Articles in this section

Admin Deployment Guide. Part 2: User provisioning and security

Vlada
  • Updated

The next step is to provision your users so you can efficiently onboard them into Miro. You will also configure your security settings in a way that aligns with your company - security is a top priority at Miro. Explore Miro provisioning and security features below.

Relevant for: Enterprise plan

License types

Decide which default license type users will have.
License type
  
FLP
  
Non-FLP





Free






  
Users can perform edit actions and automatically convert themselves to a Full license.
If a user is invited by another member to edit a board in the account, the license will be converted to Full.
Admins and users will not receive a notification when their license is converted to Full.
  




Users can only view or comment.



Free
Restricted




  
Admins can set this license type as the default. Users can request edit access / Full licenses from the company admin.
If you choose this default license, Admins should expect a higher volume of license requests.
  



These licenses can only be assigned when joining an organization without any available Full licenses.
Learn more about Flexible Licensing Program.

 

SSO and Domain control

Determine if you want to use SSO and/or Domain control. Learn more about the security settings below.

SSO

Miro's SAML-based single sign-on (or SSO) feature will provide end-users with access to the Miro application through an identity provider (IdP) of your choice.
By utilizing SSO, you will be able to use SCIM to provision users from your IdP and Just-In-Time provisioning. Here are the how-tos for the most popular identity platform solutions that provide a pre-configured Miro application link:

Check out the setup guidance.
Tip: To prevent a lockout, create a “break the glass user” with an email that has a domain outside of the domain listed in the SSO settings, like acmebreaktheglass@gmail.com. Otherwise, you can contact support, and they can disable SSO for the whole organization.

Domain control

Domain control is a feature that gives customers more control over their Enterprise subscription by recognizing all Miro usage within the company domain, even if the usage occurs outside of their Enterprise Subscription.

See the image below to determine which Domain control setting you want to use (Off, Auto Capture, or Full Control).domain_control_setup.png

Even if you don’t plan on using Domain control, setting it up and turning it to Off can be valuable for you to see how many users exist outside of the Enterprise to determine if you need to migrate any accounts.

Domain verification is necessary to enable Domain control. Please make sure you set aside time to create a new TXT record in each of your domain's DNS settings. Ensure you have access to all of these domain DNS records. 

You can find more information on Domain control as well as learn how to set it up.

 

User provisioning

Decide how new users will join your account: via SCIM, Just-in-time provisioning, or manual invite.

SCIM

SCIM lets you move the general access management of Miro to your Identity Provider (e.g., OKTA or Azure AD). The main benefit is that IT can centrally manage access to multiple apps and tools from one place. If an employee leaves the company, you can deactivate that user and automatically revoke their access to all tools. To use SCIM, SSO must be enabled.

With SCIM, you can add new users in Miro and add them to a team, upgrade licenses, deactivate users, and add and modify other attributes.

Setup instructions:

  • Azure AD
  • OKTA
  • OneLogin
  • SCIM API - Other IdPs are also supported, but not out of the box. They can use our SCIM API to set this up. Miro does not offer any support with setting this up
Tip: Use the same names for the Miro teams as your group names in the IdP to prevent further configuration. In order to sync groups, the group must already exist as a team in Miro.
⚠️ If users are signing in via SSO and SCIM is turned on in Azure, they will also be provisioned via SCIM.
⚠️ Double check that the checkbox for "Send email notifications to users provisioned by SCIM" is set how you would like.

Just-in-Time

Just-in-Time (JIT) provisioning automatically adds all newly registered users from the listed domains to your Enterprise account. If you’re a brand new user without a Miro account, JIT will automatically provision a user to one default team in Miro. When a user logs in, they will be automatically assigned the default license type configured in your subscription and automatically added to the default team you've designated.

Learn how to set JIT up. Please note that SSO must be enabled first to use JIT.

⚠️ If your IT team has not approved the user in your IdP beforehand, the user will be locked out.

 

User access requests

You can define how Miro handles account access requests from users within your company.

Request management

Enterprise plan Company Admins can take advantage of the request management feature and optimize the process of giving permissions to users from their company in certain cases. When a new user needs to get access to a Miro team or upgrade a license, they send a request to promote their access. Company Admins can configure the way the Admins will be notified of the request — whether to send a notification to admins or specific emails, redirect the requester to a service desk, or automatically convert their request into a ServiceNow or Jira Service Management ticket.

request_management_settings.png

See how to set up request management.

 

Donwload the checklist
Next step: set up company and team permissions
Was this article helpful?
Yes, thanks Not really
Sorry about that! Why wasn't the article helpful?
If you would like to get a reply from the Miro Support team, please create a ticket here
Thank you for your feedback!
Error! Please try later...
Return to top

Related articles