• Managing User Licenses With Udemy’s SCIM API

    This article outlines how organizations can use Udemy’s System for Cross-domain Identity Management (SCIM) API to add or remove user licenses.  

    SCIM is supported by a number of Identity Providers such as Okta and OneLogin.  You can also utilize the Udemy Business SCIM API for other IdPs or home-grown tools.

    Note: SCIM API tokens for Udemy Business last for approximately two years. Admins will be sent a notification:

    • 30 days before the token expiry
    • After the token expiry

    License usage

    In the Identity Provider, licenses are typically assigned at a group level or, in some cases, at an individual level. When the licenseTypes attribute is included in requests, the type of license will be specified for the users in question.

    • The attribute may be included when creating users, and the users will claim the indicated licenses once they activate their Udemy Business account.
    • The attribute may be included for an existing user and can either grant or remove an existing license.
    • If insufficient licenses of a required type are available on the account, Udemy Business will send an error message to the IdP, and changes will not be made.

    Restrictions on removing licenses: 

    A user must have a license type. To free up all licenses from a user, the user will need to be deactivated in your organization’s account. If Udemy Business receives a blank licenseTypes attribute, the system will ignore it.

    Downgrading from a “Pro” to “Enterprise” license is not currently supported for inactive users, i.e., users that were provisioned with both licenses but who have not logged in yet. 

    Providing the required licenseTypes attribute

    The licenseTypes attribute must be included in your organization’s Identity Provider under the following schema extension:

    urn:ietf:params:scim:schemas:extension:udemy:2.0:User

    This attribute should be provided as a list of strings, with each string representing a license name (see the section below regarding license types for more information).

    Providing the accepted values and corresponding license types

    To manage a user’s license type, an accepted value will need to be entered. The input values in the table below will be validated against the supported license types for Udemy Business. The license name value is not case sensitive.

     

    License name | Type               | Examples of accepted values
    Enterprise   | Plan license       | Enterprise, eNtErpRisE, enTERprise, etc.
    Pro          | Additional license | Pro, pRo, PRo, etc.

     

    Note: If an unaccepted value is provided, an error notification will occur.

    How to include licenseTypes when creating users

    The following is an example of what would be entered into your Identity Provider to include licenseTypes when creating users:

    POST /scim/v2/Users HTTP/1.1
    Host: myorganization.udemy.com
    Accept: application/scim+json
    Authorization: Bearer <enter your Bearer token here>
    Content-Type: application/scim+json

    {
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
            "urn:ietf:params:scim:schemas:extension:udemy:2.0:User"
        ],
        "userName": "john.doe@udemy.com",
        "externalId": "someexternalidtest12312",
        "name": {
            "givenName": "John",
            "familyName": "Doe"
        },
        "emails": [
            {
                "primary": true,
                "type": "work",
                "value": "john.doe@udemy.com"
            }
        ],
        "active": true,
        "urn:ietf:params:scim:schemas:extension:udemy:2.0:User": {
            "licenseTypes": ["Enterprise", "Pro"]
        }
    }

    How to replace the attributes of existing users and include licenseTypes

    The following is an example of what would be entered to replace the attributes of existing users and include licenseTypes:

    PUT /scim/v2/Users/<scim-user-uuid> HTTP/1.1
    Host: myorganization.udemy.com
    Accept: application/scim+json
    Authorization: Bearer <enter your Bearer token here>
    Content-Type: application/scim+json

    {
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
            "urn:ietf:params:scim:schemas:extension:udemy:2.0:User"
        ],
        "userName": "john.doe@udemy.com",
        "externalId": "someexternalidtest12312",
        "name": {
            "givenName": "John",
            "familyName": "Doe"
        },
        "emails": [
            {
                "primary": true,
                "type": "work",
                "value": "john.doe@udemy.com"
            }
        ],
        "active": true,
        "urn:ietf:params:scim:schemas:extension:udemy:2.0:User": {
            "licenseTypes": ["Enterprise", "Pro"]
        }
    }

    How to set only the licenseTypes field of an existing user

    To set only the licenseTypes field on an existing user, there are two options for PATCH requests:

    • "op": "add" adds the add-on license (i.e. “Pro”) to the already existing ones.
    • "op": "replace" overwrites the existing values.

    Note

    With the add operation, a Udemy Business Pro license can be added to existing licenses, which are either Enterprise or Enterprise+Pro. For users who already have Enterprise licenses, the Pro license will be added. For users who already have Enterprise+Pro licenses, no additional license will be added.

    Here is an example of what would be entered to set only the licenseTypes field on an existing user:

    PATCH /scim/v2/Users/<scim-user-uuid> HTTP/1.1
    Host: myorganization.udemy.com
    Accept: application/scim+json
    Authorization: Bearer <enter your Bearer token here>
    Content-Type: application/scim+json

    {
        "schemas": [
            "urn:ietf:params:scim:api:messages:2.0:PatchOp",
            "urn:ietf:params:scim:schemas:extension:udemy:2.0:User"
        ],
        "Operations": [
            {
                "op": "add",
                "urn:ietf:params:scim:schemas:extension:udemy:2.0:User": {
                    "licenseTypes": ["Pro"]
                }
            }
        ]
    }

    How to overwrite the entire set of current licenses for a user

    With the replace operation, the whole set of current licenses for a user can be overwritten. To do so, the following must be entered.

    PATCH /scim/v2/Users/<scim-user-uuid> HTTP/1.1
    Host: myorganization.udemy.com
    Accept: application/scim+json
    Authorization: Bearer <enter your Bearer token here>
    Content-Type: application/scim+json

    {
        "schemas": [
            "urn:ietf:params:scim:api:messages:2.0:PatchOp",
            "urn:ietf:params:scim:schemas:extension:udemy:2.0:User"
        ],
        "Operations": [
            {
                "op": "replace",
                "urn:ietf:params:scim:schemas:extension:udemy:2.0:User": {
                    "licenseTypes": ["Enterprise", "Pro"]
                }
            }
        ]
    }
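
The license rules above (case-insensitive names, blank values ignored, add versus replace) can be checked before a request leaves your own tooling. The following is an added example, not Udemy's code: the function names and the UDEMY_SCIM_TOKEN environment variable are assumptions, and the request is built but never sent.

```python
"""Added example: validate and build Udemy Business license PATCH requests."""
import json
import os
import urllib.parse
import urllib.request

UDEMY_EXT = "urn:ietf:params:scim:schemas:extension:udemy:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Accepted license names from the table above; matching is case-insensitive.
ACCEPTED = {"enterprise": "Enterprise", "pro": "Pro"}


def normalize_license_types(values):
    """Return canonical, de-duplicated license names or raise ValueError."""
    if not values:
        # A blank licenseTypes is ignored by Udemy Business, so refuse to send
        # one: freeing all licenses requires deactivating the user instead.
        raise ValueError("licenseTypes must not be empty")
    canonical = []
    for value in values:
        key = str(value).strip().lower()
        if key not in ACCEPTED:
            raise ValueError(f"unaccepted license type: {value!r}")
        if ACCEPTED[key] not in canonical:
            canonical.append(ACCEPTED[key])
    return canonical


def build_license_patch(op, license_types):
    """Build the PatchOp body in the shape shown in the article."""
    if op not in ("add", "replace"):
        raise ValueError(f"unsupported op: {op!r}")
    names = normalize_license_types(license_types)
    return {
        "schemas": [PATCH_OP, UDEMY_EXT],
        "Operations": [{"op": op, UDEMY_EXT: {"licenseTypes": names}}],
    }


def expected_licenses(current, op, requested):
    """Local model of the documented outcome: add merges, replace overwrites."""
    current = normalize_license_types(current)
    requested = normalize_license_types(requested)
    if op == "replace":
        return requested
    if op == "add":
        return current + [name for name in requested if name not in current]
    raise ValueError(f"unsupported op: {op!r}")


def build_request(host, scim_user_id, body, token=None):
    """Prepare (but do not send) the HTTPS PATCH request for one user."""
    # Assumption: the Bearer token is kept out of source code and supplied
    # through an environment variable named UDEMY_SCIM_TOKEN.
    token = token or os.environ["UDEMY_SCIM_TOKEN"]
    user_path = urllib.parse.quote(scim_user_id, safe="")  # no path tricks
    return urllib.request.Request(
        f"https://{host}/scim/v2/Users/{user_path}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Accept": "application/scim+json",
            "Content-Type": "application/scim+json",
            "Authorization": f"Bearer {token}",
        },
    )


if __name__ == "__main__":
    patch = build_license_patch("add", ["pRo"])
    print(json.dumps(patch, indent=4))
    print(expected_licenses(["Enterprise"], "add", ["Pro"]))
```
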
  • Configure SCIM provisioning with Entra ID (Azure AD)

    Once Single Sign-on (SSO) is set up, you can configure System for Cross-domain Identity Management (SCIM 2.0) provisioning in Entra ID (formerly known as Azure AD) with Udemy Business.

    SCIM provisioning enables you to provision, deprovision, create groups, manage group membership, manage licenses, and change user profile details like name and email address in Entra ID, which automatically updates Udemy Business. You will no longer need to update both Entra ID and Udemy Business separately with these actions as it will all be synced from Entra ID.

    Please note:

    • SSO must be enabled prior to activating SCIM.
    • Single sign-on and provisioning are available to Udemy Business Enterprise Plan customers.
    • Users provisioned through Entra ID won't take up a license until they log into the Udemy Business application for the first time.
    • SCIM provisioning changes can only be synced from Entra ID to Udemy Business, not the other way round.
    • Users and Groups managed by SCIM in Entra ID can't be changed within the Udemy Business app; SCIM is the single source of truth for user and group data.
    • You can still create groups manually in Udemy Business if you have users that you don’t need or want to push from Entra ID, such as contractors or temporary staff.
    • Note: SCIM API tokens for Udemy Business last for approximately two years. Admins will be sent a notification:
      • 30 days before the token expiry
      • After the token expiry

    Configure SCIM Provisioning with Entra ID

    1. In your Udemy Business account, go to Manage > Settings > Provisioning (SCIM).

    2. Click Start Setup, choose your Identity Provider and follow the instructions to generate the Secret Token (Bearer token) which you then need to input into Entra ID.

    3. Access your Entra ID account and go to your Udemy Business SSO app and follow the steps below to get set up. You can also refer to Microsoft’s own configuration guide for SCIM Provisioning with Entra ID for further guidance.

    Go to the Provisioning tab in your Azure portal.   

    Note: udemyazure is a test name we used in the screenshots below for the purpose of illustrating how to configure SCIM. When configuring your own instance, use the app that was named by your team. 

    4. In the Provisioning Mode field, select Automatic.

    5. In the Admin Credentials section:

    Tenant URL is: https://yourdomain.udemy.com/scim/v2 (yourdomain is the url for your Udemy Business account)

    Secret Token: This is a Bearer token that you can generate or view inside your Udemy Business account.

    • Go to Manage > Settings > User Access to get the Secret Token.

    6. Click Test Connection to check that it’s working correctly.  

    7. (Optional) Enter an email address if you wish to receive alerts from Azure about errors.

    8. In Mappings:

    Go to Provision Microsoft Entra ID User:

    Once inside, you should see the attribute mappings list.

    Supported attributes

    Confirm that the required attributes below are added in the customappsso Attributes as these fields are required for SCIM provisioning to function within Udemy.

    SCIM attribute | Required? | Description
    emails[type eq "work"].value | Yes | Email of the user. Must be unique.
    userName | Yes | The userName from the IdP. Must be unique.
    active | Yes | Flag to deactivate/reactivate users.
    externalId | Yes | The externalId of the user from IdP. Must be unique.
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | Yes | Returns the employeeNumber field from EnterpriseSchema and stores it as the external_id field. Should match the attribute you want sent to externalId.
    name.givenName | No | Given name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users.
    name.familyName | No | Family name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users.
    name, { givenName, familyName } | No | Given name and family name of the user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users.
    title | No | User’s job title, i.e. “Senior Engineer”.
    urn:ietf:params:scim:schemas:extension:udemy:2.0:User:licensePoolName | No | The license pool name.
    urn:ietf:params:scim:schemas:extension:udemy:2.0:User:licenseTypes | No | A comma-separated list of license types. Accepted values: “Enterprise”; “Enterprise Pro”.

    Make sure the Microsoft Entra ID attribute for emails[type eq "work"].value matches the value you configured in your SSO email attribute and claims (i.e., mail or userPrincipalName).

    Confirm the attribute Switch([IsSoftDeleted], , "False", "True", "True", "False") is mapped to active which allows the deactivation of users to be passed over.

    Once you have added the attributes, update the Matching precedence to have emails[type eq "work"].value set to 1.
    You might have to update userName to 2 or 3.

    9. Scroll down to the bottom of the User Attributes Mapping and enable Show advanced options. Select Edit attribute list for customappsso and enable Exact case for both id and userName.

    10. Return to the main Provisioning setting screen:


    11. In the Scope field, choose how you want to sync your users and groups.

    You can sync only users and groups who are assigned the Udemy Business app if you need to restrict access to certain employees or departments. Or, you can sync all users and groups if every employee is going to have access.

    In order to provision more users and groups with Udemy Business access:

    12. Click Users and groups

    13. Click on Add User, which will give you the option to add both Users and Groups.

    Select all users or the groups you want to add to the application and click Select.

    Troubleshooting

    In relation to Mappings:

    If you experience this error when provisioning:

    {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}

    You should change the mapping of the User.

    emails[type eq "work"].value needs to be mapped to userPrincipalName, that is, if userPrincipalName is where the email is.

    If you go to the user profile, you should be able to see which field contains the email there.

    For any errors provisioning users, you can view more details by looking into the provisioning logs.

    • You can obtain this log by going to the Udemy App on Azure > Provisioning > Provisioning Logs > Search for the affected user > Troubleshooting & Recommendations.
    • If needed, open a support ticket and provide a screenshot of the Azure provisioning logs so we can take a look at what failed.
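
When triaging provisioning failures, it helps to turn the error body into field names and to check a user record against the required attributes before it is pushed. The following is an added example, not code from Udemy or Microsoft: the function names and the sample user are constructed, and the employeeNumber/externalId comparison is an interpretation of the "should match" wording in the table above.

```python
"""Added example: triage Udemy SCIM provisioning errors seen from Entra ID."""
import ast
import json

ERROR_URN = "urn:ietf:params:scim:api:messages:2.0:Error"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Error body quoted in the Troubleshooting section above.
PAGE_ERROR = """{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}"""

# Constructed sample: the only email is typed "home", so the
# emails[type eq "work"].value mapping has nothing to send.
SAMPLE_USER = {
    "userName": "jane.doe@example.com",
    "externalId": "constructed-id-001",
    "active": True,
    "emails": [{"type": "home", "value": "jane.doe@example.com"}],
    ENTERPRISE_EXT: {"employeeNumber": "constructed-id-001"},
}


def parse_scim_error(raw):
    """Return status, raw detail and per-field messages from an error body."""
    doc = json.loads(raw)
    if ERROR_URN not in doc.get("schemas", []):
        raise ValueError("not a SCIM error response")
    detail = doc.get("detail", "")
    fields = {}
    try:
        # The detail string is a quoted dict literal; literal_eval accepts
        # literals only and never executes code from the response.
        parsed = ast.literal_eval(detail)
    except (ValueError, SyntaxError, TypeError):
        parsed = None  # free-text detail: keep it only as a message
    if isinstance(parsed, dict):
        for name, messages in parsed.items():
            if not isinstance(messages, (list, tuple)):
                messages = [messages]
            fields[str(name)] = [str(m) for m in messages]
    return {"status": int(doc.get("status", 0)), "detail": detail, "fields": fields}


def preflight_problems(user):
    """List required attributes (per the table above) missing from a user."""
    problems = []
    emails = user.get("emails") or []
    if not any(e.get("type") == "work" and e.get("value") for e in emails):
        problems.append('emails[type eq "work"].value')
    for attr in ("userName", "externalId"):
        if not user.get(attr):
            problems.append(attr)
    if not isinstance(user.get("active"), bool):
        problems.append("active")
    employee_number = (user.get(ENTERPRISE_EXT) or {}).get("employeeNumber")
    if not employee_number:
        problems.append(ENTERPRISE_EXT + ":employeeNumber")
    elif user.get("externalId") and employee_number != user["externalId"]:
        # Interpretation of "should match" in the attribute table.
        problems.append("employeeNumber does not match externalId")
    return problems


if __name__ == "__main__":
    print(parse_scim_error(PAGE_ERROR)["fields"])
    print(preflight_problems(SAMPLE_USER))
```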

  • Configure SCIM Provisioning With OneLogin

    Once Single Sign-on (SSO) is set up you can then configure System for Cross-domain Identity Management (SCIM) provisioning in OneLogin with Udemy Business. This will allow you to provision, deprovision, create groups, manage group membership and change user profile details like name and email address in OneLogin, which automatically updates Udemy Business. You will no longer need to update both OneLogin and Udemy Business separately with these actions as it will all be synced from OneLogin.

    This article outlines how you can configure SCIM provisioning with OneLogin. 

    Note: SCIM API tokens for Udemy Business last for approximately two years. Admins will be sent a notification:

    • 30 days before the token expiry
    • After the token expiry

    How to enable SCIM Provisioning

    To enable SCIM Provisioning for your Udemy Business account, first go to your Udemy Business account and access Manage > Settings > Provisioning (SCIM).

    Click Start Setup and follow the instructions to enable SCIM and generate the Secret Token (Bearer token) which you then need to save in OneLogin.

    Next, access your OneLogin account and go to your Udemy Business SSO app and follow the steps below to get set up. 

    Additional information regarding how to provision users is also available in OneLogin's support center.

    1. In the admin panel click on the applications tab:

    2. Navigate to the “Configuration” tab. Inside the “Configuration” tab, input the SCIM bearer token from your Udemy Business account that was generated above, and set to “Enabled”:

    3. Next, navigate to the “Provisioning” tab, and check the “Enable provisioning” box:

    Creating a rule to sync a user’s group with Udemy Business

    OneLogin uses the concept of “rules” in order to sync a user with a particular group in your Udemy Business account. There are many ways to create rules based on your different requirements for syncing groups. The following is one specific example of how to create a rule to sync a user with a group called “Engineers”.

    1. Navigate to the “Rules” tab and select “Add Rule”:

    2. Prerequisite: Before moving to the next step, please contact our Support Team and request that they enable the feature flag that will allow SCIM groups to be pulled from Udemy Business. With this feature enabled you can pull the existing groups from Udemy Business and access them in OneLogin.

    3. The “Edit Mapping” screen is where you can configure the logic for your rule. In this example, we create a rule where the logic is “If the Group of the user is Engineering Group, then the action is to set the user’s group in Udemy Business to Engineers”. To pull groups “From Existing” in Udemy Business, you will need to refresh entitlements.

    4. Navigate to the “Parameters” tab:

    Supported attributes

    Confirm that the required attributes below are added in the Parameters Tab Attributes as these fields are required for SCIM provisioning to function within Udemy.

    SCIM attribute | Required? | Description
    SCIM.email | Yes | Email of the user. Must be unique.
    externalId | Yes | The externalId of the user from IdP. Must be unique. We recommend mapping this to your OneLogin ID.
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | Yes | This field is required to store the externalId value. Should match the externalId value.
    SCIM.name.givenName | No | Given name of user. Even though they are not required, we recommend always specifying those attributes since it will make it easier to identify users.
    SCIM.name.familyName | No | Family name of user. Even though they are not required, we recommend always specifying those attributes since it will make it easier to identify users.

    Note: adding parameters might not take effect immediately as OneLogin does a parameter sync daily.

    5. Click on the “Groups” field:

    6. Check the “Include in User Provisioning” box and save:

    7. Now, after adding a user in OneLogin and setting that user’s group to “Engineering Group”:

    8. Once the user is added to the Udemy Business application and synced, based on the rule, this user will be added to the “Engineers” group in your Udemy Business account:

  • Automating User and Group Management With SCIM

    Udemy Business supports user and group access and identity management with the System for Cross-domain Identity Management (SCIM) standard. SCIM is used by Single Sign-On (SSO) services and Identity Providers to manage people across a variety of apps and tools, including Udemy Business.

    SCIM can be a great option for organizations looking to maximize scale and security, as well as minimize friction in user management for Udemy Business.

    What you can do with SCIM:

    • Automatically provision licenses and access to users and groups from your Identity Provider (provisioning).
    • Automatically deactivate users and groups from your identity provider (deprovisioning).
    • Reactivate users who were previously deprovisioned (provided the user’s personally identifiable information has not been anonymized).
    • Update user details: name, email address. 
    • Create, remove, or edit groups.
    • Manage group membership (users changing groups).
    • Add users to License Pools
    • Assign Udemy Business Pro Licenses

    What you cannot do with SCIM:

    • Delete User Personal Identifiable Information (PII) via SCIM on any Identity Provider.
    • Sync data from Udemy Business back to the Identity Provider.
    • Manage roles (admin, group admin, user).
    • Please note: SCIM-provisioned users will not receive an automatically-generated email invite to claim their Udemy Business license as they would if they were manually invited through the Udemy Business user management portal. We recommend your learning team send out a separate communication explaining how they can get access by logging in via their SSO provider. However, users who are reactivated via SCIM will receive an automatically-generated email from Udemy saying their account has been reactivated.

    Once you take any of the above supported actions, the data or change will automatically update in Udemy Business.

    Key points about SCIM Integration for your Udemy Business Account

    • Your SCIM integration setup will vary depending on the identity provider you use. 
    • Udemy Business supports SCIM Provisioning for the key identity providers and SSO services that offer access and identity management.
    • SCIM Provisioning is available to Enterprise Plan customers using Single Sign-on (SSO).
    • Users provisioned through SCIM in your SSO service will not take up a license until they join Udemy Business by signing in for the first time. When users are provisioned through SCIM but have not signed in for the first time, they will display on the All users page with a No License status.
      • For customers who have purchased Udemy Business Pro licenses for all users, Pro licenses will be automatically assigned when invitations are accepted by users, or when they authenticate via SSO/SCIM.
    •  Note: When SCIM is enabled, Udemy uses the SCIM protocol for attribute mapping over SAML. Since groups is not a SCIM user attribute, groups will not pass via SAML if you previously mapped the attribute as part of a SAML only configuration.
    • SCIM API tokens for Udemy Business last for approximately two years. Admins will be sent a notification:

      • 30 days before the token expiry
      • After the token expiry

    SCIM-managed users have a gray SCIM flag next to their name and email. Users with the Status SCIM provisioned will not consume an active license until they log in for the first time.

    How to enable SCIM provisioning

    To enable SCIM provisioning for your Udemy Business account, go to your Udemy Business account to Manage > Settings > Provisioning (SCIM)

    Scroll to the SCIM Integration section. Next, follow the instructions to enable SCIM, choose your Identity Provider from the dropdown, and generate the credentials (Username and Password or Secret/Bearer token), which you then need to input into your Identity Provider as part of the configuration.

    Depending on which Identity Provider you use, follow the instructions in the appropriate guide below to complete the SCIM setup.

    Okta Configuration Guide 

    Azure AD Configuration Guide 

    OneLogin Configuration Guide

    For other IdPs or your own tools, please refer to the Udemy SCIM API Configuration Guide.

    How to disable SCIM provisioning

    To disable SCIM provisioning for your Udemy Business account (if you’re changing providers or no longer require SCIM) access Manage > Settings > Provisioning (SCIM).

    Scroll to the SCIM Integration section and click on the Disable Integration link and follow the instructions to disable SCIM. This will disable the integration from the Udemy Business side, but your IT team will need to disable the integration from the Identity Provider side also. 

    You can continue to use Udemy Business as usual, but you will need to manually update user and group information within the platform from now on.

    Deprovisioning users with SCIM

    Note that Udemy Business users deprovisioned from your Identity Provider will be deactivated within Udemy Business.  We first deploy this “soft delete” to enable you to preserve learner history, in the case of reactivating these users at a later point, and to prevent accidental, irreversible, anonymization of user data.  If you wish to permanently delete a user and all their data, please follow the instructions below:

    Deleting PII for SCIM-managed learners

    If you wish to disconnect a learner from being managed by your IdP with SCIM, you can do so by first deprovisioning them in your SSO Active Directory, and then you can delete their PII in your Udemy Business account.

    If you need to manage a learner directly from within your Udemy Business account and not via your SSO IdP, or if you do not wish to delete their PII, please reach out to our support team for further assistance.

  • Configure SCIM Provisioning With Okta

     

    This guide provides the steps required for existing Okta and Udemy Business customers to configure automatic provisioning, de-provisioning, profile updates, and group management of Udemy Business users and groups using System for Cross-domain Identity Management (SCIM 2.0).

    If you've already configured SCIM provisioning, and want to use the new Udemy Business app, you'll need to migrate your existing integration to Bearer token authentication.

    Notes:

    • If you already have SSO sign on enabled for Udemy Business in Okta, you don't need to reconfigure SSO.
    • If you had SSO set up from a manual configuration by one of our team, you should add our new Udemy Business app into your Okta account. You'll find this in Applications by searching for Udemy Business. Because this is a new version of our app in Okta, existing customers might be required to reconfigure Single Sign On (SSO) before enabling SCIM Provisioning. (step by step instructions below).
    • Users provisioned through Okta will not consume an active license until they log into the Udemy Business application for the first time.
    • SCIM-managed users and groups can only be changed in Okta.
    • When SCIM is enabled, Udemy uses the SCIM protocol for attribute mapping over SAML. Since groups is not a SCIM user attribute, groups will not pass via SAML if you previously mapped the attribute as part of a SAML only configuration.
    • SCIM API tokens for Udemy Business last for approximately two years. Admins will be sent a notification:
      • 30 days before the token expiry
      • After the token expiry

    SCIM provisioning features

    The following SCIM provisioning features are supported:

    • Provision Users from Okta
      • Users assigned the Udemy Business app in Okta will be provisioned in Udemy Business.
      • Note: Users won't receive an automatically-generated invite email if they are SCIM provisioned from Okta.
    • Push Profile Updates
      • Updates made to the user's profile through Okta will be pushed to Udemy Business for users who are associated with Udemy Business in Okta.
    • Push User Deactivation
      • Deactivating the user or disabling the user's access to the application through Okta will deactivate the user on Udemy Business and remove them from all groups.
      • Note: Deactivated users will retain their learning data for reporting purposes or future reactivation. To permanently delete a SCIM-managed deactivated user, you'll first need to break the SCIM connection for that user, which Udemy Business support can assist with.
    • Reactivate Users
      • You can reactivate users in Udemy Business by reassigning the app to that user through Okta.
      • Note: Reactivated users will receive an automatically-generated email from Udemy saying they’ve been reactivated.
    • Group Push
      • Groups and their memberships will be pushed to Udemy Business.
      • Note: Manage groups is limited to groups pushed originally from Okta as we don't send information of groups created on Udemy Business.
    • Import Users and Groups
      • If you switch to the new Udemy Business app in Okta, you can import users and groups from your existing integration into your new integration.

    SCIM-managed users have a gray SCIM flag next to their name and email. Users with the Status SCIM provisioned won't consume an active license until they log in for the first time.

    Before you begin

    If you haven't enabled SSO for Okta, or if you had SSO set up from a manual configuration by our team, complete the Okta SSO configuration steps here first.

    • You can avoid any SSO downtime by hiding the Udemy Business tile in your Okta dashboard until the new SSO and SCIM configuration is complete.
    • Beside Application Visibility, click Do not display application icon to users.

    Configuration Steps

    1. In the Udemy Business app, select the General tab, and complete these fields:

    • Subdomain: Your Udemy Business domain name
    • Domain: udemy.com
    • Audience URI (SP Entity ID): PingConnect.

    2.  On the Provisioning tab, click Configure API integration. 

    3.  Select Enable API Integration and add the API token.

    You can generate or view the API token in your Udemy Business account by navigating to Manage > Settings > Provisioning (SCIM).

    4. Click Test API Credentials, and you should see a message indicating that you’ve successfully completed your SSO integration. If not, please send a message to the Udemy Business Support Team with the given error message.

    5. Click Save and you’ll be redirected to the application Provisioning configuration page.

    6. In Settings > To App, click Edit to enable individual features. 

    To use all the capabilities, we recommend enabling Create Users, Update User Attributes, and Deactivate Users. Click Save.

    7. (Optional) Profile attributes: In your Okta account, go to Directory >  Profile Editor > Your application name. 

    8. On the Profile Editor page, click Add Attribute

    9. On the Add Attribute page, complete these fields with the following attributes: 

    Attribute Name | Data type | Display name | Variable name | External name | External Namespace | Enum
    licenseTypes | string array | License Types | licenseTypes | licenseTypes | urn:ietf:params:scim:schemas:extension:udemy:2.0:User | enabled
    licensePoolName | string | License Pool Name | licensePoolName | licensePoolName | urn:ietf:params:scim:schemas:extension:udemy:2.0:User |
    externalId | string | Udemy External ID | UdemyExternalId | externalId | urn:ietf:params:scim:schemas:core:2.0:User |
    employeeNumber | string | employeeNumber | employeeNumber | employeeNumber | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |
    title | string | title | Udemytitle | title | urn:ietf:params:scim:schemas:core:2.0:User |

    10. Click either Add Attribute or Save and Add Another.

    After adding your attribute, you should see something like this added into the profile:

    Assign users to a license pool

    To assign a user to a license pool:

    1. On the left-hand side of the Okta admin page, navigate to Application → Applications.

    2. Select your application.

    3. Go to the Assignments tab.

    4. Click Assign, and then click either Assign to People or Assign to Groups.

    5. Enter the attributes for that user or group.

    User attributes:

    Group attributes:

    6. Click Save and Go Back.

    You've now added users or groups with License Pool Name attributes, and the user(s) will be assigned to the particular license pool that you mentioned.

    7. Navigate to the Assignments tab to assign Udemy Business to single users or entire groups. 

    Assigned users will be automatically provisioned after being added, automatically modified when changes are made to their profiles, and automatically deactivated when they are removed from assignments.

    8. Navigate to the Push Groups tab to send groups and their membership information to Udemy Business.


    9. Click + Push Groups and select the groups you want to push to Udemy Business.

    You'll be able to select each group, or you can create an automatic rule.


    10. Select the group search criteria and fill the requested information for the groups you would like to send information to Udemy Business.


    11. After selecting the group, select Push group memberships immediately so that the group's members are sent along with the group as soon as it is selected, then click Save.

    12. Repeat the group selection steps for every group you would like to send to Udemy Business.

    Note: Udemy Business won't allow changes to SCIM-managed users or groups after setup.

     

    Migrate an existing integration to bearer token to enable use of the new Udemy Business app in Okta

    If you already have SCIM provisioning with Okta configured, and want to use the Udemy Business application in Okta, you’ll need to migrate to bearer token authentication first. Follow the steps below to migrate your integration.

    Step 1: Generate a token in Udemy Business 

    1. In your Udemy Business admin account, navigate to Manage > Settings > Provisioning (SCIM).

    If you already have an Okta integration that is based on username/password, you’ll see those credentials on the dashboard.

    2. Click Generate token, and you’ll see a modal to confirm that you want to generate a Bearer token for SCIM integration.

    • Once you confirm, your previous credentials will no longer be visible for Provisioning SCIM, but they will still remain valid for other existing integrations (for example, LMS, public APIs for learning activity, and so on). 

    Results 

    Once generated, a success message will appear, and the Bearer token will appear on the Provisioning SCIM page. You can click Copy to copy the Bearer token for Okta setup. 

    After you refresh the page, the success message will disappear, and the dropdown option will change from Okta (Legacy) to Okta.

    Step 2: Update the integration in Okta

    To complete the migration, you need to update your integration in Okta. 

    1. In your Okta admin account, navigate to Applications > Application > Browse App Catalog and search for Udemy Business.

    2.  Add the integration and complete the details, including Subdomain, domain, and Audience URI (SP Entity ID)


     

    3. On the Provisioning tab, click Enable API integration

    4. When prompted to provide the API Token, paste the Bearer token you previously copied from Udemy Business.

    5. Click Test API Credentials to test the connection. 

    If the test is successful, you can safely click Save.


    6. In the Provisioning tab, navigate to Settings > To App and ensure that all types of provisioning are enabled: 

    • Create Users
    • Update User Attributes
    • Deactivate Users 

    Note: After completing this step, all the changes done in this new Udemy Business application will affect your provisioning in Udemy Business.


     

    Results

    Your basic integration of the new Udemy Business application is now complete. 

    Step 3: Manage your old Udemy Business application 

    After creating your new integration, you must choose between these two options:

    Option 1: Disable the old integration

    • Pro: There will be 1 source of truth, and you’ll be sure that any changes you make in the new integration will stay.
    • Con: Your users won’t be able to log in through SSO in Udemy Business.

    Option 2: Keep the old integration as it is 

    • Pro: There won’t be any downtime for your users using Udemy Business.
    • Con: If someone makes changes to the old integration, the changes would overwrite the new integration. You’ll have to carefully manage the transition, and let other administrators know to not make changes to any users or groups in the old integration.

    Step 4: Import Users into the new integration 

    You have two options for importing users into the new integration: 

    • Auto import
    • Review and self import 

    The time the import takes to complete will depend on the number of users in the application, and can range from a few seconds to several minutes. 

    Option 1: Auto import users

    To import users automatically: 

    1. Navigate to the Provisioning tab of the new Udemy Business application.
    2. On the left-hand side, select To Okta.
    3. Under the User Creation & Matching setting, you’ll see these options to automatically import and confirm the assignments for you:
      • Imported user is an exact match to Okta user if:
        • Select Email matches
      • Allow partial matches:
        • Select Partial match on first and last name
      • Confirm matched users:
        • Select Auto-confirm exact matches
        • Select Auto-confirm partial matches
      • Under Confirm new users:
        • Select Auto-confirm new users


    4. Click Save.

    5. In the Udemy Business app, navigate to the Import tab.

    6. Click Import Now.


    Option 2: Review and self import 

    To self import users:

    1. On the Udemy Business app, navigate to the Import tab.
    2. Click Import Now.

    Step 5: Import groups to the new integration

    Note: You need to add all users to the new integration before you start adding groups.

    To import groups to the new integration:

    1. On the new Udemy Business app, navigate to the Push Groups tab. 

    2. Click Refresh App Groups.

    3. Select Push Groups > Find groups by name.


    4. On the left-hand side, click By name and use the Link Group option.


    5. Click Save or Save & Add Another and repeat the same process for the rest of your groups.

  • Configure SCIM Provisioning with Udemy’s SCIM API

    Overview

    System for Cross-Domain Identity Management (SCIM) is a standard API for automating user and group provisioning/deprovisioning, and updating user and group data from the customer’s Identity Provider (IdP) into the Udemy Business account.  SCIM is supported by a number of Identity Providers such as Okta, Azure AD, and OneLogin.  You can also utilize the Udemy Business SCIM API for other IdPs or home-grown tools.

    If your organization uses one of the following IdPs, please instead refer to our guides below for configuring SCIM:

    SCIM uses a standardized REST API with data formatted in JSON. Udemy Business supports version 2.0 of the SCIM standard. The API is available for all customers that are on the Enterprise plan.

    Udemy Business SCIM API supports the following features: 

    • Provisioning users
    • Deprovisioning users (deactivation)
    • Changing email addresses
    • Changing user details
    • Provisioning groups
    • Assigning licenses
    • Assigning users to license pools
    • Adding/removing users to groups

    Note: SCIM API tokens for Udemy Business last for approximately two years. Admins will be sent a notification:

    • 30 days before the token expiry
    • After the token expiry

    SCIM protocol description

    SCIM Protocol is an application-level REST protocol for provisioning and managing identity data on the web. The protocol is client-server where the client is the Identity Provider (IdP) and the server is Udemy Business.

    The basic flow is:

    • When the customer grants a user access to Udemy Business in the IdP, the IdP sends us a request to check whether that user exists in our database. It issues a User search request by an attribute like userName or email.
    • If the user does not exist, the IdP sends a request to create a user.
    • If the user exists, the IdP sends an update request for the user.
    • When access to Udemy Business is revoked, the IdP sends us a request to deactivate the user from our database.
    • IdP can also send requests to change user details.

    How to access the API?

    In order to obtain the authorization credentials to connect to the SCIM API, you will have to set up SCIM integration via Manage -> Settings -> Provisioning (SCIM) page in your Udemy Business account. Note that only Admins have access to this page. 

    Click Start Setup.


    In the next step, select Choose provider, then Custom.


    Click Generate token.


    On this screen, click Copy to copy the Bearer token to the clipboard.


     

    You will need to include the Authorization HTTP header with the Bearer token in your requests, for example:

    GET /scim/v2/Users HTTP/1.1
    Host: myorganization.udemy.com
    Accept: application/scim+json
    Authorization: Bearer <enter your Bearer token here>
    Content-Type: application/scim+json

    Udemy Business SCIM API uses the HTTP protocol and is only available over a secure HTTPS connection.

    The base URL for the API is: https://<yoursubdomain>.udemy.com/scim/v2/.

    If you are developing an application to interact with the Udemy Business SCIM API, it is recommended to refer to the SCIM RFCs included at the end of this document. Udemy Business SCIM API implementation is compliant with the standard.

    Rate limiting

    Udemy Business applies rate limiting to the SCIM API in accordance with the standard HTTP rate limiting protocol. If your request is rate limited, you will receive an HTTP 429 response and should wait and retry as specified in the Retry-After header.

    SCIM API endpoints

    Informational Endpoints

    These endpoints are informational and serve to configure the clients. They do not require authentication, so you don’t need to include the Authorization header when accessing these endpoints.

    GET /ServiceProviderConfig

    Returns details about Udemy Business SCIM implementation including which methods are supported.

    GET /Schemas

    Returns information about the schemas that our SCIM implementation supports. Supported schemas are Users and Groups.

    GET /Schemas/Users

    Returns all attributes that we support for User resources.

    GET /Schemas/Groups

    Returns all attributes that we support for Group resources.

    User endpoints

    Using these endpoints you can list users, filter by attributes, add new users, update  users’ information, or deactivate/anonymize users. 

    If the SCIM API does not return all users please contact Udemy Business Support.

    Supported attributes

     

    SCIM attribute | Required? | Description
    emails[type="work"]['value'] | Yes | Email of the user. Must be unique.
    userName | Yes | The userName from the IdP. Must be unique.
    active | Yes | Flag to deactivate/reactivate users.
    externalId | Yes | The externalId of the user from IdP. Must be unique.
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | Yes | The employeeNumber field from the enterprise schema; it is stored as the external_id field.
    costCenter | No | The name or code identifying the user's cost center.
    department | No | The name of the department the user belongs to.
    division | No | The name of the division the user belongs to.
    name.givenName | No | Given name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users.
    name.familyName | No | Family name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users.
    name, { givenName, familyName } | No | Given name and family name of the user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users.
    title | No | User’s job title, e.g. “Senior Engineer”.
    licenseTypes | No | A comma-separated list of license types. Accepted values: “Enterprise” or “Enterprise, Pro”.
    licensePoolName | No | The license pool name.
    manager.value (if manager is an object), else manager (if manager holds the value directly) | No | The SCIM id of the user’s manager.
    organization | No | The name of the organization the user belongs to.


    Note: If you specify any other attribute that is not on this list, it will be ignored.

    GET /Users

    Returns a paginated list of users, 12 users per page by default. You can pass in count and startIndex parameters to paginate through the result set. For example:

    GET /scim/v2/Users?startIndex=1&count=100 HTTP/1.1
    Host: myorganization.udemy.com
    Accept: application/scim+json
    Authorization: Bearer <enter your Bearer token here>

    • startIndex is the 1-based index of the first result in the current set of list results (offset).
    • count is the number of resources returned in a list response page (limit). You can retrieve no more than 1000 users in a single request. If this item is omitted it will default to 12.

    Example request

    GET https://demo.udemy.com/scim/v2/Users 
    {
    "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 18,
    "startIndex": 1,
    "Resources": [
    {
    "id": "KwLzN3",
    "externalId": "00u3mlhj4x1E482sK5d7",
    "userName": "firstName.lastName@domain.com",
    "name": {
    "givenName": "firstName",
    "familyName": "lastName",
    "formatted": "firstName lastName"
    },
    "emails": [
    {
    "value": "firstName.lastName@domain.com",
    "type": "work",
    "primary": true
    }
    ],
    "title": "",
    "active": true,
    "groups": [
    {
    "value": "NZOaw",
    "display": "Group Test",
    "$ref": "https://demo.udemy.com/scim/v2/Groups/NZOaw"
    },
    {
    "value": "dn1K8",
    "display": "NewGroup2",
    "$ref": "https://demo.udemy.com/scim/v2/Groups/dn1K8"
    }
    ],
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "meta": {
    "resourceType": "User",
    "location": "https://demo.udemy.com/scim/v2/Users/KwLzN3",
    "created": "2022-01-19T01:11:59Z",
    "lastModified": "2024-11-22T21:58:48Z"
    },
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "64e63"
    }
    },
    [...]
    ],
    "itemsPerPage": 12
    }
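
The paging and rate-limit rules above (1-based startIndex, count capped at 1000, HTTP 429 with Retry-After) can be combined in one client loop. This is an added example, not Udemy's code; the transport callback signature, the helper names and the three-user sample directory are assumptions made so that it runs offline.

```python
import json
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_COUNT = 1000  # the page's upper bound for `count`; the default is 12


def retry_after_seconds(headers, default=1.0):
    """Read Retry-After as delta-seconds or an HTTP-date; fall back to default."""
    value = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    if value is None:
        return default
    try:
        return max(0.0, float(value))
    except ValueError:
        pass
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return default
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - datetime.now(timezone.utc)).total_seconds())


def urllib_transport(url, headers):
    """Default transport: one GET, returned as (status, headers, body text)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses, including 429
        return err.code, dict(err.headers.items()), err.read().decode("utf-8")


def iter_scim_users(base_url, token, transport=urllib_transport, count=100,
                    max_retries=5, sleep=time.sleep):
    """Yield every User resource, following startIndex/count pagination."""
    if not base_url.startswith("https://"):
        raise ValueError("the SCIM API is only available over HTTPS")
    count = max(1, min(int(count), MAX_COUNT))
    headers = {"Accept": "application/scim+json",
               "Authorization": f"Bearer {token}"}
    start = 1  # startIndex is 1-based
    while True:
        url = f"{base_url.rstrip('/')}/Users?startIndex={start}&count={count}"
        attempts = 0
        while True:
            status, resp_headers, body = transport(url, headers)
            if status != 429:
                break
            attempts += 1
            if attempts > max_retries:
                raise RuntimeError(f"still rate limited after {max_retries} retries")
            sleep(retry_after_seconds(resp_headers))  # honour the server's delay
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status} for {url}")
        page = json.loads(body)
        resources = page.get("Resources", [])
        yield from resources
        start += len(resources)
        if not resources or start > int(page.get("totalResults", 0)):
            return


def demo():
    """Run the pager against a constructed three-user directory (no network)."""
    users = [{"id": "u1"}, {"id": "u2"}, {"id": "u3"}]  # constructed sample data
    calls, sleeps = [], []

    def fake_transport(url, headers):
        calls.append(url)
        if len(calls) == 1:  # the first call is throttled
            return 429, {"Retry-After": "2"}, ""
        query = dict(pair.split("=") for pair in url.split("?", 1)[1].split("&"))
        start, count = int(query["startIndex"]), int(query["count"])
        body = {"totalResults": len(users), "startIndex": start,
                "Resources": users[start - 1:start - 1 + count]}
        return 200, {}, json.dumps(body)

    ids = [u["id"] for u in iter_scim_users(
        "https://myorganization.udemy.com/scim/v2/", "constructed-token",
        transport=fake_transport, count=2, sleep=sleeps.append)]
    return ids, sleeps, calls


if __name__ == "__main__":
    print(demo())
```

Keep the Bearer token out of source control and logs; the loop only ever places it in the Authorization header.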

     

    GET /Users?filter=

    This endpoint is used to filter users by specific attributes. For example, it is possible to search by userName attribute:

    GET /Users?filter=userName eq "example.name"

    Note: In the example above, you will need to URL encode the URL parameters so the URL becomes:

    GET /Users?filter=userName%20eq%20%22example.name%22

    This will return a list of user resources. If there are no results, an empty list will be returned.

    GET /Users?filter=groups.value eq "{SCIM_Group_ID}"

    This will return all users who belong to this SCIM Group.

    The supported filters are:

    userName
    externalID
    emails[type eq=”work”]
    groups

    The supported operators are:

    and
    eq

    Response:

    • HTTP status code 200 with the list of entities on success
    • HTTP status code 501 if an unsupported filter is supplied
    POST /Users

    This endpoint is used to create (provision) new users in Udemy Business. 

    The response will contain an id attribute which should be used when referring to this user in all subsequent requests.

    Note that:

    • New users created this way will not take up a license until they sign in for the first time.
    • If there was an existing pending invitation for this user, it will get used at this point. 
      The user will get added to groups, be assigned appropriate role/course assignments according to what is specified in the invitation.
    • An attempt to create a user that already exists in Udemy Business will cause the user to become SCIM managed (displayed with a small link icon on the Manage Users page). Note that the user's status and license usage will not be changed. If the user was active,  they will remain active and if the user was deactivated they will remain deactivated.

    Example request

     

    POST https://demo.udemy.com/scim/v2/Users 
    {
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "active": true,
    "emails": [
    {
    "primary": true,
    "type": "work",
    "value": "demo.user@test.com"
    }
    ],
    "externalId" : "externalIdValue",
    "meta": {
    "resourceType": "User"
    },
    "userName": "DemoTest",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "externalIdValue"
    },
    "name": {
    "familyName": "Test",
    "formatted": "formatted",
    "givenName": "Demo"
    }
    }

    Example response

    {
    "id": "MPD698",
    "name": {
    "givenName": "Demo",
    "familyName": "Test",
    "formatted": "Demo Test"
    },
    "emails": [
    {
    "value": "demo.user@test.com",
    "type": "work",
    "primary": true
    }
    ],
    "title": "",
    "active": true,
    "groups": [],
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "meta": {
    "resourceType": "User",
    "location": "https://demo.udemy.com/scim/v2/Users/MPD698",
    "created": "2024-12-27T22:00:25Z",
    "lastModified": "2024-12-27T22:00:26Z"
    },
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "externalIdValue"
    },
    "userName": "DemoTest",
    "externalId": "externalIdValue"
    }
     

     

    Response:

    • HTTP status code 201 and the user’s resource on success
    • HTTP status code 409 if the member with the same userName already exists in the Organization
    • HTTP status code 400 with the error details in the response body if the request did not pass validation
    GET /Users/<id>

    This endpoint is used to retrieve user details for a specified user.

    The id parameter in the request above is a unique identifier that was returned when the user was created using SCIM or when listing all existing users.

    Response:

    • HTTP status code 200 with the user resource on success
    • HTTP status code 404 if the user has not been found
    PUT /Users/<id>

    This endpoint is used to replace (overwrite) user details in Udemy Business. If specified, attribute active can be used to deactivate or reactivate the user.

    Example request:

    PUT https://demo.udemy.com/scim/v2/Users/MPD698
    {
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "id": "MPD698",
    "userName": "demo.user@test.com",
    "externalId": "NewExternalID",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "NewExternalID"
    },
    "name": {
    "givenName": "demo",
    "familyName": "user"
    },
    "emails": [
    {
    "value": "demo.user@test.com",
    "type": "work",
    "primary": true
    }
    ],
    "active": true
    }

    Example response

    {
    "id": "MPD698",
    "name": {
    "givenName": "demo",
    "familyName": "user",
    "formatted": "demo user"
    },
    "emails": [
    {
    "value": "demo.user@test.com",
    "type": "work",
    "primary": true
    }
    ],
    "title": "",
    "active": true,
    "groups": [],
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "meta": {
    "resourceType": "User",
    "location": "https://demo.udemy.com/scim/v2/Users/MPD698",
    "created": "2024-12-27T22:00:25Z",
    "lastModified": "2024-12-27T22:17:52Z"
    },
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "NewExternalID"
    },
    "userName": "demo.user@test.com",
    "externalId": "NewExternalID"
    }
     

     

    Response:

    • HTTP status code 200 and the updated user resource
    • HTTP status code 404 if the user doesn’t exist.
    • HTTP status code 400 in case of an attempt to deactivate an organization owner.
    PATCH /Users/<id>

    This endpoint is used to make partial updates to the user details in our system, meaning that you can use it to change only some attributes of the user. This is in contrast to PUT which replaces the entire user. 

    It can contain the attribute active which will cause the user to be deactivated or reactivated.

    • The body of each request MUST contain the "schemas" attribute with the URI value of "urn:ietf:params:scim:api:messages:2.0:PatchOp".
    • The body of an HTTP PATCH request MUST contain the attribute "Operations", whose value is an array of one or more PATCH operations.  Each PATCH operation object MUST have exactly one "op" member, whose value indicates the operation to perform and MAY be one of "add", "remove", or "replace".
    • The “path” attribute can be empty, in this case “value” should be a dictionary in the format of {“path”: “value”}.

    Example request

    PATCH https://demo.udemy.com/scim/v2/Users/MPD698 
    {
    "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
    {
    "op": "replace",
    "path": "userName",
    "value": "DemoUserName"
    }
    ]
    }

    Example response

    {
    "id": "MPD698",
    "name": {
    "givenName": "demo",
    "familyName": "user",
    "formatted": "demo user"
    },
    "emails": [
    {
    "value": "demo.user@test.com",
    "type": "work",
    "primary": true
    }
    ],
    "title": "",
    "active": true,
    "groups": [
    {
    "value": "5ypNz",
    "display": "NewGroup",
    "$ref": "https://demo.udemy.com/scim/v2/Groups/5ypNz"
    }
    ],
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "meta": {
    "resourceType": "User",
    "location": "https://demo.udemy.com/scim/v2/Users/MPD698",
    "created": "2024-12-27T22:00:25Z",
    "lastModified": "2024-12-27T22:17:52Z"
    },
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "NewExternalID"
    },
    "userName": "DemoUserName",
    "externalId": "NewExternalID"
    }
     

    Response:

    • HTTP status code 200 with the updated user’s resource on success
    • HTTP status code 404 if the user was not found
    • HTTP status code 400 if attempting to deactivate an organization owner or in case of an invalid operation.
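
The basic flow described earlier (search by userName, then create or update, and deactivate on revocation) expressed as request planning. This is an added illustration, not code from Udemy or any IdP; the `desired` dict shape and the function names are assumptions, and filter values are serialised as JSON strings so that a quote inside a userName cannot alter the filter expression.

```python
import json
from urllib.parse import quote

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
FILTERABLE = {"userName", "groups.value"}  # the two filters shown in the page's examples


def filter_path(attribute, value):
    """Return the URL-encoded search path for `attribute eq "value"`."""
    if attribute not in FILTERABLE:
        raise ValueError(f"unsupported filter attribute: {attribute!r}")
    # json.dumps escapes quotes and backslashes, so the value stays one literal.
    expression = f"{attribute} eq {json.dumps(value)}"
    return "/Users?filter=" + quote(expression, safe="")


def create_body(desired):
    """POST /Users body shaped like the page's example request."""
    return {
        "schemas": [CORE_USER, ENTERPRISE_USER],
        "active": True,
        "userName": desired["userName"],
        "externalId": desired["externalId"],
        "emails": [{"primary": True, "type": "work", "value": desired["email"]}],
        "name": {"givenName": desired["givenName"],
                 "familyName": desired["familyName"]},
        ENTERPRISE_USER: {"employeeNumber": desired["externalId"]},
    }


def plan_request(search_response, desired):
    """Pick the next request of the basic flow, or None when nothing is needed.

    Returns (method, path, body). `search_response` is the parsed ListResponse
    from the userName search; `desired` is this example's own dict shape.
    """
    matches = search_response.get("Resources", [])
    if len(matches) > 1:
        raise ValueError("search matched more than one user; refusing to guess")
    if not matches:
        if not desired["active"]:
            return None  # access revoked and no account exists
        return "POST", "/Users", create_body(desired)
    current = matches[0]
    name = current.get("name", {})
    wanted = [
        ("active", desired["active"], current.get("active")),
        ("externalId", desired["externalId"], current.get("externalId")),
        ("name.givenName", desired["givenName"], name.get("givenName")),
        ("name.familyName", desired["familyName"], name.get("familyName")),
    ]
    # Send only the attributes that differ, one replace operation each.
    ops = [{"op": "replace", "path": path, "value": want}
           for path, want, have in wanted if want != have]
    if not ops:
        return None
    body = {"schemas": [PATCH_OP], "Operations": ops}
    return "PATCH", "/Users/" + quote(current["id"], safe=""), body


# Constructed sample data (field values borrowed from the page's examples).
DESIRED = {"userName": "DemoTest", "email": "demo.user@test.com",
           "externalId": "externalIdValue", "givenName": "Demo",
           "familyName": "Test", "active": True}
EXISTING = {"totalResults": 1, "Resources": [{
    "id": "MPD698", "userName": "DemoTest", "externalId": "externalIdValue",
    "name": {"givenName": "Demo", "familyName": "Test"}, "active": True}]}

if __name__ == "__main__":
    print(filter_path("userName", DESIRED["userName"]))
    print(plan_request({"totalResults": 0, "Resources": []}, DESIRED))
    print(plan_request(EXISTING, dict(DESIRED, active=False)))
```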

    Group endpoints

    Supported attributes

    SCIM attribute | Required? | Description
    displayName | Yes | Group title. Must be unique among all Udemy Business groups.
    externalId | No | The externalId of the group from the Identity Provider.

    Note: If you specify any other attribute that is not on this list, it will be ignored.

    GET /Groups

    This endpoint is used to get a paginated list of all provisioned groups. Include startIndex and count query string parameters to paginate through the results. 

    Bear in mind that only groups created using SCIM will be returned. Groups created from Udemy Business will not be returned.

    Example request

    GET https://demo.udemy.com/scim/v2/Groups
    {
    "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 6,
    "startIndex": 1,
    "Resources": [
    {
    "id": "NZOaw",
    "displayName": "Group Test",
    "members": [
    {
    "value": "KwLzN3",
    "display": "firstName lastName",
    "type": "User",
    "$ref": "https://demo.udemy.com/scim/v2/Users/KwLzN3"
    },
    {
    "value": "eBmzpr",
    "display": "user four",
    "type": "User",
    "$ref": "https://demo.udemy.com/scim/v2/Users/eBmzpr"
    }
    ],
    "externalId": null,
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "meta": {
    "resourceType": "Group",
    "location": "https://demo.udemy.com/scim/v2/Groups/NZOaw",
    "created": "2024-08-23T22:26:48Z",
    "lastModified": "2024-08-23T22:26:48Z"
    }
    },
    [...]
    ],
    "itemsPerPage": 12
    }
    GET /Groups?filter=

    This endpoint is used to filter groups by specific attributes. For example, it is possible to search by displayName attribute:

    GET /Groups?filter=displayName eq "Marketing"

     

    This will return a list of group resources. If there are no results, an empty list will be returned.

    Note that you will need to url encode the parameters, so the request becomes:

    GET /Groups?filter=displayName%20eq%20%22Marketing%22

    The supported filters are:

    displayName
    externalId
    Id
    member.value

    The supported operators are:

    and
    eq

    Response:

    • HTTP status code 200 with the list of entities on success
    • HTTP status code 501 if the non-supported filter is used
    POST /Groups

    This endpoint is used to create (provision) new groups in Udemy Business. 

    Response:

    • HTTP status code 409 (Conflict) with a scimType error code of uniqueness if a provisioned group with the same name already exists in the organization.
    • HTTP status code 201 (Created) with the full representation of the group, together with the Location header that contains the URL of the created group resource, when the group has been created successfully.

    GET /Groups/<id>

    This endpoint is used to fetch the group details from Udemy Business. 

    Response:

    • HTTP status code 200 and a group resource
    • HTTP status code 404 if the group has not been found
    POST /Groups

    This endpoint is used to create (provision) new groups in Udemy Business.

    Warning: When using the POST or PUT /scim/v2/Groups endpoint to create groups, do not include the members attribute in the request. Any members specified will be ignored. To add users to a group, first create the group, then make separate calls to the PATCH /scim/v2/Groups/ 

    Example request

    https://demo.udemy.com/scim/v2/Groups 
    {
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "displayName": "Group1",
    "externalId": "234523"
    }

    Example response

    {
    "id": "vREOw",
    "displayName": "Group1",
    "members": [],
    "externalId": "234523",
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "meta": {
    "resourceType": "Group",
    "location": "https://demo.udemy.com/scim/v2/Groups/vREOw",
    "created": "2025-01-15T22:24:54Z",
    "lastModified": "2025-01-15T22:24:54Z"
    }
    }
     
    PUT /Groups/<id>

    This endpoint is used to replace the group details in Udemy Business.

    Warning: When using the POST or PUT /scim/v2/Groups endpoint to create groups, do not include the members attribute in the request. Any members specified will be ignored. To add users to a group, first create the group, then make separate calls to the PATCH /scim/v2/Groups/ 

    Example request

    PUT https://demo.udemy.com/scim/v2/Groups/vREOw 
    {
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "displayName": "Group1",
    "externalId": "MPD699"
    }

    Example response

    {
    "id": "vREOw",
    "displayName": "Group1",
    "members": [],
    "externalId": "MPD699",
    "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "meta": {
    "resourceType": "Group",
    "location": "https://demo.udemy.com/scim/v2/Groups/vREOw",
    "created": "2025-01-08T21:12:53Z",
    "lastModified": "2025-01-15T22:35:55Z"
    }
    }

    Response:

    • HTTP status code 200 and the updated group resource
    • HTTP status code 404 if the group doesn’t exist. 
    PATCH /Groups/<id>

    This endpoint is used to make partial updates to group details in Udemy Business. 

    The PATCH endpoint is more tricky than others, as it supports different kinds of operations (and their combinations are possible):

    • replace operation changes the specified value. In our case it’s either group name or members.
    • remove operation removes a member from the group.
    • add operation adds members to the group.

    Example request

    PATCH https://demo.udemy.com/scim/v2/Groups/5ypNz 
    {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
    {
    "op": "add",
    "path": "members",
    "value": [
    {
    "display": "demo user",
    "$ref": "https://demo.udemy.com/scim/v2/Users/MPD698",
    "value": "MPD698"
    }
    ]
    }
    ]
    }

    Example response

    204 No Content

    The rules are the following:

    • We never remove unprovisioned members from the group (in case of `replace` members operation, for example).
    • PATCH request, regardless of the number of operations, SHALL be treated as atomic.

    The input validations are the following:

    • The body of each request MUST contain the "schemas" attribute with the URI value of "urn:ietf:params:scim:api:messages:2.0:PatchOp".
    • The body of an HTTP PATCH request MUST contain the attribute "Operations", whose value is an array of one or more PATCH operations.  Each PATCH operation object MUST have exactly one "op" member, whose value indicates the operation to perform and MAY be one of "add", "remove", or "replace".
    • The “path” attribute can be empty, in this case “value” should be a dictionary in the format of {“path”: “value”}.
    • For “Remove” operation the “members” path is required.
    • For the “Add” operation either “members” or “externalId” “path” should be present.
    • For “Replace” operation “members” path may be present. If it’s not there it means that we are replacing the group details (like group name) but not members.

    Note:

    • Assigning/unassigning users to a group happens asynchronously, so the changes won’t be reflected immediately in Udemy Business.
    • We do not support nested groups, so they will be ignored during this request.

    Response:

    • HTTP status code 204 if the operation was successful.
    • HTTP status code 404 if the group does not exist.
    • HTTP status code 404 with the error details if there is an attempt to assign a group to a user that’s not a member of the organization.
    • HTTP status code 400 with the error details in the response body if the request did not pass the validation
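
A home-grown client can check a group PATCH body against the input validations listed above before sending it, since a request that fails them returns HTTP 400. This is an added example, not Udemy's validator; accepting `members[...]` remove paths and mixed-case op names, and the member-list shape taken from the example request, are assumptions.

```python
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ALLOWED_OPS = {"add", "remove", "replace"}


def targets_members(path):
    """True for the bare 'members' path or a filtered 'members[...]' path (assumption)."""
    return path == "members" or path.startswith("members[")


def check_member_list(value, where):
    """Members are sent as a list of objects whose 'value' is the user's SCIM id."""
    if not isinstance(value, list):
        return [f"{where}: 'value' must be a list of members"]
    problems = []
    for member in value:
        if not isinstance(member, dict) or not isinstance(member.get("value"), str):
            problems.append(f"{where}: each member needs a string 'value'")
        elif member.get("type") == "Group":
            # Nested groups are not supported and are ignored by the server.
            problems.append(f"{where}: nested group {member['value']} would be ignored")
    return problems


def validate_group_patch(body):
    """Return a list of problems; an empty list means the body passes."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    problems = []
    schemas = body.get("schemas")
    if not isinstance(schemas, list) or PATCH_OP not in schemas:
        problems.append(f"'schemas' must contain {PATCH_OP}")
    operations = body.get("Operations")
    if not isinstance(operations, list) or not operations:
        problems.append("'Operations' must be an array of one or more operations")
        return problems
    for index, op in enumerate(operations):
        where = f"Operations[{index}]"
        if not isinstance(op, dict):
            problems.append(f"{where}: must be an object")
            continue
        name = op.get("op")
        name = name.lower() if isinstance(name, str) else None
        if name not in ALLOWED_OPS:
            problems.append(f"{where}: 'op' must be one of add, remove, replace")
            continue
        path = op.get("path")
        path = "" if path is None else path
        if not isinstance(path, str):
            problems.append(f"{where}: 'path' must be a string")
            continue
        if name == "remove" and not targets_members(path):
            problems.append(f"{where}: remove requires the 'members' path")
        elif name == "add" and path not in ("members", "externalId"):
            problems.append(f"{where}: add requires path 'members' or 'externalId'")
        elif not path and not isinstance(op.get("value"), dict):
            problems.append(f"{where}: with an empty path, 'value' must be a dictionary")
        elif path == "members" and name in ("add", "replace"):
            problems.extend(check_member_list(op.get("value"), where))
    return problems


# The page's own example request body, reproduced as test input.
PAGE_EXAMPLE = {
    "schemas": [PATCH_OP],
    "Operations": [{
        "op": "add",
        "path": "members",
        "value": [{"display": "demo user",
                   "$ref": "https://demo.udemy.com/scim/v2/Users/MPD698",
                   "value": "MPD698"}],
    }],
}

if __name__ == "__main__":
    print(validate_group_patch(PAGE_EXAMPLE))
    print(validate_group_patch({"schemas": [PATCH_OP],
                                "Operations": [{"op": "remove"}]}))
```

Because the request is treated as atomic, one failing operation means none of the operations in that body are applied, so it pays to validate the whole body first.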
    DELETE /Groups/<id>

    This endpoint is used to remove or deprovision a group in Udemy Business. 

    The rules are the following:

    • If the group contains non-provisioned members, remove provisioned users from the group, delete `OrganizationSCIMGroup` record.

    Response:

    • HTTP status code 204 if the operation was successful.
    • HTTP status code 404 if the group does not exist.

    Further Reading

  • Using Approved Email Domains to Give Users ‘Self-serve’ Access to Udemy Business

    We have two ways to provide your users with access to your Udemy Business account - through single sign-on (SSO) and by invitation sent by admins/group admins.

    This feature is an additional option if you use the invitation process, which gives your users a way to trigger the invitation email themselves from your account landing page (eg. company.udemy.com), once they use an approved/verified email address domain that has been pre-set by you, the admin.

    How to approve an email address domain

    On the page in Settings called Email Domain Access, admins can specify an email address domain (or multiple domains) that are approved for joining your Udemy Business account.

    email_domain_access.png

    This feature is available for both Team and Enterprise plans - but setting up the approved email domain in the Email Domain Access page is only accessible by owners and admins, not group admins.

    Sharing your account landing page URL for users to sign up

    You can share your Udemy Business account landing page URL with the users and groups in the organization who should have access, e.g. by Slack, email, wiki or intranet, or by simply adding the link to your learning management system (LMS).

    When a user accesses your account landing page URL, they can enter their email address to sign up, provided the email address entered matches an approved email domain that was pre-set by the admin.

    Please note: To maintain a secure and reliable platform, we require email validation when signing up for a new account. If you are experiencing issues, please review our troubleshooting steps.

    UB_login.jpg

    Once they enter an approved email address, they get an on-screen instruction to check their email to verify their account.

    check_your_email_for_invitation.png

    License usage and verification

    Users must complete signing up for their account in order to claim their license. 

    If there are no licenses available we present the user with the message below to contact their manager or IT department.

    all_licenses_have_been_allocated.png

    Users will then need to verify their account information via the link in the verification email they received. The verification link will expire in one hour*. Once they’ve verified their account, they’ll be able to sign up by adding their name, email and password.

    *Please note that Single Sign-On (SSO)/System for Cross-domain Identity Management (SCIM) users will not be put through this verification flow.

    send_verification_email.png

    activate_account_email.png

    If the email address the user enters does not match the approved email domain, they will see the message below and will be prevented from signing up.

    not_invited_to_this_account.png

    If there are no licenses available, we present the user with the message below to contact their manager or IT department.

    no_licenses.png

    Users that sign up through the approved email domain process will show in the Pending Invitations screen in Manage Users, but they will be distinguished as ‘Invited through approved email’.

    invited_through_approved_email.png

    This feature is available for both Team and Enterprise plans - but setting up the approved email domain in the User Access page is only accessible by owners and admins, not group admins.
