> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Directory Sync (SCIM)

> Automatically provision and deprovision PromptGuard members from your identity provider

# Directory Sync (SCIM)

Directory Sync keeps your PromptGuard organization in lockstep with your identity provider. When you add, update, or deactivate a user in your directory (Okta, Microsoft Entra ID, Google Workspace, and more), PromptGuard reflects the change automatically — no manual invites, and no orphaned access when someone leaves.

<Note>
  Directory Sync is an **Enterprise** feature and works best alongside [SSO](/platform/sso). [Talk to us](mailto:sales@promptguard.co) to enable it.
</Note>

## Why use it

* **Automatic onboarding** — a new hire in your directory becomes a PromptGuard member without an invite.
* **Automatic offboarding** — deactivating a user in your directory revokes their PromptGuard access immediately. This is the control most security teams require.
* **One source of truth** — your directory, not a separate PromptGuard member list.

## Prerequisites

* An **Enterprise** PromptGuard organization.
* The **Owner** or **Admin** role.
* A directory that supports SCIM 2.0 (most major IdPs do).
* [SSO](/platform/sso) configured (recommended, so synced users sign in seamlessly).

## Set up Directory Sync

<Steps>
  <Step title="Open the SSO settings">
    In the dashboard, go to **Settings → SSO** and click **Configure Directory Sync**. PromptGuard opens the secure, hosted setup portal for your organization.
  </Step>

  <Step title="Connect your directory">
    In the portal, choose your IdP and follow its guided steps to connect your directory. The portal gives you the SCIM endpoint URL and bearer token to paste into your IdP's provisioning settings.
  </Step>

  <Step title="Assign users or groups">
    In your IdP, assign the users (or groups) who should have PromptGuard access to the connected application. Your IdP pushes them to PromptGuard.
  </Step>

  <Step title="Verify">
    Back in **Settings → Team**, confirm the assigned users now appear as members.
  </Step>
</Steps>

## What gets synced

| Directory event               | Effect in PromptGuard                                              |
| ----------------------------- | ------------------------------------------------------------------ |
| User created / assigned       | Account provisioned and added to your organization as a **Member** |
| User profile updated          | Name / email kept in sync                                          |
| User deactivated / unassigned | Removed from your organization — access revoked                    |

<Note>
  Synced users join as **Members**. Promote anyone who needs elevated access to **Admin** or **Owner** in **Settings → Team**, or grant project-specific roles in [project access settings](/platform/organizations#project-level-access). Role changes you make in PromptGuard are preserved across syncs.
</Note>

## Security

<Warning>
  Directory Sync events are accepted only when they carry a valid signature from your provisioning connection. PromptGuard rejects unsigned or tampered requests, so a forged event can't add or remove members.
</Warning>

* Deprovisioning is **immediate** — when your IdP sends a deactivate event, the member's PromptGuard sessions and access end right away.
* Directory Sync covers organization membership. It does not delete the user's historical audit-log entries, which are retained for compliance.

## Troubleshooting

<AccordionGroup>
  <Accordion title="Assigned users aren't appearing">
    Confirm the users (or their group) are assigned to the application in your IdP, and that provisioning/push is enabled there. It can take a minute for the first sync to propagate.
  </Accordion>

  <Accordion title="A removed user still has access">
    Check that your IdP sent a deactivate/unassign event. If the user signs in via a non-SSO method (e.g. a personal password set before SSO), remove them manually in **Settings → Team** and enforce SSO-only login.
  </Accordion>
</AccordionGroup>

## Next steps

<CardGroup cols={2}>
  <Card title="Single Sign-On (SSO)" icon="key" href="/platform/sso">
    Let synced users sign in with your identity provider.
  </Card>

  <Card title="Organizations & Teams" icon="people-group" href="/platform/organizations">
    Roles, members, and project-level access.
  </Card>
</CardGroup>
