In this guide

  1. SSO, SCIM & provisioning
  2. Domain capture
  3. Sharing
  4. Transcript retention
  5. Workspace membership
  6. Consent & notice
  7. Data export permissions
  8. Analytics & usage
  9. Connectors (API / MCP)
  10. Quick reference

01 — SSO, SCIM, directory sync & JIT provisioning

Enterprise-only configuration, with a minimum of 50 Enterprise seats. Contact your CSM or hey@granola.so (Backend Configuration).

Supported identity providers

  • Okta
  • Microsoft Entra ID
  • Google SAML
  • JumpCloud
  • Other SAML / SCIM providers

How to enable

Email your Granola contact with the provider you’d like to use and any required metadata (IdP metadata URL, ACS endpoint, signing cert). The team will configure it on the backend and confirm when it’s ready to test.

SSO-only login

Enterprise admins can require all users to sign in through SSO by disabling OAuth login methods (such as Google sign-in). Once OAuth login is disabled, users must authenticate through your configured identity provider to access Granola. This is typically used alongside domain capture to ensure that all users on your domain both join the correct workspace and authenticate through your organization’s identity provider.

New user onboarding with SSO

When domain capture and SSO are enabled, there is no need to create user accounts manually. New users are created when they first sign into Granola through your identity provider. During onboarding, they are directed to join your Enterprise workspace.

SCIM provisioning

SCIM (System for Cross-domain Identity Management) allows you to sync users between your identity provider and Granola. With SCIM enabled, user accounts are automatically created, updated, and deactivated based on changes in your identity provider. SCIM syncs user groups but does not automatically provision users who were created in Granola before SCIM was enabled. Existing users need to be provisioned separately in your identity provider’s SCIM configuration.
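
One way to find the accounts this leaves unmanaged, as an added example rather than Granola tooling: the script compares a workspace member list against the users assigned to Granola in your identity provider. The CSV layouts, the sample addresses and how you obtain the two lists are assumptions.

```python
import csv
import io

# Constructed sample data. The column names and the idea of a workspace
# member list in CSV form are assumptions for this example, not a Granola format.
WORKSPACE_MEMBERS_CSV = """email,status
alice@yourcompany.com,active
Bob@YourCompany.com,active
carol@yourcompany.com,active
dave@yourcompany.com,active
erin@partner.example,active
"""

# Users assigned to the Granola app in the IdP's SCIM configuration (constructed).
IDP_SCIM_ASSIGNMENTS_CSV = """email,active
alice@yourcompany.com,true
bob@yourcompany.com,true
dave@yourcompany.com,false
"""

VERIFIED_DOMAINS = {"yourcompany.com"}  # add secondary domains here


def _load(text, key_field, value_field):
    """Return {lowercased email: lowercased value} from CSV text."""
    rows = csv.DictReader(io.StringIO(text))
    return {r[key_field].strip().lower(): r[value_field].strip().lower() for r in rows}


def reconcile(members_csv, idp_csv, verified_domains):
    members = _load(members_csv, "email", "status")
    idp = _load(idp_csv, "email", "active")
    report = {"unmanaged": [], "deactivated_in_idp": [], "off_domain": []}
    for email, status in sorted(members.items()):
        if status != "active":
            continue
        domain = email.rsplit("@", 1)[-1]
        if domain not in verified_domains:
            report["off_domain"].append(email)  # invited guest, outside SCIM scope
        elif email not in idp:
            report["unmanaged"].append(email)  # likely predates SCIM: assign in the IdP
        elif idp[email] != "true":
            report["deactivated_in_idp"].append(email)  # IdP says inactive, workspace does not
    return report


if __name__ == "__main__":
    print(reconcile(WORKSPACE_MEMBERS_CSV, IDP_SCIM_ASSIGNMENTS_CSV, VERIFIED_DOMAINS))
```

Accounts listed under "unmanaged" are the ones that will not be deactivated by an offboarding change in the identity provider until they are added to its SCIM assignment.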

02 — Domain capture

Enterprise-only configuration. Contact your CSM or hey@granola.so (Backend Configuration).

What it does

Domain capture routes every signup from your verified domain into your enterprise workspace, so new hires don’t end up in their own personal accounts. Any user signing up with an @yourcompany.com address is automatically placed inside your enterprise workspace. Blocking the creation of new workspaces for your domain prevents shadow accounts and gives admins a single place to manage users.

When to request

Set this up before rolling Granola out to the broader org. Once you have more than a handful of personal accounts on your domain, migrating them in is straightforward but takes coordination.

03 — Sharing

Sharing controls determine how notes leave the workspace — both via shareable links and via outbound / inbound sharing with people on other accounts.

Location: Settings → Workspace → General → Data security → Link access settings

Sets the maximum access level for shareable links across the workspace. Changes apply retroactively to all existing notes and folders. Individual users cannot exceed this level, though they may choose a more restrictive default for new notes they create.

| Option | What it means |
| --- | --- |
| Allow public links | Anyone with the link can view the note, including people outside your workspace. |
| Only people at your company | Only signed-in Granola users on your verified email domain can open the link. Admins can add secondary domains for multi-domain organizations. |
| Restricted access | Only explicitly invited people can view. Links won’t work for anyone else. |

For how this interacts with per-user defaults, see Sharing controls.

Location: Settings → Preferences → Data & sharing → Default link sharing

Sets each user’s default when they create a new shareable link. Users can still change a link’s access on a per-note basis, but cannot exceed the workspace-wide limit set by an admin.

Adjacent sharing controls

Location: Settings → Workspace → General → Data security

  • Allow external sharing: When disabled, people in this workspace can only share notes and folders with email addresses on your verified domain. Turning this off forces all shares to stay internal.
  • Allow inbound sharing: When disabled, people outside your workspace cannot add people in this workspace to notes or folders. Turn this off to keep external content from landing in your tenant.

04 — Transcript retention

Contact Granola

Set how long raw meeting transcripts are kept before automatic deletion. Notes themselves are not affected — only the underlying transcript text.

Setting a retention window

Contact your CSM or Granola at hey@granola.so with the retention period you’d like (e.g. 30, 60, 90 days, or 1 year). Once set, transcripts older than that window are deleted automatically across the workspace.
Deletion is irreversible. Confirm with your security or legal team before requesting a short retention window. Once a transcript is deleted, Granola Chat can only reference the summarised note rather than the full meeting content — which may reduce the depth and accuracy of responses. Choose a retention period that balances compliance requirements with the value your team gets from AI-assisted meeting recall.
For more detail on how deletion works, see Transcript auto-deletion.

05 — Workspace membership & invites

Control how new people find and join your workspace — discoverability for matching domains, auto-join, and explicit invite links. By default, users with domains outside of your main domain should be invited under Team Settings; the shared link will not work for them.

Location: Settings → Workspace → General → Workspace invites & members

  • Allow workspace to be discovered: When users sign up with your company domain, the enterprise workspace is surfaced in the app so they know to join it.
  • Allow teammates to join automatically: Users with your domain are added to the enterprise workspace on signup, without needing approval or an invite link.
  • Invite links: Generate shareable links that drop a user directly into the workspace. Links won’t work for users outside your verified domain — add those individuals directly from Team settings.
  • Only admins can invite new users: Locks invites to admin accounts only. Request enablement from the Granola team — not exposed in the standard settings UI.

06 — Consent & notice

The “Heads Up” surface prompts users to disclose recording or get explicit consent at the start of a meeting. All controls here require Granola to enable them for your workspace.

Location: Settings → Workspace → General → Consent & notice management

What it controls

Whether (and how) users in your workspace are nudged to notify other attendees that a meeting is being captured. Use this when you have a legal or compliance requirement around recording disclosure.

None of the consent controls are visible to admins by default. Reach out to the Granola team with the behavior you need — e.g. “prompt users before every external meeting” — and they’ll enable the matching option.

Depending on what’s enabled for your workspace, controls may include automated notice emails, Heads Up pages, in-meeting notice, notice in meeting chat, and notice on video. See Heads Up for Enterprise.

07 — Data export permissions

Determines whether workspace members can export notes, transfer them to another account, or move them to a different workspace.

Location: Settings → Workspace → General → Data security → Data export permissions

  • Allow exporting data: Users can export their notes (Markdown, PDF, copy-out) from this workspace. Turn off to keep all content inside Granola.
  • Allow transferring notes to other accounts: Lets users move their own notes from this workspace to a different Granola account they own — e.g. taking notes with them when they leave.
  • Allow moving notes to other workspaces: Lets users move their own notes from this workspace into a different workspace they belong to.

These controls only affect user-initiated movement. Admin-level data export tools are separate and remain available regardless of these toggles.

08 — Analytics & usage data

Workspace-level dashboards showing adoption, active users, and note volume. Useful for tracking rollout and seat utilization.

Location: Settings → Analytics

What you’ll see

Active users over time, notes created per period, and adoption rollups across teams. Pair these with your rollout milestones to spot pockets that haven’t onboarded yet.

09 — Connectors (API & MCP)

Controls whether workspace users can connect Granola to outside AI tools via the personal API or the Model Context Protocol (MCP).

Location: Settings → Workspace → General → Apps & connectors

  • Allow user-scoped API keys / API access for members: When enabled, workspace members can create personal API keys and access notes according to the scope your admin configures.
  • Granola MCP: When on, users can connect Granola as an MCP source in Claude, ChatGPT, and other supported assistants.

Default for Enterprise

MCP is disabled by default for Enterprise workspaces. Individual users can’t enable it themselves — they’ll see “no tools available” until an admin turns it on here. For setup details, see MCP and Granola API.

Quick reference

Where each setting lives, and who can change it.

| Setting | Where to find it | Access |
| --- | --- | --- |
| SSO / SCIM / JIT | Backend — Okta, Entra ID, Google SAML, JumpCloud | Contact Granola |
| Domain capture | Backend — routes domain signups in | Contact Granola |
| Default link sharing (workspace) | Settings → Workspace → General → Data security | Self-serve |
| Default link sharing (per user) | Settings → Preferences → Data & sharing | Self-serve |
| External / inbound sharing | Settings → Workspace → General → Data security | Self-serve |
| Transcript retention period | Settings → Workspace → General → Data security | Contact Granola |
| Discoverability / auto-join / invites | Settings → Workspace → General → Workspace invites & members | Self-serve |
| Admin-only invites | Workspace invites — requires flag | Feature flag |
| Consent & notice (“Heads Up”) | Settings → Workspace → General → Consent & notice management | Feature flag |
| Export / transfer / move notes | Settings → Workspace → General → Data export permissions | Self-serve |
| Workspace analytics | Settings → Analytics | Self-serve |
| API / MCP access | Settings → Workspace → General → Apps & connectors | Self-serve |

Need a flag enabled or a backend change? Reach out at hey@granola.so.