1 point by dnlh_lvg 14 hours ago | 1 comment
  • matrixgard 5 hours ago
    The SCIM provisioning piece is usually where it falls apart first. Even when both sides have Atlassian Access, the external org's IdP doesn't cleanly federate, so you end up with manually provisioned guest accounts that nobody deactivates when the contractor rolls off. Infosec says no to that, and they're right.

    The harder part in defense/aerospace is data residency and CUI handling. Jira Cloud will never be on the approved list for anything touching export-controlled data, so you're back to Data Center on-prem — and now you're asking a prime contractor to open VPN tunnels to a supplier's DC instance, which their network team will reject outright. The "let's just use email" fallback isn't laziness, it's often the path of least compliance resistance.

    What's the typical org size on the contractor side — are these large primes with mature IAM programs or mid-tier suppliers who barely have SSO themselves?