Automatic Account Management


Using a cloud identity provider is a straightforward way to enable automated account management in Workplace.

To enable this configuration, the following is required:

  • Your organization uses a cloud identity provider that integrates with Workplace
  • You have integrated your master identity store (e.g., Microsoft Active Directory or Oracle Directory Server) with the cloud identity provider to synchronize user accounts

To enable user account management via a cloud provider, you'll need to configure your cloud identity provider to synchronize user accounts to Workplace.

Using a cloud identity provider with Workplace involves these data flows:

  • You maintain your master identity store as people join and depart your organization.
  • An agent or plugin from the cloud identity provider synchronizes changes from your master identity store into a cloud replica.
  • Account changes are synchronized between your cloud identity provider and Workplace.

Configure Workplace for G Suite or Microsoft Azure AD

This type of configuration for automatic provisioning does not currently support filtering. If you need to filter which accounts are created in Workplace from your identity provider, please follow the instructions in the Configure an Identity Provider for Workplace section.

Automatic account management with G Suite or Microsoft Azure AD is easy to set up with the following steps:

  1. Navigate to the Setup tab in the Admin Panel.
  2. Choose to Connect G Suite or Connect Microsoft Azure AD.
  3. Follow the instructions in the popup window to grant permission for your identity provider to manage accounts in Workplace.

Configure an Identity Provider for Workplace

Workplace offers integrations to manage user accounts with supported cloud identity providers. These providers have built integrations with the Account Management API to provision, update and deactivate user accounts on your behalf.
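
The provision, update and deactivate decisions described above can be sketched as a reconciliation between two account snapshots. This is an added example, not code from Workplace or any identity provider: the function name plan_sync, the field names (userName, displayName, active) and all sample accounts are assumptions constructed for illustration, and no API calls are made.

```python
# Added example: plans the provision / update / deactivate operations an
# identity provider integration would need to send. All data is constructed.

def _key(user):
    # Assumption: accounts are matched on userName, case-insensitively.
    return user["userName"].strip().lower()

def plan_sync(idp_users, workplace_users):
    """Return a list of (operation, userName, payload) tuples."""
    idp = {_key(u): u for u in idp_users}
    wp = {_key(u): u for u in workplace_users}
    plan = []
    for key, src in sorted(idp.items()):
        desired = {"userName": src["userName"],
                   "displayName": src["displayName"],
                   "active": src.get("active", True)}
        current = wp.get(key)
        if current is None:
            if desired["active"]:  # never provision an already-disabled account
                plan.append(("provision", key, desired))
            continue
        # Only send the attributes that actually differ.
        changed = {f: v for f, v in desired.items()
                   if f != "userName" and current.get(f) != v}
        if changed:
            op = "deactivate" if changed.get("active") is False else "update"
            plan.append((op, key, changed))
    # Accounts that no longer exist in the identity provider are leavers:
    # deactivate them instead of leaving them usable.
    for key, current in sorted(wp.items()):
        if key not in idp and current.get("active", True):
            plan.append(("deactivate", key, {"active": False}))
    return plan

# Constructed sample snapshots.
IDP = [
    {"userName": "alice@example.com", "displayName": "Alice Ng"},
    {"userName": "bob@example.com", "displayName": "Bob Roy", "active": False},
    {"userName": "Carol@Example.com", "displayName": "Carol Diaz-Lee"},
    {"userName": "erin@example.com", "displayName": "Erin Wu", "active": False},
]
WORKPLACE = [
    {"userName": "bob@example.com", "displayName": "Bob Roy", "active": True},
    {"userName": "carol@example.com", "displayName": "Carol Diaz", "active": True},
    {"userName": "dave@example.com", "displayName": "Dave Kim", "active": True},
    {"userName": "frank@example.com", "displayName": "Frank Li", "active": False},
]

if __name__ == "__main__":
    for step in plan_sync(IDP, WORKPLACE):
        print(step)
```

Reviewing the planned deactivations against your leaver records is a useful check that departed users lose access once the synchronization runs.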

Create Application with the Manage Accounts permission

Follow the steps here as a system administrator to create a custom integration app to provision user accounts. These steps will provide you with the following values:

  • Access Token: The access token that allows an application to manage accounts.
  • SCIM URL: The API endpoint that a cloud application will use to manage accounts.
  • Community ID: The ID of your organization, which allows a cloud application to differentiate between Workplace instances. You can retrieve your community ID from the Graph API, by making an HTTP GET request to with a valid app access token.
Note: The access token is presented only once, just after the application is created. You can always generate a new access token by editing the app and clicking the "Reset Token" button.

Configure your Cloud Identity Provider

Configure your IdP using the values obtained above. Specific guides for supported IdPs can be found below.

G Suite (formerly Google Apps)

Microsoft Azure AD

Okta Cloud

OneLogin Cloud Directory Service

Ping Identity