ContractRabbit Docs
Security & Privacy

Identity and onboarding

Supported identity providers, workspace onboarding paths, roles, authorization, and Enterprise Entra ID with SCIM.

Overview

ContractRabbit supports two identity paths:

  • Self-serve identity for Free, Basic, and Team workspaces - Users sign in with email/password, Google, or Microsoft. Microsoft sign-in works for Microsoft Entra ID-backed work accounts, formerly Azure AD, but it is an OAuth sign-in path, not directory sync.
  • Enterprise identity for Enterprise workspaces - Customers connect Microsoft Entra ID, formerly Azure AD, through a Clerk Enterprise Connection with SAML SSO and SCIM directory sync.

Authentication proves who the user is. Workspace authorization is separate: a user must also be allowed into a ContractRabbit workspace by invitation, verified-domain policy, access request approval, or enterprise SCIM membership.

Supported providers by plan

| Plan | Account sign-in | Customer-managed access | Directory sync |
|---|---|---|---|
| Free | Email/password, Google, Microsoft, including Microsoft Entra-backed work accounts | Single-user workspace | Not included |
| Basic | Email/password, Google, Microsoft, including Microsoft Entra-backed work accounts | Invites and seat limits | Not included |
| Team | Email/password, Google, Microsoft, including Microsoft Entra-backed work accounts | Invites, verified domains, access requests, optional auto-join for verified domains, seat limits | Not included |
| Enterprise | Email/password, Google, Microsoft where allowed; Enterprise SAML SSO | Customer IT-managed access through Entra assignment, SAML, SCIM, groups, and ContractRabbit roles | Microsoft Entra SCIM |

Google and Microsoft social sign-in are authentication providers. They do not, by themselves, grant workspace access or synchronize a customer directory into ContractRabbit.

Self-serve onboarding

Self-serve workspaces use Clerk for account management and ContractRabbit for workspace authorization.

  1. A user signs up or signs in with email/password, Google, or Microsoft.
  2. ContractRabbit creates or updates the local user profile from the identity provider.
  3. ContractRabbit checks whether the user is authorized for a workspace.
  4. Access is granted only if an invite, approved access request, verified-domain policy, or existing membership allows it.
  5. Seat limits are checked before new users are added.

Microsoft sign-in can use Entra-backed work accounts. This gives users a familiar corporate login, but it does not provide SCIM provisioning, deprovisioning, Entra group-to-role mapping, or proactive lifecycle sync.

Team access controls

Workspace admins can manage access from Admin > Settings > Security.

Invites

Admins can invite users directly from Admin > Settings > Members. ContractRabbit checks active seats and pending invitations before sending a new invite.

Verified domains

Admins can add allowed email domains and verify ownership with a DNS TXT record. Verified domains can be used for:

  • Showing that a workspace controls a corporate domain.
  • Allowing verified-domain users to request access.
  • Allowing verified-domain users to auto-join when policy and seat limits allow it.
  • Requiring Microsoft sign-in for selected domains.
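The ownership check behind a verified domain, shown here as an added TypeScript example that is not ContractRabbit's code: it normalizes the domain, joins chunked TXT values, and accepts only an exact match of the expected record, so a lookalike or suffixed value cannot pass. The record format, the resolver interface and the sample record set are assumptions constructed for the example; in production the record set would come from a resolver such as Node's dns.promises.resolveTxt, which returns each TXT record as an array of string chunks.

```typescript
// Added example, not ContractRabbit's code: checking a domain-ownership TXT record
// before a domain is trusted for access requests or auto-join. The record format,
// the resolver interface and the records below are assumptions/constructed.

export type TxtRecordSet = string[][]; // one inner array of chunks per TXT record
export type VerifyOutcome = { verified: boolean; reason: string };

// Lower-case, strip a trailing dot, and accept only a plain multi-label hostname.
export function normalizeDomain(input: string): string | null {
  const d = input.trim().toLowerCase().replace(/\.$/, "");
  const label = "[a-z0-9]([a-z0-9-]*[a-z0-9])?";
  return new RegExp("^" + label + "(\\." + label + ")+$").test(d) ? d : null;
}

// The value an admin is told to publish. The token must be unguessable and bound
// to one workspace, so a record published for another tenant cannot be reused.
export function expectedRecord(token: string): string {
  return "contractrabbit-verification=" + token; // assumed record format
}

export function checkTxtRecords(domain: string, token: string, records: TxtRecordSet): VerifyOutcome {
  const host = normalizeDomain(domain);
  if (host === null) return { verified: false, reason: "invalid domain" };
  const expected = expectedRecord(token);
  // Long TXT values arrive split into chunks; join them before comparing.
  // Exact equality, not a substring match, so a value with extra characters
  // appended to the token does not verify.
  const values = records.map((chunks) => chunks.join("").trim());
  if (values.some((v) => v === expected)) {
    return { verified: true, reason: "record matched on " + host };
  }
  return { verified: false, reason: "verification record not found on " + host };
}

// Constructed record set in the shape a resolver returns it: an unrelated SPF
// record, the verification record split into two chunks, and a near-miss value.
export const sampleRecords: TxtRecordSet = [
  ["v=spf1 include:_spf.example.com -all"],
  ["contractrabbit-verification=", "tok-5e8a1c"],
  ["contractrabbit-verification=tok-5e8a1cextra"],
];
```

Run the check only after the admin has published the record; until it returns verified, the domain should not be eligible for access requests, auto-join, or a Microsoft requirement.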

Access modes

Team access policy supports three modes:

  • Invite-only - Only explicitly invited users can join.
  • Request access - Verified-domain users can request access. Admins approve or deny requests in Security settings.
  • Auto-join verified domains - Verified-domain users can join automatically when the domain permits auto-join and the plan seat limit has room.

Microsoft requirement

Admins can require Microsoft sign-in for selected verified domains or for the workspace access policy. This is useful when the customer wants users to authenticate with their Entra-backed Microsoft work account without purchasing Enterprise SAML/SCIM.

Customer IT can also restrict Microsoft OAuth access in Entra by configuring the ContractRabbit Microsoft Enterprise Application with Assignment required and assigning allowed users or groups. That limits who can get Microsoft tokens for ContractRabbit, but ContractRabbit still enforces its own workspace authorization, roles, and seat limits.

Enterprise Entra ID and SCIM

Enterprise customers can use Microsoft Entra ID as the authoritative identity and lifecycle source.

Enterprise setup uses:

  • Clerk Organization scoped to the ContractRabbit team.
  • Clerk Microsoft Entra SAML Enterprise Connection.
  • SAML SSO configured by customer IT in Entra.
  • SCIM directory sync from Entra into Clerk.
  • Group-to-role mapping for ContractRabbit organization roles.

The customer IT admin controls assignment, provisioning, and deprovisioning in Entra. ContractRabbit configures the enterprise connection, SCIM setup, and role mapping needed to connect the customer directory to the ContractRabbit workspace. Customer admins see read-only connection status from Admin > Settings > Enterprise Identity.

Enterprise onboarding sequence

| Step | Owner | Action |
|---|---|---|
| 1 | ContractRabbit | Creates or selects the customer organization record for the enterprise workspace. |
| 2 | ContractRabbit | Creates the Microsoft Entra SAML Enterprise Connection scoped to the customer organization and approved domain. |
| 3 | ContractRabbit | Provides the SAML Entity ID, Reply URL, and any required setup values to customer IT. |
| 4 | Customer IT | Configures SAML in Microsoft Entra using the values provided by ContractRabbit. |
| 5 | Customer IT | Provides the Federation Metadata URL to ContractRabbit. |
| 6 | ContractRabbit | Enables SCIM and provides the SCIM Tenant URL and bearer token to customer IT through an approved secure channel. |
| 7 | Customer IT | Enables automatic provisioning in Microsoft Entra and maps the required SCIM attributes. |
| 8 | Customer IT | Assigns the approved users and groups to the Microsoft Entra Enterprise Application. |
| 9 | ContractRabbit | Maps pushed groups to ContractRabbit organization roles such as org:admin and org:member. |
| 10 | ContractRabbit | Monitors connection status, stale syncs, missing mappings, webhook failures, and local membership mismatches. |

SCIM attributes

The expected SCIM mapping includes:

  • userName
  • email
  • name.givenName
  • name.familyName
  • active

Admin and member groups should be pushed from Entra and mapped to ContractRabbit organization roles. When a user appears in more than one mapped group, the admin mapping takes precedence.
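How the attribute set above and the group-to-role precedence rule look in code, as an added TypeScript example that is not ContractRabbit's or Clerk's code: a parser that validates a SCIM 2.0 User resource down to the attributes this page relies on, a role resolver in which org:admin wins over org:member, and an apply step that treats `active: false` as the deprovisioning signal and fails closed when no mapped group is present. The Entra group names, the local store shape and the sample payload are assumptions constructed for the example, and group membership is passed in as names already resolved from the pushed Group resources rather than read from the User resource.

```typescript
// Added example, not ContractRabbit's or Clerk's code: parsing a SCIM 2.0 User
// resource and resolving an organization role from pushed group membership.
// Group names, the store shape and the payload below are assumptions/constructed.

export type OrgRole = "org:admin" | "org:member";

export type ScimUser = {
  id: string;
  userName: string;
  givenName: string;
  familyName: string;
  email: string;   // primary email, lower-cased
  active: boolean;
};

export type ProvisionResult =
  | { action: "upsert"; user: ScimUser; role: OrgRole }
  | { action: "deprovision"; id: string }
  | { action: "reject"; error: string };

// Assumed Entra group display names mapped to ContractRabbit roles.
export const GROUP_ROLE_MAP: { [group: string]: OrgRole } = {
  "ContractRabbit Admins": "org:admin",
  "ContractRabbit Members": "org:member",
};

const isObj = (v: unknown): v is { [k: string]: unknown } => typeof v === "object" && v !== null;

// Validate the attribute subset this page lists; everything else is ignored.
export function parseScimUser(json: string): ScimUser | { error: string } {
  let raw: unknown;
  try { raw = JSON.parse(json); } catch { return { error: "invalid JSON" }; }
  if (!isObj(raw)) return { error: "not an object" };
  if (typeof raw["id"] !== "string" || raw["id"] === "") return { error: "missing id" };
  if (typeof raw["userName"] !== "string" || raw["userName"] === "") return { error: "missing userName" };
  // active is required here: an absent flag must not silently provision the user.
  if (typeof raw["active"] !== "boolean") return { error: "missing active" };
  const name: { [k: string]: unknown } = isObj(raw["name"]) ? raw["name"] : {};
  const emails: unknown[] = Array.isArray(raw["emails"]) ? raw["emails"] : [];
  const withValue = emails.filter((e) => isObj(e) && typeof e["value"] === "string");
  const primary = withValue.filter((e) => isObj(e) && e["primary"] === true);
  const chosen = primary.length > 0 ? primary[0] : withValue.length > 0 ? withValue[0] : null;
  if (!isObj(chosen)) return { error: "missing email" };
  return {
    id: raw["id"],
    userName: raw["userName"],
    givenName: typeof name["givenName"] === "string" ? name["givenName"] : "",
    familyName: typeof name["familyName"] === "string" ? name["familyName"] : "",
    email: String(chosen["value"]).toLowerCase(),
    active: raw["active"],
  };
}

// Admin wins when a user is in more than one mapped group; unmapped groups are ignored.
export function resolveRole(groupNames: string[], map = GROUP_ROLE_MAP): OrgRole | null {
  let role: OrgRole | null = null;
  for (const g of groupNames) {
    const mapped: OrgRole | undefined = map[g];
    if (mapped === "org:admin") return "org:admin";
    if (mapped === "org:member") role = "org:member";
  }
  return role;
}

export function applyScimUser(json: string, groupNames: string[]): ProvisionResult {
  const parsed = parseScimUser(json);
  if ("error" in parsed) return { action: "reject", error: parsed.error };
  // active=false is the deprovisioning signal: drop the membership regardless of groups.
  if (!parsed.active) return { action: "deprovision", id: parsed.id };
  const role = resolveRole(groupNames);
  // Fail closed: a user with no mapped group gets no role rather than a default one.
  if (role === null) return { action: "reject", error: "no mapped group for " + parsed.userName };
  return { action: "upsert", user: parsed, role };
}

// Constructed payload in the shape of a SCIM 2.0 User resource.
export const SAMPLE_SCIM_USER = JSON.stringify({
  schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
  id: "f3a1c2d4-0000-4000-8000-000000000001",
  userName: "jdoe@example.com",
  name: { givenName: "Jane", familyName: "Doe" },
  emails: [{ value: "JDoe@example.com", primary: true }],
  active: true,
});
```

Rejections from `applyScimUser` are what the monitoring step in the onboarding sequence should surface as missing mappings, since a pushed user who lands in no mapped group is otherwise invisible until they try to sign in.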

Roles and authorization

ContractRabbit uses tenant-scoped authorization. Application data belongs to a team, and server-side use cases and API routes resolve the current team before reading or writing team data.

Workspace roles are:

  • Admin (org:admin) - Can manage settings, billing, members, access policy, domains, security settings, API keys, review policy, and audit views.
  • Member (org:member) - Can use workspace features such as documents, matters, agent workflows, standards, and search, subject to feature-level permissions and plan limits.

Admin routes and mutating team-management APIs require admin role checks. Members cannot grant themselves workspace access through client-side state; authorization is enforced on the server.

Billing and seat enforcement

Seats are counted from active organization membership. Pending invitations are included before a new invitation is sent so admins cannot bypass plan limits by over-inviting.

ContractRabbit checks seat limits before:

  • Sending an invite.
  • Approving an access request.
  • Auto-joining a verified-domain user.
  • Accepting a new organization membership from webhooks or SCIM.

When a member is added or removed, ContractRabbit syncs Stripe subscription quantity for non-enterprise paid plans. Enterprise plans use contracted/custom seat terms unless the customer agreement configures a limit.
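Seat accounting for the four checkpoints listed above, as an added TypeScript example that is not ContractRabbit's code: pending invitations are counted against the limit, accepting an invitation converts a reserved seat rather than consuming a new one, and the Stripe quantity to sync is derived only for non-enterprise paid plans. Plan names, the event set and the sample ledger are assumptions constructed for the example.

```typescript
// Added example, not ContractRabbit's code: a seat ledger that counts pending
// invitations against the plan limit, gates seat-consuming events, and derives
// the Stripe subscription quantity. Plan names, events and numbers are assumptions.

export type Plan = "free" | "basic" | "team" | "enterprise";

export type SeatLedger = {
  plan: Plan;
  seatLimit: number | null; // null: no configured limit (enterprise default)
  activeMembers: number;
  pendingInvites: number;
};

// Events that need a free seat, plus the two that convert or release one.
export type SeatEvent =
  | "send-invite"        // reserves a seat while the invitation is pending
  | "approve-request"    // admin approves an access request
  | "auto-join"          // verified-domain user joins automatically
  | "accept-membership"  // membership created by a webhook or SCIM push
  | "accept-invite"      // invitee accepts: the pending seat becomes an active one
  | "remove-member";

export type SeatResult = { ok: boolean; ledger: SeatLedger; error?: string };

export function seatsInUse(l: SeatLedger): number {
  return l.activeMembers + l.pendingInvites;
}

export function hasFreeSeat(l: SeatLedger): boolean {
  return l.seatLimit === null || seatsInUse(l) < l.seatLimit;
}

export function applySeatEvent(l: SeatLedger, ev: SeatEvent): SeatResult {
  switch (ev) {
    case "accept-invite":
      // No limit check: the seat was reserved when the invitation was sent.
      if (l.pendingInvites < 1) return { ok: false, ledger: l, error: "no pending invitation" };
      return { ok: true, ledger: { ...l, pendingInvites: l.pendingInvites - 1, activeMembers: l.activeMembers + 1 } };
    case "remove-member":
      if (l.activeMembers < 1) return { ok: false, ledger: l, error: "no members" };
      return { ok: true, ledger: { ...l, activeMembers: l.activeMembers - 1 } };
    default:
      // send-invite, approve-request, auto-join and accept-membership all consume a seat.
      if (!hasFreeSeat(l)) return { ok: false, ledger: l, error: "seat limit reached" };
      return ev === "send-invite"
        ? { ok: true, ledger: { ...l, pendingInvites: l.pendingInvites + 1 } }
        : { ok: true, ledger: { ...l, activeMembers: l.activeMembers + 1 } };
  }
}

// Quantity to push to Stripe after a membership change; null means no sync
// (free has nothing to bill, enterprise uses contracted terms).
export function stripeQuantity(l: SeatLedger): number | null {
  return l.plan === "basic" || l.plan === "team" ? l.activeMembers : null;
}

// Constructed starting point: a Team workspace with 3 seats, 2 in use.
export const sampleLedger: SeatLedger = { plan: "team", seatLimit: 3, activeMembers: 2, pendingInvites: 0 };
```

Because `send-invite` reserves a seat immediately, a second invitation into the sample ledger is refused even though only two members are active, which is the over-inviting case the text describes.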

What each path does not do

Self-serve Google and Microsoft sign-in do not:

  • Create a per-customer SAML connection.
  • Sync a full Google Workspace or Entra directory.
  • SCIM-provision or SCIM-deprovision users.
  • Reliably map external groups to ContractRabbit roles.

Enterprise Entra ID with SCIM does:

  • Let customer IT manage assignment in Entra.
  • Provision and deprovision users.
  • Push group membership for role mapping.
  • Support proactive lifecycle controls beyond sign-in-time profile sync.
