Team authentication
Require multi-factor authentication, set up Single Sign-On, and provision dashboard accounts from your identity provider.
The authentication settings page controls how your team signs in to the WorkOS dashboard. From here you can verify your email domain, require all members to sign in through your identity provider, automatically provision and deprovision accounts, and enforce multi-factor authentication (MFA).
Only members with the Admin role can view or change authentication settings.
Before you can set up Single Sign-On or directory provisioning for your team, you must verify ownership of your email domain. The domain you verify must match the email domain of your dashboard account – for example, an admin signed in as alice@example.com must verify example.com.
The Domains section walks you through verification by adding a DNS record. Once the domain is verified, the Single Sign-On and directory provisioning sections become available.
The Single Sign-On section lets you require all team members to authenticate to the WorkOS dashboard via your identity provider, using the same SSO technology WorkOS provides to your applications.
Setting up SSO for your team requires:
- A verified domain matching your email domain (see Domains).
- An active production environment.
The setup flow opens a guided configuration experience where you connect your identity provider. Once the connection is active, team members sign in through your identity provider instead of using email-based authentication.
Multi-factor authentication enforcement is handled by your identity provider when your team authenticates through SSO, so the dashboard’s MFA requirement is not available while SSO is active.
The Directory provisioning section lets you automatically provision and deprovision dashboard accounts by syncing with your identity provider, using Directory Sync. Role assignments are also synced from your identity provider groups, so members’ dashboard roles are controlled centrally.
Two distinct WorkOS features are named “directory provisioning.” The feature on this page provisions members of your own WorkOS dashboard team from your identity provider, and you can set it up yourself. AuthKit Directory Provisioning provisions your application’s users and organization memberships from your customers’ directories, and is enabled by WorkOS support on request. When contacting support, specify which one you mean.
Directory provisioning requires:
- A verified domain matching your email domain (see Domains).
- An active production environment.
When setting up directory provisioning, make sure at least one user is in a group mapped to the Admin role. Otherwise your team can lose admin access to its own workspace.
Once directory provisioning is active, synced members are managed by the directory:
- Their access can only be revoked by removing them in your identity provider, not from the dashboard.
- Role changes made in the dashboard may be overridden on the next directory sync if the member belongs to an identity provider group that is mapped to a role.
The WorkOS MCP section controls whether your team can use the WorkOS MCP server to manage your workspace with AI agents. These settings apply to the entire team, and only admins can change them.
Three settings can be toggled independently. All are enabled by default:
- Enable – Allow this team to access the WorkOS dashboard over MCP. Turning this off disables MCP for the team entirely, which also disables the two settings below.
- Allow production access – Allow agents to access production environments. When off, MCP can only reach sandbox environments.
- Allow write access – Allow agents to perform write operations. When off, MCP is restricted to read-only operations.
The Additional security section lets admins require MFA for the whole team.
When the requirement is enabled, all team members must use multi-factor authentication to sign in. Anyone who hasn’t enrolled yet is prompted to enroll at their next sign-in.
Before you can enable the requirement, you must first enroll in MFA on your own account from your profile settings. The requirement is also unavailable when your team authenticates through SSO, since your identity provider enforces MFA in that case.
Disabling the requirement stops prompting new members to enroll, but members who already enrolled still complete MFA at sign-in unless an admin resets their factor.