Configure Box Enterprise user provisioning

As an administrator, once you've set up SSO with Box® Enterprise, your next step is to set up automated user provisioning so that any identities you create, modify, or delete in G Suite are automatically reflected in Box Enterprise.

Set up user provisioning for Box Enterprise
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.
  3. Click the Box application.
  4. Select User provisioning.
  5. Under User provisioning, click Set up user provisioning.
  6. In the Authorize window, click Authorize.
    Box opens in the same tab. You are prompted for an authorization by Box. If you see the "Disabled by Administrator This application cannot be used because it is not allowed by your box administration" message, your Box administrator has blocked unpublished applications.
    You need to whitelist our application on Box. Complete the following instructions:
    1. Sign in to the Box Admin Console.
    2. Click Admin Console.
    3. Click the Settings icon.
    4. Click Business Settings or Enterprise Settings.
    5. In the banner menu, choose Apps.
      In the Applications Settings section, if the Unpublished apps box is checked, in the text box provided, enter the API Key: av79ru9rj0082v4efu5wciehe9qwojvu.
    6. Click Save.

    Note:

    • If you've authorized Google in the past, your Box application won't ask for your approval again. However, if you've revoked access and haven't reauthorized since, you'll be asked for authorization.
    • If you haven't signed in to your Box administrator account before clicking Authorize, you're prompted to sign into Box to authorize.

    Important: You might have to reauthorize if the admin password for Box has changed. Changing the admin password will cause the original authorization to be revoked.

  7. In the Map attributes dialog box:
    1. Next to the selected Cloud Directory attribute, click the Down arrow to map to the corresponding Box attribute. Attributes marked with (*) must be mapped.
    2. Click Next.
  8. (Optional) In the Set provisioning scope dialog box, add a group to restrict provisioning to members of groups you define:
    1. Click the underscore and begin typing your group name.
      A list of available groups appears.
    2. Select a group to add it. Another underscore opens so that you can add another group. Add more groups, if necessary.
    3. To remove any group you've added, click Edit next to it.
  9. Once you’re done, click Finish.
  10. Review the information in the Provisioning summary dialog box, then click OK.
  11. Click Activate provisioning.
    Note: If you added groups using the Set provisioning scope dialog box, you must choose a scope. Otherwise, the Activate Provisioning button remains grayed out. You must set the app to On for everyone or On for some organizations and refresh the page before activating provisioning. If the app is set to Off, this choice is grayed out.
  12. In the confirmation dialog box, click Activate.

Display user provisioning

Once provisioning is enabled, Google begins collecting usage information. Next to User Provisioning, you see the usage information section. There aren't any numbers next to the event names until you enable provisioning.

The following event names provide the usage information for the last 30 days:

  • Users created
  • Users suspended
  • Users hard deleted
  • User failures

For more information, see Monitor user provisioning.

Edit provisioning scope

You may want to restrict the scope of provisioning to members of groups you define.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.
  3. Click the Box application.
  4. Select User provisioning.
  5. Under User provisioning, click Edit provisioning scope.
  6. In the Set provisioning scope dialog box, add a group to restrict provisioning to members of groups you define:
    1. Click the underscore and begin typing your group name.
      A list of available groups appears.
    2. Select a group to add it. Another underscore opens so that you can add another group. Add more groups, if necessary.
    3. To remove any group you've added, click Edit next to it.
  7. Once you’re done, click Finish.
  8. The next time you click Edit provisioning scope, the groups you added appear in the Set provisioning scope window. If you've turned on the Box application for a set of organizational units, the provisioning scope will be restricted to those users in the added groups who are also members of those organizations.

Deactivate user provisioning

To disable user provisioning for Box Enterprise without losing all the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.
  3. Click the Box application.
  4. Select User provisioning.
  5. Under User provisioning, click Deactivate provisioning.
  6. In the Deactivate provisioning dialog box, click Deactivate.

Define deprovisioning timeframes

To define how long deprovisioning actions should be delayed before taking effect:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.
  3. Click the Box application.
  4. Select User provisioning.
  5. Under User provisioning, click Edit deprovisioning config.
  6. In the Deprovisioning configuration dialog box, select one or more of the following options to define how long deprovisioning actions should be delayed before taking effect:
    1. When an app is turned off for the user, suspend their account, hard delete their account, or both, after the number of days you choose.

      A suspended account is temporarily unavailable until it's restored.

      Box will only delete users without managed content.
    2. When a user is suspended on Google, suspend their account, hard delete their account, or both, after the number of days you choose.
    3. When a user is deleted from Google, suspend their account, hard delete their account, or both, after the number of days you choose.

      The amount of time before deprovisioning takes effect can be set to within 24 hours, after 1 day, after 7 days, or after 30 days.

      The default for each is to suspend the account within 24 hours. Always set the amount of time before hard deleting a user's account to more than the amount of time before suspending a user's account.
  7. Click Save.
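
The delay rules in the steps above can be checked against a planned configuration before you enter it in the dialog. The following Python code is an added example, not Google or Box code; the trigger names and the dictionary layout are assumptions made for illustration, and it calls no API.

```python
# Added example: lints a planned deprovisioning configuration against the rules
# stated on this page. The data layout and trigger names are assumptions; this
# is not a Google Admin console or Box API.
ALLOWED_DELAYS = {0: "within 24 hours", 1: "after 1 day",
                  7: "after 7 days", 30: "after 30 days"}
TRIGGERS = ("app_turned_off", "suspended_on_google", "deleted_from_google")
ACTIONS = ("suspend", "hard_delete")


def lint_deprovisioning(plan):
    """Return (errors, uncovered) for {trigger: {action: delay_in_days}}."""
    errors = []
    for trigger, actions in plan.items():
        if trigger not in TRIGGERS:
            errors.append(f"{trigger}: unknown trigger")
            continue
        for action, days in actions.items():
            if action not in ACTIONS:
                errors.append(f"{trigger}.{action}: unknown action")
            elif days not in ALLOWED_DELAYS:
                errors.append(f"{trigger}.{action}: {days} days is not a selectable delay")
        suspend, delete = actions.get("suspend"), actions.get("hard_delete")
        # Hard deletion must be scheduled strictly later than suspension.
        if suspend in ALLOWED_DELAYS and delete in ALLOWED_DELAYS and delete <= suspend:
            errors.append(f"{trigger}: hard delete ({ALLOWED_DELAYS[delete]}) is not "
                          f"later than suspend ({ALLOWED_DELAYS[suspend]})")
    # Triggers with no action selected have no deprovisioning step planned.
    uncovered = [t for t in TRIGGERS if not plan.get(t)]
    return errors, uncovered


# Constructed sample plan, not taken from a real tenant.
SAMPLE_PLAN = {
    "app_turned_off": {"suspend": 0, "hard_delete": 30},
    "suspended_on_google": {"suspend": 7, "hard_delete": 7},
}

if __name__ == "__main__":
    errors, uncovered = lint_deprovisioning(SAMPLE_PLAN)
    for line in errors:
        print("ERROR:", line)
    for trigger in uncovered:
        print("NOTE: no deprovisioning action planned for", trigger)
```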

Remove user provisioning

To disable user provisioning for Box Enterprise and remove all the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.
  3. Click the Box application.
  4. Select User provisioning.
  5. Under User provisioning, click Delete provisioning.
  6. In the Delete provisioning config dialog box, click Delete to deactivate user provisioning and remove all configuration information.

    Existing users on Box are not deprovisioned.

Important: If automatic provisioning stops and you need to reauthorize the application

If the admin password for Box Enterprise has changed, automatic provisioning will stop working. In this case, the original authorization is revoked by Box Enterprise, and you must reauthorize automatic provisioning.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.
  3. Click the Box Enterprise application.
  4. Select User provisioning.
  5. Click Re-authorize App.
  6. In the Authorize window, click Authorize.

    If you haven't recently signed in to Box Enterprise, you may need to sign in during reauthorization.

After reauthorization completes, you're returned to the Box Enterprise User Provisioning settings in Admin console.

Note: Your third-party application might revoke authorization for reasons other than the admin password changing. These reasons can include account inactivity, for example. Check the documentation for the third-party application for scenarios in which authorization can be revoked.
