Leverage Microsoft Entra ID to provision, deprovision, and manage user profiles in your Smartsheet plan.
USM Content
Overview
All new users provisioned through Entra ID have Viewer permissions with the ability to take a qualifying action and become Provisional Members upon creation. The only exception to this rule is the System Admin role, which you can provision as non-Member (Viewer). Additionally, you can only upgrade or downgrade existing users through the Seat types and true-up page in Admin Center.
Provisional Members have the same access to features as regular Members, but only for a limited time. Learn more about Provisional Members.
Prerequisites
System Admins and an IT Administrator can set up Active Directory with Smartsheet. As long as they're also Entra ID administrators, System Admins can manage users (provision, de-provision, change user profile information, and roles) through Active Directory.
- Contact your Smartsheet account representative or Smartsheet Support to enable this capability for your organization’s plan.
- Take the Entra ID and Smartsheet Integration online training.
Connect Entra ID with Smartsheet
Use this SCIM URL to configure Entra ID integration: https://scim.smartsheet.com/v2/
EU accounts should use this one instead: https://scim.smartsheet.eu/v2/
- Sign in to Smartsheet with System Admin credentials.
- In Smartsheet, generate an API token under Account > Apps and Integrations > API Access > Generate new access token. The token generated runs with your credentials—this is a password to your account. Treat it as such.
- In Entra ID, work with your IT administrator to enable the Smartsheet gallery tile with the application ID 3290e3f7-d3ac-4165-bcef-cf4874fc4270.
Configure user provisioning and deprovisioning to Smartsheet
Refer to the following resources to learn how to configure the Entra ID provisioning service. This setup enables you to create, update, and deactivate users and groups in Smartsheet according to their assignments within your directory:
- Configure automatic user provisioning for Smartsheet in Entra ID
- Information about the Entra ID service, its functions, and common inquiries
Deprovisioned users get deactivated. Deactivated users can't sign in to Smartsheet and are no longer assigned a Member designation, and that Member designation is available for you to reassign.
If you wish to delete their Smartsheet account:
- Deactivate the Entra ID integration with Smartsheet.
- Manually remove the user in Admin Center.
About existing groups in Entra ID or Smartsheet
The Entra ID provisioning service only updates users you assign to the Smartsheet app. Assign users by including them in specified role-mapped Entra ID groups.
- If you don't add users to any Smartsheet role groups in Entra ID, they aren't updated or affected within the Smartsheet app.
- If you assign users to a Smartsheet role group in Entra ID, but they get provisioned into Smartsheet as a result, and later removed from that group, they're deactivated during the next provisioning cycle.
- If a Smartsheet user has an account in Entra ID but isn’t assigned to any Entra ID groups mapped to Smartsheet roles, Entra ID ignores the user during provisioning.
User list report
To download your current user list:
- In Admin Center, select the Menu icon in the top-left corner.
- Navigate to Users and Groups > User Roles and Reports.
- Select More Actions > User List. See Admin Center: Access additional user controls for more info. Use this list to assign users the correct roles in Entra ID. This ensures all users are provisioned to your account when logging in to Smartsheet for the first time.
In this report, you can find the following fields:
- Name
- Status
- Division
- Department
- Cost Center
Division, Department, and Cost Center data populate through your Active Directory service. If data exists for these fields, it shows in the User List report. If data doesn't exist from the Directory Service, the fields are blank in the User List report.
The data in the report should automatically sync with the Directory Service, although the Directory Service determines the exact refresh rate.
Keep this in mind
After the setup, be careful when making significant changes, such as manual or scripted bulk modifications. Improperly prepared scripts may cause unintentional deprovisioning when used with the Entra ID Integration. If you have questions or require further assistance with making significant changes, contact Support.
LCM Content
Overview
Smartsheet allows you to provision users as unlicensed without assigning them specific roles. Any new unlicensed user provisioned through Entra ID doesn't appear in Smartsheet's Admin Center until they sign in for the first time or are added to a Smartsheet group.
Prerequisites
System Admins and an IT Administrator can set up Active Directory with Smartsheet. As long as they're also Entra ID administrators, System Admins can manage users (provision, de-provision, change user profile information, and roles) through Active Directory.
- Contact your Smartsheet account representative or Smartsheet Support to enable this capability for your organization’s plan.
- Take the Entra ID and Smartsheet Integration online training.
Connect Entra ID with Smartsheet
Use this SCIM URL to configure Entra ID integration: https://scim.smartsheet.com/v2/
EU accounts should use this one instead: https://scim.smartsheet.eu/v2/
- Sign in to Smartsheet with System Admin credentials.
- In Smartsheet, generate an API token under Account > Apps and Integrations > API Access > Generate new access token. The token generated runs with your credentials—this is a password to your account. Treat it as such.
- In Entra ID work with your IT administrator to enable the Smartsheet gallery tile with the application ID 3290e3f7-d3ac-4165-bcef-cf4874fc4270.
Configure user provisioning and deprovisioning to Smartsheet
Refer to the following resources to learn how to configure the Entra ID provisioning service. This setup enables you to create, update, and deactivate users and groups in Smartsheet according to their assignments within your directory:
- Configure automatic user provisioning for Smartsheet in Entra ID
- Information about the Entra ID service, its functions, and common inquiries
De-provisioned users are deactivated. Deactivated users can't sign in to Smartsheet and no longer have a license assigned, but you can reassign it if needed.
If you wish to delete their Smartsheet account:
- Deactivate the Entra ID integration with Smartsheet.
- Manually remove the user in Admin Center.
About existing groups in Entra ID or Smartsheet
The Entra ID provisioning service only updates users who are assigned to the Smartsheet app. Users are assigned by being included in specified role-mapped Entra ID groups.
- If you don't add users to any Smartsheet role groups in Entra ID, they aren't updated or affected within the Smartsheet app.
- If you assign users to a Smartsheet role group in Entra ID, provision them into Smartsheet as a result, and later remove them from that group, they’re deactivated during the next provisioning cycle.
- If a Smartsheet user has an account in Entra ID but isn’t assigned to any Entra ID groups mapped to Smartsheet roles, Entra ID ignores the user during provisioning.
User list report
To download your current user list:
- In Admin Center, select the Menu icon in the top-left corner.
- Navigate to Users and Groups > User Roles and Reports.
- Select More Actions > User List. See Admin Center: Access additional user controls for more info. Use this list to assign users the correct roles in Entra ID This ensures all users are provisioned to your account when logging in to Smartsheet for the first time.
In this report, you can find the following fields:
- Name
- Status
- Division
- Department
- Cost Center
Division, Department, and Cost Center data are populated through your Active Directory service. If data exists for these fields, it shows in the User List report. If data doesn't exist from the Directory Service, the fields in the User List report are blank.
The data in the report should automatically sync with the Directory Service, although the Directory Service determines the exact refresh rate.
Keep this in mind
After the setup, be careful when making significant changes, such as manual or scripted bulk modifications. Improperly prepared scripts may cause unintentional deprovisioning when used with the Entra ID Integration. If you have questions or require further assistance with making significant changes, contact Support.