We want to let System Admins know of important updates to how Entra (formerly Azure AD) and Okta Directory Integration (DI) provisioning works for customers on Smartsheet User Model plans.
This change does not currently apply to Legacy plan customers, but will take effect upon migration to a User Model plan. We're sharing this information broadly to give full visibility into what to expect.
What changed
Previously, when SCIM provisioning was used with a User Model plan, all users were provisioned with a Viewer seat type regardless of their IdP group assignment. Any seat type changes had to be made manually in the Admin Center.
That is no longer the case. SCIM provisioning now respects IdP group assignments to determine the correct seat type in Smartsheet automatically.
IMPORTANT: Existing users won’t be affected immediately
Please note that this change is not retroactive. Existing users will not have their seat types automatically updated on or after the launch date simply because of their current group assignments.
For the new group mapping logic to take effect on an existing user, our system needs to receive an update call triggered by a change to that user's group assignments in your IdP. Without an update call, the user's seat type will remain as-is.
For example: if a user was previously assigned to both the System Admin group and the Licensed User group, but was only ever provisioned as a Viewer under the old behavior, that user will still be a Viewer on launch day and beyond, unless a change is made to their group assignments in Entra or Okta that triggers an update call to Smartsheet.
To apply the new seat type logic to existing users, you can make a group assignment change in your IdP (such as removing and re-adding a group, or adding a new group assignment) to trigger an update. Alternatively, seat types can always be adjusted manually in the Admin Center.
RECOMMENDED: How to safely update group assignments
If you plan to re-assign groups to trigger the new seat type logic, we strongly recommend following these steps to prevent any unintended seat type changes during the process:
1. Disable the Directory Integration in Smartsheet first (via the Admin Center).
2. Disable the integration on the Okta or Entra side as well.
3. Re-assign groups in your IdP as needed.
4. Re-enable the integration in Okta or Entra.
5. Re-enable the Directory Integration in Smartsheet.
This ensures that group assignment changes are processed in a controlled way, and that no unintended update calls are sent to Smartsheet mid-change.
Critical note for Entra ID customers regarding the Users and Groups section
If you are using the Entra ID Smartsheet application for both SCIM provisioning AND OIDC Single Sign-On (SSO), please read this section carefully before making any changes.
You may be aware that some documentation recommends testing Directory Integration with a small subset of users first. While this is sound general advice, it is NOT a safe approach if your organization is using the Users and Groups section of the Entra ID Smartsheet application. Enabling Directory Integration in a rolling or piecemeal fashion in that situation could have serious unintended consequences.
Here is why this matters:
Any user assigned to the Smartsheet application in Entra ID's Users and Groups section is considered "managed by Directory Integration" in Smartsheet. If that user has no role group assigned, meaning they are only present in the Users and Groups section without being assigned to a specific role group, they will be treated as a Viewer seat type by default.
This means: if you enable Directory Integration before all role groups are fully configured for your users, anyone not yet assigned to a role group at the time DI is enabled could be downgraded to a Viewer seat. This includes users who may currently hold Member seats.
Our strong recommendation for Entra ID customers using the Users and Groups section:
- Do NOT enable Directory Integration to test with a small subset of users if your broader user population is already assigned to the Entra ID Smartsheet application.
- Before enabling Directory Integration, ensure that the correct role groups are configured and assigned to ALL users in your Entra ID Smartsheet application — not just those in a test group.
- Enable Directory Integration only once role group assignments are complete and verified for your full user population.
Taking a piecemeal approach risks unintentionally downgrading users to Viewer who should have Member-level access, which can disrupt their ability to work in Smartsheet.
If you have any questions about how your current Entra ID configuration may be affected, please reach out to your Customer Success Manager or Account Manager before making changes.
Group mappings for seat type provisioning
When using SCIM provisioning with a User Model plan, the following group mappings control the resulting seat type assigned in Smartsheet:
- Note on "No IdP group assigned":
  - For Okta, this means the user is assigned to the app (general app assignment) but has not been assigned to any specific role group.
  - For Entra, this means the user is assigned to the SMARTSHEET_USER group.
- Note on Viewer seat type: When a user is added as a Viewer, they have the ability to create new assets such as sheets, reports or dashboards. If they create a new asset or take a qualifying action on a shared asset, they will become a Provisional Member. This transition is triggered automatically by our system based on their actions — not by group assignment.
Supported seat type changes via group mappings
The following seat type transitions can be triggered through Directory Integration group mappings on User Model plans:
✓ Viewer → Member
✓ Provisional Member → Member
✓ Member → Viewer
- If a user enters a Provisional Member state and is then added to a Member-level group in Directory Integration, they will automatically be promoted to a Member seat.
- If a user enters a Provisional Member state but has not been added to a Member-level IdP group, they will remain in that state until either the Admin Approval Setting downgrades them or a System Admin manually changes their seat type in the Admin Center.
Seat type changes not supported via group mappings
The following transitions cannot be handled through Directory Integration and must be managed in the Admin Center or are system-triggered only:
✗ Provisional Member → Viewer (Admin Center only)
✗ Viewer → No Access (Admin Center only)
✗ Viewer → Provisional Member (system-triggered only)
✗ Provisional Member → No Access (Admin Center only)
✗ Member → No Access (Admin Center only)
Additional notes:
- Moving from Member → Provisional Member is not supported directly in the Admin Center or via Directory Integration.
- User deactivation is still fully supported by deactivating or removing the user profile in Entra or Okta.
- Guests will need to be managed fully in the Admin Center, as they would not exist in your organization's IdP.
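Added example (not Smartsheet code or tooling): a pre-flight check that applies the rules above to an export of app assignments and current seat types, and lists every user whose seat would change once Directory Integration processes them. The CSV layout, the function names and the EXAMPLE_MEMBER_GROUP name are assumptions; substitute the Member-level group names from your own mapping.

```python
import csv
import io

# Assumption: names of the IdP groups that map to a Member seat in your tenant.
# Placeholder only; take the real names from your own group mapping.
MEMBER_LEVEL_GROUPS = {"EXAMPLE_MEMBER_GROUP"}

# Transitions listed above as supported via Directory Integration group mappings.
DI_SUPPORTED = {
    ("Viewer", "Member"),
    ("Provisional Member", "Member"),
    ("Member", "Viewer"),
}

def predicted_seat(current_seat, groups):
    """Seat type expected after DI processes this user's group assignments."""
    # No role group (e.g. only SMARTSHEET_USER on Entra) defaults to Viewer.
    target = "Member" if MEMBER_LEVEL_GROUPS & set(groups) else "Viewer"
    if target == current_seat:
        return current_seat
    # Anything outside the supported set (e.g. Provisional Member -> Viewer)
    # is Admin Center only, so DI leaves the seat as it is.
    return target if (current_seat, target) in DI_SUPPORTED else current_seat

def audit(export_csv):
    """Return (email, current, predicted) for every user whose seat would change."""
    changes = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        groups = [g for g in row["groups"].split(";") if g]
        new = predicted_seat(row["seat"], groups)
        if new != row["seat"]:
            changes.append((row["email"], row["seat"], new))
    return changes

# Constructed sample export: app assignments joined with current Smartsheet seats.
SAMPLE = """email,seat,groups
alice@example.com,Member,SMARTSHEET_USER
bob@example.com,Member,SMARTSHEET_USER;EXAMPLE_MEMBER_GROUP
carol@example.com,Provisional Member,SMARTSHEET_USER
dave@example.com,Viewer,SMARTSHEET_USER;EXAMPLE_MEMBER_GROUP
erin@example.com,Provisional Member,SMARTSHEET_USER;EXAMPLE_MEMBER_GROUP
"""

if __name__ == "__main__":
    for email, old, new in audit(SAMPLE):
        flag = "DOWNGRADE" if new == "Viewer" else "upgrade"
        print(f"{flag:9} {email}: {old} -> {new}")
```

Any row flagged DOWNGRADE is a current Member with no role group yet; resolve those assignments before enabling Directory Integration.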
Learn more about these changes and how to configure Directory Integration:
If you have any additional questions or concerns about this update, please reach out to your Customer Success Manager or Account Manager for personalized guidance.