM group
To make sure users aren’t removed from product access groups, claim the unverified domain in your Atlassian organization first.
Also, the SCIM link for the managed account is broken, and the new (unverified) email address gets linked to the SCIM ID instead. No Atlassian account (AA) is created for this new user.
This essentially means that the email address update happened on SCIM but not on Atlassian.
Diagnosis
In the Provisioning logs we see:
Email update to unmanaged user with ID <SCIMid>, primary email user@abc.com, unlinked any associated atlassian account.
Cause
Updating an email address from managed to unmanaged is not supported in Atlassian.
Solution
- Update the email address through provisioning sync. For this, the org admins need to claim the destination domain in the same organization as the primary domain, which makes this domain managed by the organization; or
- Push the new emails of the users as fresh accounts and do not update the emails of the managed accounts in the IdP. This pushes user@abc.com as a fresh externally managed user, and a new Atlassian account is created for this user. The drawback of this approach is that the user ends up with two Atlassian accounts: the old managed account and the new externally provisioned account user@abc.com.
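To find which users were unlinked and which destination domains would need to be claimed, the message from the Diagnosis section can be searched for in an exported provisioning log. The following is an added example, not Atlassian code: the function names are hypothetical, the log is assumed to be plain text lines with a timestamp prefix, and the list of verified domains is supplied by the admin.

```python
import re
from collections import defaultdict

# Message text as quoted in the Diagnosis section; SCIM ID and email vary per user.
UNLINK_RE = re.compile(
    r"Email update to unmanaged user with ID (?P<scim_id>\S+), "
    r"primary email (?P<email>[^\s,]+), "
    r"unlinked any associated atlassian account",
    re.IGNORECASE,
)


def find_unlinked_users(log_lines):
    """Return (scim_id, email) for every unlink message found in the lines."""
    hits = []
    for line in log_lines:
        m = UNLINK_RE.search(line)
        if m:
            hits.append((m.group("scim_id"), m.group("email").lower()))
    return hits


def domains_to_claim(hits, verified_domains):
    """Group affected SCIM IDs by destination domain not yet claimed by the org."""
    verified = {d.lower() for d in verified_domains}
    by_domain = defaultdict(list)
    for scim_id, email in hits:
        domain = email.rpartition("@")[2]
        if domain and domain not in verified:
            by_domain[domain].append(scim_id)
    return dict(by_domain)


# Constructed sample: timestamps, IDs and addresses are made up for illustration.
SAMPLE_LOG = [
    "2024-01-10T09:14:02Z Email update to unmanaged user with ID scim-0001, "
    "primary email user@abc.com, unlinked any associated atlassian account.",
    "2024-01-10T09:14:05Z User scim-0002 updated: displayName changed",
    "2024-01-10T09:15:40Z Email update to unmanaged user with ID scim-0003, "
    "primary email Other@ABC.com, unlinked any associated atlassian account.",
    "2024-01-10T09:16:11Z Email update to unmanaged user with ID scim-0004, "
    "primary email someone@example.org, unlinked any associated atlassian account.",
]

if __name__ == "__main__":
    hits = find_unlinked_users(SAMPLE_LOG)
    for domain, ids in domains_to_claim(hits, ["example.com"]).items():
        print(f"{domain}: {len(ids)} unlinked user(s): {', '.join(ids)}")
```

Each domain in the result is a candidate for claiming before the email change is pushed again through provisioning sync.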