Leverage Microsoft Entra ID to provision, deprovision, and manage user profiles in your Smartsheet plan.
USM Content
With the Smartsheet - Entra ID Integration, you can manage user roles and access based on updates made in your Entra ID active directory environment.
Systems Admins can provision, deactivate, and manage the profile data of Smartsheet users through Entra ID’s active directory service. The integration allows you to provision and deactivate users through a central user directory and ensures they can no longer access company data in Smartsheet once they leave the organization.
How it works
Directory Integration (DI) uses Entra ID as the source of truth for seat management. Once enabled, Smartsheet automatically assigns and updates seat types based on the Entra ID groups your users belong to, reducing the need for manual updates in Admin Center.
Here's what happens during a sync:
- Seat assignment by group: Users receive a seat type based on their Entra ID group membership. Members of a licensed group (such as Smartsheet Licensed User) receive a Member seat, while users assigned the Smartsheet app but not placed in a specific group default to a Viewer seat.
- Automatic upgrades and downgrades: When a user moves between Entra ID groups, their seat type updates automatically during the next sync. No manual intervention is necessary.
- Privileged group takes precedence: If a user belongs to multiple groups with different roles, DI assigns the most privileged seat type.
- Provisional Members: DI upgrades Provisional Members as needed, but doesn't automatically downgrade them. System Admins must handle downgrades manually in Admin Center—or, if your plan is set to auto-downgrade, the change happens at the end of the review period. Learn more about Provisional Member settings.
- Deactivation: When a user is removed from Entra ID or unassigned from the Smartsheet app, they're automatically deactivated in Smartsheet on the next sync.
To reactivate a deactivated user, a System Admin must temporarily turn off DI, reactivate the user, and then re-enable DI.
Once DI is active, it overrides any manual seat changes made by System Admins in Admin Center during the next sync. It’s recommended to turn off the auto-upgrade setting in Smartsheet to avoid conflicts with IdP-driven workflows.
Provisional Members have the same access to features as regular Members, but only for a limited time. Learn more about Smartsheet’s user model and provisional membership.
Prerequisites
System Admins and an IT Administrator can set up Active Directory with Smartsheet. As long as they're also Entra ID administrators, System Admins can manage users (provision, de-provision, change user profile information, and roles) through Active Directory.
- Contact your Smartsheet account representative or Smartsheet Support to enable this capability for your organization’s plan.
- Take the Entra ID and Smartsheet Integration online training.
Connect Entra ID with Smartsheet
Use this SCIM URL to configure Entra ID integration:
- US accounts: https://scim.smartsheet.com/v2/
- EU accounts: https://scim.smartsheet.eu/v2/
- AU accounts: https://scim.smartsheet.au/v2/
- Sign in to Smartsheet with System Admin credentials.
- In Smartsheet, generate an API token under Account > Apps and Integrations > API Access > Generate new access token. The token generated runs with your credentials—this is a password to your account. Treat it as such.
- In Entra ID, work with your IT administrator to enable the Smartsheet gallery tile with the application ID 3290e3f7-d3ac-4165-bcef-cf4874fc4270.
Configure user provisioning and deprovisioning to Smartsheet
Refer to the following resources to learn how to configure the Entra ID provisioning service. This setup enables you to create, update, and deactivate users and groups in Smartsheet according to their assignments within your directory:
- Configure automatic user provisioning for Smartsheet in Entra ID
- Information about the Entra ID service, its functions, and common inquiries
Deprovisioned users get deactivated. Deactivated users can't sign in to Smartsheet and are no longer assigned a Member designation, and that Member designation is available for you to reassign.
If you wish to remove a user from your Smartsheet plan:
- Deactivate the Entra ID integration with Smartsheet.
- Manually remove the user in Admin Center.
To reactivate their account:
- Temporarily turn off the Entra ID integration with Smartsheet.
- Manually reactivate the user in Admin Center.
About existing groups in Entra ID or Smartsheet
The Entra ID provisioning service only updates users you assign to the Smartsheet app. Assign users by including them in specified role-mapped Entra ID groups.
- If you don't add users to any Smartsheet role groups in Entra ID, they aren't updated or affected within the Smartsheet app and receive a Viewer seat type.
- If you assign users to a Smartsheet role group in Entra ID, they get provisioned into Smartsheet. If they get later removed from that group, their seat type updates on the next sync according to the remaining group assignments (if any).
- When an Admin removes a user from the Entra ID directory or unassigns the Smartsheet app in Entra ID, the user gets automatically deactivated in Smartsheet on the next sync.
- If a Smartsheet user has an account in Entra ID but isn’t assigned to the Smartsheet app or any Entra ID groups mapped to Smartsheet roles, Entra ID ignores the user during provisioning.
In Smartsheet’s item ownership model, plans take ownership of items rather than individual users. This means Smartsheet doesn’t transfer the items from a deprovisioned user to an escrow account because the user remains active on the plan. However, doing so is still recommended as a precautionary measure.
How seat type assignment works
Seat types are automatically assigned based on Entra ID group membership. The table below shows how each group maps to a seat type in Smartsheet.
| Smartsheet roles | Mapping values | Variable names (preferred) | Resulting seat type |
|---|---|---|---|
| Smartsheet User | SMARTSHEET_USER | smartsheetUser | Viewer |
| Smartsheet Licensed User | LICENSED_USER | smartsheetLicensedUser | Member |
| Smartsheet Group Admin | GROUP_ADMIN | smartsheetGroupAdmin | Member |
| Smartsheet Resource Viewer | RESOURCE_VIEWER | smartsheetResourceViewer | Member |
| Smartsheet System Admin | USER_ADMIN, PAYMENT_ADMIN, DATA_ADMIN | smartsheetSystemAdmin | Viewer |
Supported seat type changes via group mappings
Directory Integration handles the following transitions automatically:
| From | To |
|---|---|
| Viewer | Member |
| Provisional Member | Member |
| Member | Viewer |
- If a Viewer enters a Provisional Member state and then gets added to a Member-level group in DI, they automatically upgrade to a Member seat.
