Deutsch Español Français 日本語 Português do Brasil

Articles in this section

Admin Deployment Guide. Part 2: User provisioning and security

Vlada
  • Updated

The next step is to provision your users so you can efficiently onboard them into Miro. You will also configure your security settings in a way that aligns with your company - security is a top priority at Miro. Explore Miro provisioning and security features below.

Relevant for: Enterprise plan

License types

Decide which default license type users will have. 
License type
  
Flexible Licensing Program
  
Non-flexile licensing






Free






  
Users can edit, and are automatically upgraded to a Full license when creating a board, editing a shared board, invited to edit a board, granted board co-ownership, or added to a project as editor.

Admins and users will not receive a notification when their license is converted to Full.
  





Users can only view or comment.






Free
Restricted





  

Users can view and comment, and license upgrade requests are sent to the Admin when a user tries to create a board or project, tries to edit a shared board, is invited to edit a board, or is assigned board ownership.


If you choose this default license, admins should expect a higher volume of license requests.
  





These licenses can only be assigned when all Full licenses are used.

 

SSO and Domain control

Determine if you want to use SSO and/or Domain control. Learn more about the security settings below.

SSO

Miro's SAML-based single sign-on (or SSO) feature will provide end-users with access to the Miro application through an identity provider (IdP) of your choice.
By utilizing SSO, you will be able to use SCIM to provision users from your IdP and Just-In-Time provisioning. Here are the how-tos for the most popular identity platform solutions that provide a pre-configured Miro application link:

Check out the setup guidance.
Tip: To prevent a lockout, create a “break the glass user” with an email that has a domain outside of the domain listed in the SSO settings, like acmebreaktheglass@gmail.com. Otherwise, you can contact support, and they can disable SSO for the whole organization.

Domain control

Domain control is a feature that gives customers more control over their Enterprise subscription by recognizing all Miro usage within the company domain, even if the usage occurs outside of their Enterprise Subscription.

See the image below to determine which Domain control setting you want to use.

Even if you don’t plan on using Domain control, setting it up and turning it to Off can be valuable for you to see how many users exist outside of the Enterprise to determine if you need to migrate any teams.

Domain verification is necessary to enable Domain control. Please make sure you set aside time to create a new TXT record in each of your domain's DNS settings. Ensure you have access to all of these domain DNS records. 

You can find more information on Domain control as well as learn how to set it up.

Domain-Control-admin-deployment-guide.jpg

User provisioning

Decide how new users will join your subscription: via SCIM, Just-in-time provisioning, or manual invite.

SCIM

SCIM lets you move the general access management of Miro to your Identity Provider (e.g., OKTA or Azure AD). The main benefit is that IT can centrally manage access to multiple apps and tools from one place. If an employee leaves the company, you can deactivate that user and automatically revoke their access to all tools. To use SCIM, SSO must be enabled.

With SCIM, you can add new users in Miro and add them to a team, upgrade licenses, deactivate users, and add and modify other attributes.

Setup instructions:

  • Azure AD
  • OKTA
  • OneLogin
  • SCIM API - Other IdPs are also supported, but not out of the box. They can use our SCIM API to set this up. Miro does not offer any support with setting this up
Tip: Use the same name for your Miro team and your IdP group name. In order to sync groups, the group name and the Miro team name must be identical.
⚠️ If users are signing in via SSO and SCIM is turned on in Azure and Miro, they will also be provisioned via SCIM. 
⚠️ Double check that the checkbox for "Send email notifications to users provisioned by SCIM" is set how you would like.

Just-in-Time

Just-in-Time (JIT) provisioning automatically adds all newly registered users from the listed domains to your Enterprise plan. If you’re a brand new user, JIT will automatically provision you to one default team in Miro. When a user logs in, they will be automatically assigned the default license type configured in your subscription and automatically added to the default team you've designated.

Learn how to set JIT up. Please note that SSO must be enabled first to use JIT.

⚠️ If your IT team has not approved the user in your IdP beforehand, the user will be locked out.

 

User access requests

You can define how Miro handles access requests from users within your company.

Request management

When a user wishes to upgrade a license, needs SSO support, or requires access to an organization or team, they send a request to their admin. Company admins can configure how these requests are received — whether they're sent to all admin emails, specific emails, the requestor is redirected to a service desk, or the request is automatically converted into a ServiceNow or Jira Service Management ticket. Company admins can customize how admins are notified based on each type of user request. 

Learn how to set up request management.

Request_management.png

Donwload the checklist
Next step: set up company and team permissions
Was this article helpful?
Yes, thanks Not really
Sorry about that! Why wasn't the article helpful?
If you would like to get a reply from the Miro Support team, please create a ticket here
Thank you for your feedback!
Error! Please try later...
Return to top

Related articles