Directory sync setup
Set up SCIM 2.0 directory sync to automatically provision, update, and deprovision teammates from your identity provider, with role and seat mapping.
Written By Robi Rohumaa
Last updated 3 days ago
Overview
Directory sync connects Featurebase to your identity provider over SCIM 2.0 (System for Cross-domain Identity Management), so your provider manages who's on your team. When you add, change, or remove a user there, Featurebase applies your access policy automatically – provisioning teammates, assigning roles, setting seats, and deprovisioning them when they leave.
Directory sync doesn't enforce SSO sign-in. That's a separate setting, covered in Enterprise SSO setup.
Note: Directory sync is available on the Enterprise plan and is switched on by our team first.
Supported providers
Directory sync works over SCIM. Supported identity providers include:
Okta
Microsoft Entra ID (formerly Azure AD)
Google Workspace
OneLogin
JumpCloud
PingFederate
Rippling
CyberArk
SailPoint
Don't see yours? You can connect any other SCIM provider with a custom connection. The list of supported providers grows over time, so reach out if you're unsure whether yours is covered.
Before you start
You need:
The Enterprise plan, with Directory sync enabled by our team
A role with the Manage SSO permission to set up the connection and rules
At least one verified company domain
Admin access to your identity provider
To unlink or re-link individual teammates later, your role also needs the Manage Team Members permission.
If the page shows that setup needs to be enabled by our team first, contact us from that page.
Verify your domain
Featurebase needs at least one verified company domain before Directory sync can manage synced teammates.
Under Enterprise identity, click Manage domains.
Add your company domain and follow the steps in the Featurebase Enterprise Identity Portal.
Connect directory sync
Click Set up directory sync.
Complete the SCIM setup in the Featurebase Enterprise Identity Portal, then return to Featurebase.
Confirm Directory connection shows your connection.
The Featurebase Enterprise Identity Portal gives your IT team the SCIM endpoint and token, plus the steps for your provider.
Set your access policy
Group rules decide which synced teammates get access, and what role and seat they receive. Open Directory sync access policy and add ordered group rules.
To add a rule:
Click Add rule under Ordered group rules.
Choose the IdP group.
Choose the Featurebase role.
Choose the Seat target.
Each rule maps one identity provider group to a role and seat. Rules save automatically once a group and role are set.
Note: Group rules only apply to users your identity provider sends to Featurebase. In your provider, assign the relevant users or groups to the Featurebase app – otherwise no one will sync.
How rule order works:
Rules run from top to bottom, and the first matching rule wins
Drag rules to change their order
A teammate who matches no rule doesn't get directory-synced access
Seat targets
Each rule sets a seat target:
Full seat – full workspace access based on the assigned role
Lite seat – a lighter seat for collaborators with simplified access
Full seat + Copilot – a Full seat with Copilot enabled, where available on your plan
Copilot is an add-on to a Full seat and isn't available with Lite seat.
Seats and billing
Synced teammates only take up a paid seat once they sign in. Until then they show as Provisioned and aren't billed.
On first sign-in, Featurebase activates the seat target from their group rule. What that means for billing depends on your plan.
Monthly plans
Seats are usage-based. When a synced teammate signs in for the first time, their mapped seat is added to your subscription automatically and billed from then on. You don't pre-buy seats – teammates are added to billing as they sign in.
Yearly plans
You have a fixed number of seats for your term. A synced teammate activates on first sign-in only if a seat of their mapped type is still available. If you're out of seats, they stay Provisioned and see an activation-pending message until there's room. To let them in:
Add more seats
Free a seat, for example by deprovisioning another teammate
Change their rule's seat target to a type that's available, such as Lite
Full seats, Lite seats, and Copilot each have their own limit. If a teammate's target includes Copilot but no Copilot capacity is free, they still get the Full seat, and Copilot is added once capacity opens up.
Note: When a synced teammate is removed, their seat is freed right away.
What gets synced
Once a teammate is managed by Directory sync, your identity provider is the source of truth for them. Directory sync keeps in sync:
Email and name
Role and seat, based on your group rules
Membership – adding teammates and removing them
It does not change your Featurebase teams. Group rules map an identity provider group to a role and seat only, so team membership stays managed in Featurebase. Other directory fields, like job title or phone number, aren't synced.
Turning on Directory sync with an existing team
You don't need to start from an empty workspace. When you turn on Directory sync, existing teammates are brought under management automatically as your identity provider sends their details, matched by email address.
On the first match, a teammate keeps their current role even if a group rule would assign a different one. Later changes follow your rules
Teammates who aren't in your directory stay manually managed – Directory sync won't touch them
If a teammate's email later changes in your identity provider, Featurebase updates it automatically
Tip: Set up your group rules before turning on Directory sync, and add anyone who should stay manual to Protected members first.
Protected members
Protected members are skipped by Directory sync. Their role, seat, and access aren't changed or removed by SCIM, even if their directory access changes. Use this for teammates who should keep manual access.
Add them under Exceptions & manual overrides. The workspace owner is always protected.
Manage individual teammates
To take one teammate out of Directory sync, go to Settings → Members and teams, open the member, and choose Unlink from directory sync. After unlinking:
You manage the teammate's role, seat, and access manually
Directory sync no longer changes or removes them
Choose Re-link to directory sync to hand them back. Re-linking works only if their directory user still exists and matches a mapped group.
On the Members page, badges show how each teammate is managed: SCIM-managed, Manual override, Protected, or Provisioned.
Re-sync the directory
Use Re-sync directory to have Featurebase re-check your directory's current state against your rules. Make sure your group rules are correct first.
Note: Re-syncing with no saved rules can remove access for SCIM-managed teammates, unless they're protected, unlinked, or the workspace owner.
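The first-match rule order and the re-sync warning above can be modelled in a few lines to check a rule set before you rely on it. This is an added example, not Featurebase code: the class and function names, the group names, the role names and the emails are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:                    # one ordered group rule: IdP group -> role + seat target
    group: str
    role: str
    seat: str

@dataclass
class Teammate:
    email: str
    groups: set = field(default_factory=set)   # IdP groups sent over SCIM
    active_in_idp: bool = True                  # False = deleted or deactivated
    protected: bool = False                     # listed under Protected members
    unlinked: bool = False                      # unlinked from directory sync
    owner: bool = False                         # workspace owner, always protected

def effective_access(rules, mate):
    """Evaluate rules top to bottom; the first matching rule wins."""
    for rule in rules:
        if rule.group in mate.groups:
            return rule.role, rule.seat
    return None                # no match: no directory-synced access

def resync_dry_run(rules, team):
    """Return the emails a re-sync would remove under the given rules."""
    removed = []
    for m in team:
        if m.protected or m.unlinked or m.owner:
            continue           # skipped by Directory sync
        if not m.active_in_idp or effective_access(rules, m) is None:
            removed.append(m.email)
    return removed

# Constructed sample data (hypothetical groups, roles and users).
RULES = [Rule("fb-everyone", "Member", "Lite seat"),   # broad rule placed first
         Rule("fb-admins", "Admin", "Full seat")]
TEAM = [Teammate("ana@example.com", {"fb-everyone", "fb-admins"}),
        Teammate("bo@example.com", {"fb-everyone"}, protected=True),
        Teammate("cy@example.com", {"sales"}),
        Teammate("di@example.com", set(), owner=True)]

if __name__ == "__main__":
    for m in TEAM:
        print(m.email, effective_access(RULES, m))
    print("removed with current rules:", resync_dry_run(RULES, TEAM))
    print("removed with no saved rules:", resync_dry_run([], TEAM))
```

With the broad group listed first, the teammate who is in both groups receives the broad rule's role, and reversing the order changes the result; an empty rule list removes every linked teammate who is not protected, unlinked, or the owner.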
What happens to teammates
Added
A teammate in a mapped group is added with that rule's role and seat target.
Updated
Featurebase updates their name, role, and seat target from your directory and rules. For active teammates, a later seat change doesn't move them back to Provisioned; if capacity is short, the change stays pending until capacity frees up.
Removed or deactivated
If a linked, unprotected teammate is deleted, deactivated, or no longer matches any rule, Featurebase removes their workspace access and signs them out.
Restored
To bring a removed teammate back, re-add them in your identity provider and make sure they match a group rule. The restore has to come from your identity provider – inviting them, an SSO sign-in, or a manual change in Featurebase won't do it.
If they were removed within the last 14 days, their previous role and seat come back automatically. After that, they return as a new teammate and pick up the role and seat from your group rules.