- If a Viewer enters a Provisional Member state but hasn't been added to a Member Seat Type IdP group, they remain in that state until either the Admin Approval Setting downgrades them or a System Admin manually changes their seat type in Admin Center.
Unsupported seat type changes via group mappings
Directory Integration doesn't handle the following transitions. Find out where you should perform them:
| From | To | Where to act |
|---|---|---|
| Provisional Member | Viewer | Admin Center |
| Viewer | No Access | Admin Center |
| Viewer | Provisional Member | System-triggered only |
| Provisional Member | No Access | Admin Center |
| Member | No Access | Admin Center |
- Downgrading from Member to Provisional Member isn't supported directly in Admin Center or in DI.
- Deactivation is still supported by removing or deactivating the user profile in Entra ID.
- You must manage Guests entirely in Admin Center, as they don't exist in your IdP.
User list report
To download your current user list:
- In Admin Center, select the Menu icon in the top-left corner.
- Navigate to Users and Groups > User Roles and Reports.
- Select More Actions > User List. See Admin Center: Access additional user controls for more info. Use this list to assign users the correct roles in Entra ID. This ensures all users are provisioned to your account when logging in to Smartsheet for the first time.
In this report, you can find the following fields:
- Name
- Status
- Division
- Department
- Cost Center
Division, Department, and Cost Center data populate through your Active Directory service. If data exists for these fields, it shows in the User List report. If data doesn't exist from the Directory Service, the fields are blank in the User List report.
The data in the report should automatically sync with the Directory Service, although the Directory Service determines the exact refresh rate.
Keep this in mind
After the setup, be careful when making significant changes, such as manual or scripted bulk modifications. Improperly prepared scripts may cause unintentional deprovisioning when used with the Entra ID Integration. If you have questions or require further assistance with making significant changes, contact Support.
LCM Content
Overview
Smartsheet allows you to provision users as unlicensed without assigning them specific roles. Any new unlicensed user provisioned through Entra ID doesn't appear in Smartsheet's Admin Center until they sign in for the first time or are added to a Smartsheet group.
Prerequisites
System Admins and an IT Administrator can set up Active Directory with Smartsheet. As long as they're also Entra ID administrators, System Admins can manage users (provision, de-provision, change user profile information, and roles) through Active Directory.
- Contact your Smartsheet account representative or Smartsheet Support to enable this capability for your organization’s plan.
- Take the Entra ID and Smartsheet Integration online training.
Connect Entra ID with Smartsheet
Use this SCIM URL to configure Entra ID integration: https://scim.smartsheet.com/v2/
EU accounts should use this one instead: https://scim.smartsheet.eu/v2/
- Sign in to Smartsheet with System Admin credentials.
- In Smartsheet, generate an API token under Account > Apps and Integrations > API Access > Generate new access token. The token generated runs with your credentials—this is a password to your account. Treat it as such.
- In Entra ID work with your IT administrator to enable the Smartsheet gallery tile with the application ID 3290e3f7-d3ac-4165-bcef-cf4874fc4270.
Configure user provisioning and deprovisioning to Smartsheet
Refer to the following resources to learn how to configure the Entra ID provisioning service. This setup enables you to create, update, and deactivate users and groups in Smartsheet according to their assignments within your directory:
- Configure automatic user provisioning for Smartsheet in Entra ID
- Information about the Entra ID service, its functions, and common inquiries
De-provisioned users are deactivated. Deactivated users can't sign in to Smartsheet and no longer have a license assigned, but you can reassign it if needed.
If you wish to delete their Smartsheet account:
- Deactivate the Entra ID integration with Smartsheet.
- Manually remove the user in Admin Center.
About existing groups in Entra ID or Smartsheet
The Entra ID provisioning service only updates users who are assigned to the Smartsheet app. Users are assigned by being included in specified role-mapped Entra ID groups.
- If you don't add users to any Smartsheet role groups in Entra ID, they aren't updated or affected within the Smartsheet app.
- If you assign users to a Smartsheet role group in Entra ID, provision them into Smartsheet as a result, and later remove them from that group, they’re deactivated during the next provisioning cycle.
- If a Smartsheet user has an account in Entra ID but isn’t assigned to any Entra ID groups mapped to Smartsheet roles, Entra ID ignores the user during provisioning.
User list report
To download your current user list:
- In Admin Center, select the Menu icon in the top-left corner.
- Navigate to Users and Groups > User Roles and Reports.
- Select More Actions > User List. See Admin Center: Access additional user controls for more info. Use this list to assign users the correct roles in Entra ID This ensures all users are provisioned to your account when logging in to Smartsheet for the first time.
In this report, you can find the following fields:
- Name
- Status
- Division
- Department
- Cost Center
Division, Department, and Cost Center data are populated through your Active Directory service. If data exists for these fields, it shows in the User List report. If data doesn't exist from the Directory Service, the fields in the User List report are blank.
The data in the report should automatically sync with the Directory Service, although the Directory Service determines the exact refresh rate.
Keep this in mind
After the setup, be careful when making significant changes, such as manual or scripted bulk modifications. Improperly prepared scripts may cause unintentional deprovisioning when used with the Entra ID Integration. If you have questions or require further assistance with making significant changes, contact Support.