Manage Smartsheet users through Azure Active Directory

Leverage Azure Active Directory (Azure AD) to provision, deprovision, and manage user profiles in your Smartsheet plan.

Who can use this?

Plans:

  • Enterprise

Permissions:

  • System Admin

Find out if this capability is included in Smartsheet Regions or Smartsheet Gov.

This article discusses information relevant to both the Legacy Collaborator Model and the User Subscription Model. If you're unsure about your model type, learn how to determine the model your plan is on.

Overview

  • In Legacy Collaborator Model plans, Smartsheet allows you to provision users as unlicensed without assigning them specific roles. Any new unlicensed user provisioned through Azure AD doesn't appear in Smartsheet's Admin Center until they sign in for the first time or are added to a Smartsheet group.
  • In User Subscription Model plans, all new users provisioned through Azure AD are designated Provisional Members upon creation. The only exception to this rule is the System Admin role, which can be provisioned as non-Member (Viewer). Additionally, upgrading or downgrading existing users is only supported through the Manage True-up page in Admin Center.

Provisional Members have the same access to features as regular Members, but only for a limited time. Learn more about the True-up process and capabilities of Provisional Members.

Prerequisites

System Admins and an IT Administrator can set up Active Directory with Smartsheet. As long as they're also Azure AD administrators, System Admins can manage users (provision, de-provision, change user profile information and roles) through Active Directory.

  1. Contact your Smartsheet account representative or Smartsheet Support to enable this capability for your organization’s plan.
  2. Take the Azure Active Directory and Smartsheet Integration online training.

Connect Azure AD with Smartsheet

- Use this SCIM URL to configure Azure Active Directory integration: https://scim.smartsheet.com/v2/
- EU accounts should use this one instead: https://scim.smartsheet.eu/v2/

 

  1. Sign in to Smartsheet with System Admin credentials.
  2. In Smartsheet, generate an API token under Account > Apps and Integrations > API Access > Generate new access token. The token generated runs with your credentials—this is a password to your account. Treat it as such.
  3. In Azure AD, work with your IT administrator to enable the Smartsheet gallery tile with the application ID 3290e3f7-d3ac-4165-bcef-cf4874fc4270.

Configure user provisioning and deprovisioning to Smartsheet

Refer to the following resources to learn how to configure the Azure Active Directory provisioning service. This setup enables you to create, update, and deactivate users and groups in Smartsheet according to their assignments within your directory:

Deprovisioned users will be deactivated. Deactivated users can't sign in to Smartsheet and are no longer assigned a license (Legacy Collaborator Model) or Member designation, and that license or Member designation is available for you to reassign.

If you wish to delete their Smartsheet account:

  1. Deactivate the Azure AD integration with Smartsheet.

  2. Manually remove the user in Admin Center.

     

About existing groups in Azure AD or Smartsheet

The Azure AD provisioning service only updates users who are “assigned” to the Smartsheet app. Users are assigned by being included in specified role-mapped Azure AD groups.

  • If users aren’t added to any Smartsheet role groups in Azure AD, they won’t be updated or affected within the Smartsheet app.
  • If users are assigned to a Smartsheet role group in Azure AD, provisioned into Smartsheet as a result, and later removed from that group, they’ll be deactivated during the next provisioning cycle.
  • If a Smartsheet user has an account in Azure AD but isn’t assigned to any Azure AD groups mapped to Smartsheet roles, Azure AD will essentially ignore the user during provisioning.

User list report

To download your current user list:

  1. In Admin Center, select the Menu icon in the top-left corner.
  2. Navigate to Users and Groups > User Roles and Reports.
  3. Select More Actions > User List. See Admin Center: Add, edit, or deactivate users for more info. Use this list to assign users the correct roles in Azure AD. This ensures all users are provisioned to your account when logging in to Smartsheet for the first time.
Download User List as a CSV file

In this report, you can find the following fields:

  • Name
  • Email
  • Status
  • Division
  • Department
  • Cost Center

Division, Department, and Cost Center data populate through your Active Directory service. If data exists for these fields, it shows in the User List report. If data doesn't exist from the Directory Service, the fields are blank in the User List report.

The data in the report should automatically sync with the Directory Service, although the Directory Service determines the exact refresh rate.

Keep this in mind

After the setup, be careful when making significant changes, such as manual or scripted bulk modifications. Improperly prepared scripts may cause unintentional deprovisioning when used with the Azure Directory Integration. If you have questions or require further assistance with making significant changes, contact Support.