Available for: Enterprise plan
Set up by: Company-level admin
The guide provides steps to configure provisioning for Miro Enterprise accounts. For general information about the Miro SCIM feature please see here.
The Miro SCIM API is used by SSO partners to help provision, manage users and teams (groups). SAML based SSO must be properly set up and be functional in your Miro Enterprise account before you start configuring automated provisioning. The instructions on how to set up SSO can be found here.
When calling the SCIM API, you will need to provide an API Token. Take the token from your account Security settings or request the token from your Customer Success Manager at Miro.
Adding Enterprise Application to Azure
- Choose Enterprise applications on the left panel of Azure admin center (if you do not see the Enterprise applications item, choose Azure Active Directory first, then locate the Enterprise applications item on the side panel):
- Find the All applications section and choose the New application option:
- In the Add your own app section choose Non-gallery application and provide a name for the new app. We suggest using Miro SCIM Provisioner to make the app easily recognizable:
- Click Add in the bottom right corner of the page.
Setting up Provisioning
Once the application is created, you will see its settings:
- Choose the Provisioning item on the left panel and then change Provisioning Mode from Manual to Automatic:
- Provide Admin Credentials:
- Use https://miro.com/api/v1/scim/ as Tenant URL
- Provide the Secret Token you received from Miro team.
- Click Test Connection button right below the Secret Key edit box.
If the connection passes the test, you will get the following notification:
If there is no confirmation, double-check the Tenant URL and make sure that it is not blocked by firewalls and any other traffic interceptors inside your network, as well as make sure the API Token is correct.
- Save the configuration:
Miro SCIM API makes use of a part of metadata Azure AD attaches to users and groups. This sections explains required mappings between Miro SCIM API and Azure AD attributes.
- Choose the Provisioning tab on the left side, then click Synchronize Azure Active Directory Users to customappsso:
- Default mappings are expected to be enough. However, double-check that synchronization is enabled for users and all required methods (Create, Update, Delete) are ON:
|Azure AD attribute||Attribute|
|emails[type eq "work"].value|
- Choose the Provisioning tab on the left, then click Synchronize Azure Active Directory Groups to customappsso:
- Default mappings are expected to be enough. Check that synchronization is enabled for groups and uncheck Create and Delete methods - note that Miro SCIM API does not support creating and deleting teams:
- Click Save.
User and Group Assignments
Miro SCIM Provisioning can help you to provision and de-provision users to your Enterprise account, as well as to automatically distribute them across teams. Users or Groups from Azure Active Directory should be assigned to Miro SCIM Provisioner application to be automatically managed in Miro. To assign users and groups to the application, follow the steps below.
We recommend provision users through assigning groups. In that case, when user is removed from all assigned groups in Azure AD, the same user will be removed from all teams in Miro. To deactivate a user in your Enterprise account, deactivate them in Azure AD, which will send a corresponding request to Miro. To delete a user from Miro, use the Active Users page in Miro.
- Choose Provisioning tab on the left. In the Settings section make sure the scope is set to the one you expect to be synced with Miro. We suggest using "Sync only assigned users and groups".
- Choose User and groups tabs on the left panel, then click Add user:
- On the Add assignment screen, choose Users and groups tab, then select users and groups from the list:
- Click Select, then Assign buttons.
- Assigned users and groups will appear in the list:
Enabling and disabling provisioning
When the initial set up is complete, change the Provisioning Status to enable the provisioning.
- Choose Provisioning tab on the left again and click On at the bottom of the page
- Click Save. This will start the initial provisioning that might take some time. Go back in about 20 minutes and check the bottom of the page for the status.
Whenever needed, choose the Off option to disable the provisioning.