Note: The functionality described in this article is available only to Grammarly Enterprise customers. If you’re interested in enabling this feature, please contact your Customer Success Manager or the Grammarly Support team.
This guide provides the steps required to configure SCIM provisioning for Grammarly in Microsoft Entra ID (Azure AD). For general information about SCIM provisioning, please refer to this article: Configure SCIM provisioning
Topics covered in this article:
- Features
- Requirements
- Step-by-Step Configuration Instructions
- Provisioning of already assigned users
- Monitoring Deployment
- Resolve Issues
Features
The following provisioning features are supported in Microsoft Entra ID:
- Create users in Grammarly
- Remove users in Grammarly when they no longer require access
- Keep user attributes synchronized between Microsoft Entra ID and Grammarly
Requirements
- A Microsoft Entra ID tenant
- A user account in Microsoft Entra ID with permissions to configure provisioning (e.g., Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator)
- A Grammarly Enterprise account with the admin role or a designated custom role
- A Grammarly app configured in Microsoft Entra ID
- SAML Single Sign-On (SSO) enabled in Grammarly
Step-by-Step Configuration Instructions
- Log in to your Grammarly account, go to the Provisioning page, and click Configure.
- Click the Activate SCIM button.
- Generate a SCIM token by clicking the Create token link.
- Copy the SCIM token for future use, click Got it, and close the window.
- Sign in to the Microsoft Azure portal. Select Enterprise applications, then select All applications.
- In the applications list, select Grammarly.
- Select the Provisioning tab.
- Set the Provisioning Mode to Automatic.
- Under the Admin Credentials section, in the enter Tenant URL field enter https://sso.grammarly.com/scim/v2, and in the Secret Token field enter the token provided by Grammarly (see Step 4 above). Click Test Connection to ensure Microsoft Entra ID can connect to Grammarly. If the connection fails, ensure your Grammarly account has Admin permissions and try again.
- In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the box next to Send an email notification when a failure occurs check.
- Select Save.
- Under the Mappings section, select Synchronize Azure Active Directory Users to Grammarly.
- Review the user attributes that are synchronized from Microsoft Entra ID to Grammarly in the Attribute-Mapping section. The attributes selected as Matching properties are used to match the user accounts in Grammarly for update operations. If you choose to change the matching target attribute, you will need to ensure that the Grammarly API supports filtering users based on that attribute. Select the Save button to commit any changes.
- To configure scoping filters, refer to the following instructions provided in the scoping filter tutorial.
- To enable the Microsoft Entra ID provisioning service for Grammarly, change the Provisioning Status to On in the Settings section.
- Define the users and/or groups that you would like to provision to Grammarly by choosing the desired values in Scope in the Settings section.
- When you are ready to provision, click Save.
This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every forty minutes as long as the Microsoft Entra ID provisioning service is running.
Provisioning of already assigned users
If you already have team members in your Grammarly subscription and turn on provisioning, a reconciliation process needs to happen. As part of this process, Microsoft Entra ID will notify Grammarly of all assigned users. Grammarly will reconcile users already invited via a provisioning request from the identity provider and their status will be reflected on the Members page. To determine users who haven’t been reconciled with Microsoft Entra ID, access the Provisioning page. If there are users who haven’t yet been provisioned by the identity provider, the Provisioning page will show a warning banner. Click the Download report link to download a CSV file containing the list of members that haven’t yet been provisioned. This report can be used to bulk delete outstanding users, if appropriate, or for manual processing.
Monitoring Deployment
Once you’ve configured provisioning, use the following resources to monitor your deployment:
- Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully.
- If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. You can learn more about quarantine states in this article by Microsoft: Application provisioning in quarantine status
Resolve Issues
- When assigning users and groups to Grammarly, you must select a role other than Default Access. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can update the application manifest to add additional roles.
- When users are deactivated in Microsoft Entra ID, they will be deactivated in Grammarly. Users will not be able to log in to the application, but their data will remain available as an “inactive user.” After 30 days, their accounts will be deleted completely.