Basic Authentication cannot be disable after configuring SSO with Microsoft Azure AD
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After configuring SSO using Microsoft Azure AD, disabling Basic Authentication fails with an error
Diagnosis
On performing the steps to disable Basic Authentication an error occurs
In Jira, select Administration
> System > Authentication methods (in earlier versions named SSO 2.0).- Next to the default authentication method, select Actions > Edit.
- Clear the Show default login form checkbox.
Cause
When configuring SSO in Jira using the Atlassian SSO App, specific steps are required to add new authentication under the Jira authentications tab. This will enable SSO as an additional login method and allow you to disable basic auth. For example, refer to the step Configure SAML on Jira.
On configuring Single Sign on using a third-party addon, it's important to note that this process does not require to create a new SSO authentication under the Jira authentications tab. The SSO configurations are managed within the add-on configuration page itself. Consequently, disabling basic authentication might not be possible.
Solution
In such cases where SSO is configured using a third-party addon, it is recommended to consult with the vendor on how to enforce user login via SSO exclusively. For example, when using Microsoft Azure Active Directory single sign-on for Jira plugin, you can enable the "Force Azure Login" option from the plugin. This action will allow users to sign in solely through their SSO credentials and disable the default login form for access.