User Import and Sync
You can import users and groups from external identity providers into your organization by setting up authentication modules. This feature allows seamless integration with your existing identity management solutions. It also means you don't need to create and manage these groups and user accounts manually in YouTrack.
Currently, the following three authentication modules support user and group import:
Microsoft Entra ID (formerly Azure Active Directory)
Prerequisites
Before you begin, ensure the following:
You have administrative access to your external identity provider (Microsoft Entra ID, Okta, or JetBrains Account).
You have the required credentials and permissions to retrieve users and group data from your identity provider.
You have Low-level Write permission for your YouTrack site.
Set Up an Authentication Module
The first step is to set up an authentication module in your application to connect with the external identity provider. For detailed instructions, refer to the setup instructions for the identity management platform used by your organization.
Synchronize Users and Groups
YouTrack has two schemes for synchronizing user accounts.
The first scheme is applied during login.
Any time a user uses credentials from an external identity management platform, YouTrack synchronizes the user profile and group membership data with the information stored in the identity provider account. This synchronization is performed per user.
The second scheme is applied according to the schedule defined in the authentication module. This scheme applies to all users and groups.
If the Scheduled sync setting is enabled, you can choose from one of three predefined intervals:
Hourly
Every 3 hours
Daily at 9 AM
You can also launch the synchronization manually at any time by clicking the Sync now button in the header of the page for the authentication module connected to the identity provider.
If the setting is disabled, group memberships are still synchronized on a per-user basis during login.
The synchronization feature is only active when the authentication module is Enabled.
SCIM 2.0 Provisioning
YouTrack supports provisioning of users and groups from external identity providers using the SCIM 2.0 standard. SCIM provisioning lets your identity provider create, update, deactivate, and synchronize users and group memberships in YouTrack automatically. Changes are applied as they occur in the identity provider and do not require users to sign in again.
SCIM 2.0 provisioning is configured separately for each authentication module. Every authentication module has its own SCIM 2.0 endpoint and set of SCIM 2.0 tokens.
Provisioning applies only to users whose credentials are associated with the authentication module where SCIM 2.0 is configured.
If SCIM provisioning is supported for this authentication module, you can enable it on the SCIM 2.0 tab. When SCIM provisioning is enabled, YouTrack generates a unique SCIM 2.0 base URI for the authentication module. You must also create at least one SCIM 2.0 token that will be used to authenticate provisioning requests sent by the identity provider.
Specify both the SCIM 2.0 base URI and SCIM 2.0 token generated in YouTrack when configuring SCIM provisioning in your identity provider. The base URI identifies the provisioning endpoint, while the token authenticates provisioning requests sent by the identity provider.