Microsoft Entra ID, previously named Azure, is a custom SAML application with limited automatic provisioning including user creation and removal. Roles, Custom Roles, and Teams cannot be assigned. You can set a default role. You can't set roles per user.

What you'll need

• Before you can set up provisioning, you need to have Microsoft Entra ID enabled for your Workspace.
  • Microsoft Entra ID is only available to Workspaces on the Enterprise Plan.
  • Only Workspace owners and admins can enable SAML.
• Only Microsoft Entra ID admins can configure Microsoft Entra ID SCIM.

Set up Microsoft Entra ID custom SAML application

To set up the custom SAML application:

1. Create a new custom SAML application in Microsoft Entra ID.
   

   This is not the official ClickUp Microsoft Entra ID Gallery application ClickUp Productivity Platform.

   
2. In ClickUp, click your Workspace avatar and in the upper-left corner.
3. Select Settings.
4. In the left sidebar, click Security & Permissions.
5. In the Single sign-on (SSO) section, select SAML.
   
6. For a new Microsoft Entra ID app, copy the SP Entity ID from ClickUp.
   
7. Paste the SP Entity ID from ClickUp into the Identifier (Entity ID) field in Microsoft Entra ID.
   
8. Copy the Single sign-on URL (ACS URL) from ClickUp and paste it into the Reply URL (Assertion Consumer Service URL) field in Microsoft Entra ID.
9. Click Save in Microsoft Entra ID.
   

Link SSO in ClickUp

Now that the application is set up, you can complete the SSO connection in ClickUp:

1. Ensure the person setting up the SSO integration is assigned in the Microsoft Entra ID app. Others can be added later.
2. Copy the Login URL and the IDP Public Certificate from Microsoft Entra ID.
   
3. Paste these values in plaintext to the corresponding empty ClickUp fields when selecting the SAML connector.
   • To get the certificate in plaintext, download and right-click the file to open it with a text editor of your choice. The text begins with -----BEGIN CERTIFICATE-----. Paste the entire text value without any edits into the IDP Public Certificate field.
      
4. Select Save metadata.
   
5. You'll be prompted to complete the link by logging in with SSO. If successful, you'll be redirected to ClickUp.
6. On the Security & Permissions page in ClickUp, you'll see three new options:
   • SCIM Base URL: You'll enter this info in the next step. 
   • SCIM API Token: You'll enter this info in the next step. 
   • Login policy: Choose one of these three options:
     • All users must use Microsoft Entra ID auth: All member-type and guest-type users are required to sign in with their Microsoft Entra ID account to access your Workspace.
     • All users except guests must use Microsoft Entra ID auth: Guest-type users aren't required to sign in with their Microsoft Entra ID account to access your Workspace.
     • Using Microsoft Entra ID auth is optional: Users can choose to sign in with their Microsoft Entra ID account to access your Workspace but aren't required to.
7. Go to the next step to provision the other people in your Workspace. 

Set up automatic provisioning with ClickUp

When adding a user profile to the custom SAML app, they're not a ClickUp user unless you provision them via SCIM.

Automatic provisioning runs on a 30-minute cycle and users assigned to the application will only be added when the next automatic provisioning cycle runs. 

To set up automatic provisioning:

1. In Microsoft Entra ID, open the Provisioning tab and change the dropdown from Manual to Automatic. This will cause the Admin Credentials window to appear in the Provisioning tab.
   • If you want to provision up to five users at a time manually, in the Provisioning tab, select Provision on demand.
     
2. Input the SCIM Base URL from your ClickUp Security & Permissions page into the Tenant URL field.
3. Input the SCIM API Token from your ClickUp Security & Permissions page into the Secret Token field.
4. Click Test Connection.
   
5. Once the test is successful, SCIM is set up in your Workspace. Users can sign in to ClickUp using Microsoft Entra ID.

Select the ClickUp user roles you want to provision

The user role defaults to member unless you select the ClickUp user roles you want to provision. 

To map Microsoft Entra ID to ClickUp user roles:

1. As an admin, sign into the Microsoft Entra admin center. 
2. Select Identity, Applications, then Enterprise applications.
3. From the Enterprise applications page, select your SAML app.
4. From the Overview page in the left sidebar, select Provisioning.
5. From the Provisioning page, click Mappings.
6. Select Provision Microsoft Entra ID Users to see a list of attributes.
7. Scroll to the bottom of the page and click the Show advanced options checkbox.
8. Click Edit attribute list.
   
9. Scroll to the last row of the Name column, and enter this string: urn:ietf:params:scim:schemas:extension:ClickUp:2.0:User:clickupRole.
10. From the dropdown in the Type column, ensure that String is selected. 
11. In the upper-left corner, click Save. 
    • If the name doesn't save, select Discard and try again. If you continue to see the name fail to save, try resetting your mappings to their defaults.
12. You are redirected to the Attribute Mapping page.
13. Select Add New Mapping.
14. From the Edit Attribute page, for Mapping type select Constant.
15. For Constant Value enter one of the following values: 
    • 2 for admins.
    • 3 for members.
    • 4 for guests. 
    • 100 for limited members.
16. For Target attribute, enter urn:ietf:params:scim:schemas:extension:ClickUp:2.0:User:clickupRole
17. Click OK and Save.
18. Any user you provision will be provisioned as that ClickUp user role.  
    • To map another user role, start at step 5 and select a different Constant Value. 

The following user role attributes can also be mapped: