The next step is to provision your users so you can efficiently onboard them into Miro. You will also configure your security settings to align with your company's requirements; security is a top priority at Miro. Explore Miro provisioning and security features below.
Relevant for: Enterprise plan
Decide which default license type users will have.
Users can edit, and are automatically upgraded to a Full license when they create a board, edit a shared board, are invited to edit a board, are granted board co-ownership, or are added to a project as an editor.
SSO and Domain control
Determine if you want to use SSO and/or Domain control. Learn more about the security settings below.
Miro's SAML-based single sign-on (or SSO) feature will provide end-users with access to the Miro application through an identity provider (IdP) of your choice.
With SSO enabled, you can use SCIM to provision users from your IdP, and you can use Just-in-Time provisioning. Here are the how-tos for the most popular identity platform solutions that provide a pre-configured Miro application link:
Check out the setup guidance.
Tip: To prevent a lockout, create a “break the glass user” with an email that has a domain outside of the domain listed in the SSO settings, like firstname.lastname@example.org. Otherwise, you can contact support, and they can disable SSO for the whole organization.
Domain control is a feature that gives customers more control over their Enterprise subscription by recognizing all Miro usage within the company domain, even if the usage occurs outside of their Enterprise Subscription.
See the image below to determine which Domain control setting you want to use.
Even if you don’t plan on using Domain control, setting it up and turning it to Off can be valuable for you to see how many users exist outside of the Enterprise to determine if you need to migrate any teams.
Domain verification is necessary to enable Domain control. Please make sure you set aside time to create a new TXT record in the DNS settings of each of your domains. Ensure you have access to the DNS records of all of these domains.
You can find more information on Domain control as well as learn how to set it up.
Decide how new users will join your subscription: via SCIM, Just-in-time provisioning, or manual invite.
SCIM lets you move the general access management of Miro to your Identity Provider (e.g., Okta or Azure AD). The main benefit is that IT can centrally manage access to multiple apps and tools from one place. If an employee leaves the company, you can deactivate that user and automatically revoke their access to all tools. To use SCIM, SSO must be enabled.
With SCIM, you can add new users in Miro and add them to a team, upgrade licenses, deactivate users, and add and modify other attributes.
- Azure AD
- SCIM API: Other IdPs are also supported, but not out of the box. They can use our SCIM API to set this up. Miro does not offer any support with setting this up.
Tip: Use the same name for your Miro team and your IdP group name. In order to sync groups, the group name and the Miro team name must be identical.
⚠️ If users are signing in via SSO and SCIM is turned on in Azure and Miro, they will also be provisioned via SCIM.
⚠️ Double-check that the checkbox for "Send email notifications to users provisioned by SCIM" is set the way you want.
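A pre-flight check for the group-name tip above, written as an added example (not Miro's or any IdP's own code). It assumes "identical" means exact string equality, and the near-miss heuristic (case, spacing, Unicode form) and the sample names are constructed for illustration.

```python
import unicodedata


def loose_key(name):
    """Reduce a name to what a reader sees: Unicode form, spacing and case folded."""
    return " ".join(unicodedata.normalize("NFKC", name).split()).casefold()


def audit_group_sync(idp_groups, miro_teams):
    """Classify each IdP group as an exact match, a near miss, or unmatched.

    Only names that are exactly equal count as a match (assumption: this is
    what "identical" means in the tip). A near miss is a team that looks the
    same to a reader but differs in case, spacing or Unicode form, which is
    the kind of mismatch that is easy to overlook before turning sync on.
    """
    teams = set(miro_teams)
    loose_index = {}
    for team in miro_teams:
        loose_index.setdefault(loose_key(team), []).append(team)

    report = {"exact": [], "near_miss": [], "unmatched": []}
    for group in idp_groups:
        if group in teams:
            report["exact"].append(group)
        elif loose_key(group) in loose_index:
            report["near_miss"].append((group, loose_index[loose_key(group)]))
        else:
            report["unmatched"].append(group)
    return report


# Constructed sample data: group names exported from the IdP and team names
# copied from Miro. "Security\u00a0Team" contains a non-breaking space.
IDP_GROUPS = ["Design", "Product Ops", "Security\u00a0Team", "Finance"]
MIRO_TEAMS = ["Design", "product ops", "Security Team", "Marketing"]

if __name__ == "__main__":
    result = audit_group_sync(IDP_GROUPS, MIRO_TEAMS)
    for group, candidates in result["near_miss"]:
        print(f"near miss: {group!r} looks like {candidates!r} but is not identical")
    for group in result["unmatched"]:
        print(f"no Miro team named {group!r}")
```

Rename the Miro team or the IdP group for every near miss before enabling group sync, and review unmatched groups to decide whether a team should exist for them.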
Just-in-Time (JIT) provisioning automatically adds all newly registered users from the listed domains to your Enterprise plan. If you’re a brand new user, JIT will automatically provision you to one default team in Miro. When a user logs in, they will be automatically assigned the default license type configured in your subscription and automatically added to the default team you've designated.
Learn how to set JIT up. Please note that SSO must be enabled first to use JIT.
⚠️ If your IT team has not approved the user in your IdP beforehand, the user will be locked out.
User access requests
You can define how Miro handles access requests from users within your company.
When a user wishes to upgrade a license, needs SSO support, or requires access to an organization or team, they send a request to their admin. Company admins can configure how these requests are received — whether they're sent to all admin emails, specific emails, the requestor is redirected to a service desk, or the request is automatically converted into a ServiceNow or Jira Service Management ticket. Company admins can customize how admins are notified based on each type of user request.
Learn how to set up request management.
Next step: set up company and team permissions