The next step is to provision your users so you can efficiently onboard them into Miro. You will also configure your security settings in a way that aligns with your company - security is a top priority at Miro. Explore Miro provisioning and security features below.
Relevant for: Enterprise plan
License types
Decide which default license type users will have.
License type |
FLP |
Non-FLP |
||
|
Users can perform edit actions and automatically convert themselves to a Full license. |
|
|
Admins can set this license type as the default. Users can request edit access / Full licenses from the company admin. |
|
Learn more about Flexible Licensing Program.
SSO and Domain control
Determine if you want to use SSO and/or Domain control. Learn more about the security settings below.
SSO
Miro's SAML-based single sign-on (or SSO) feature will provide end-users with access to the Miro application through an identity provider (IdP) of your choice.
By utilizing SSO, you will be able to use SCIM to provision users from your IdP and Just-In-Time provisioning. Here are the how-tos for the most popular identity platform solutions that provide a pre-configured Miro application link:
Check out the setup guidance.
Tip: To prevent a lockout, create a “break the glass user” with an email that has a domain outside of the domain listed in the SSO settings, like acmebreaktheglass@gmail.com. Otherwise, you can contact support, and they can disable SSO for the whole organization.
Domain control
Domain control is a feature that gives customers more control over their Enterprise subscription by recognizing all Miro usage within the company domain, even if the usage occurs outside of their Enterprise Subscription.
See the image below to determine which Domain control setting you want to use (Off, Auto Capture, or Full Control).
Even if you don’t plan on using Domain control, setting it up and turning it to Off can be valuable for you to see how many users exist outside of the Enterprise to determine if you need to migrate any teams.
Domain verification is necessary to enable Domain control. Please make sure you set aside time to create a new TXT record in each of your domain's DNS settings. Ensure you have access to all of these domain DNS records.
You can find more information on Domain control as well as learn how to set it up.
User provisioning
Decide how new users will join your subscription: via SCIM, Just-in-time provisioning, or manual invite.
SCIM
SCIM lets you move the general access management of Miro to your Identity Provider (e.g., OKTA or Azure AD). The main benefit is that IT can centrally manage access to multiple apps and tools from one place. If an employee leaves the company, you can deactivate that user and automatically revoke their access to all tools. To use SCIM, SSO must be enabled.
With SCIM, you can add new users in Miro and add them to a team, upgrade licenses, deactivate users, and add and modify other attributes.
Setup instructions:
- Azure AD
- OKTA
- OneLogin
- SCIM API - Other IdPs are also supported, but not out of the box. They can use our SCIM API to set this up. Miro does not offer any support with setting this up
Tip: Use the same names for the Miro teams as your group names in the IdP to prevent further configuration. In order to sync groups, the group must already exist as a team in Miro.
⚠️ If users are signing in via SSO and SCIM is turned on in Azure, they will also be provisioned via SCIM.
⚠️ Double check that the checkbox for "Send email notifications to users provisioned by SCIM" is set how you would like.
Just-in-Time
Just-in-Time (JIT) provisioning automatically adds all newly registered users from the listed domains to your Enterprise plan. If you’re a brand new user, JIT will automatically provision you to one default team in Miro. When a user logs in, they will be automatically assigned the default license type configured in your subscription and automatically added to the default team you've designated.
Learn how to set JIT up. Please note that SSO must be enabled first to use JIT.
⚠️ If your IT team has not approved the user in your IdP beforehand, the user will be locked out.
User access requests
You can define how Miro handles access requests from users within your company.
Request management
Enterprise plan Company Admins can take advantage of the request management feature and optimize the process of giving permissions to users from their company in certain cases. When a new user needs to get access to a Miro team or upgrade a license, they send a request to promote their access. Company Admins can configure the way the Admins will be notified of the request — whether to send a notification to admins or specific emails, redirect the requester to a service desk, or automatically convert their request into a ServiceNow or Jira Service Management ticket.
See how to set up request management.
Donwload the checklist
Next step: set up company and team permissions