Granola Multi-Environment Setup

Overview

Configure Granola for multi-workspace enterprise deployments with SSO-based user provisioning, per-workspace integration configuration, and compliance controls. Each workspace operates as an isolated unit with its own folders, integrations, sharing rules, and retention policies.

Prerequisites

• Granola Enterprise plan ($35+/user/month)
• Organization admin access in Granola
• Identity provider configured (Okta, Azure AD, or Google Workspace)
• Team structure and workspace plan documented

Instructions

Step 1 — Plan Workspace Structure

Map your organization to Granola workspaces:

Step 2 — Create Workspaces

1. Navigate to Organization Settings > Workspaces
2. For each workspace:

• Name: Department name (e.g., "Engineering")
• Description: Purpose and scope
• Owner: Department lead (Workspace Admin role)
• Privacy: Private (members only) or Internal (org-visible)
• Default sharing: Private for new notes

Step 3 — Configure SSO and User Provisioning

SSO Setup (Okta example):

1. Organization Settings > Security > SSO
2. Choose SAML 2.0 or OIDC
3. Configure in your IdP:

• Entity ID: https://app.granola.ai/sso/{org-slug}
• ACS URL: https://app.granola.ai/sso/callback
• Name ID: Email address

1. Test with a pilot user before enforcing org-wide

SCIM Provisioning:

1. Organization Settings > Security > SCIM
2. Generate SCIM token
3. Configure in your IdP:

• SCIM endpoint: https://api.granola.ai/scim/v2/{org-id}
• Bearer token: Generated in step 2

1. Map IdP groups to Granola workspaces and roles:

Just-in-Time (JIT) Provisioning:

Enable JIT so users are auto-provisioned on first SSO login without manual invitation. Map their IdP groups to workspace membership.

Step 4 — Configure Per-Workspace Integrations

Each workspace can have independent integration configurations:

Configure in each workspace: Settings > Integrations. Each workspace's integrations are independent — connecting Slack in Engineering does not affect Sales.

Step 5 — Set Compliance Controls Per Workspace

Sensitive workspace hardening (HR, Executive):

Workspace Settings > Security:
  External sharing: Disabled
  Public links: Disabled
  Link expiration: 7 days (if any sharing enabled)
  MFA required: Yes (beyond SSO)
  Session timeout: 4 hours
  AI training opt-out: Enforced
  IP allowlist: Enabled (office IPs only)

Step 6 — Role Hierarchy and Permissions

Step 7 — Validate and Monitor

Validation checklist:

• [ ] All workspaces created with correct owners
• [ ] SSO login tested with users from each IdP group
• [ ] SCIM sync verified (user added to IdP group → appears in workspace)
• [ ] Per-workspace integrations tested with sample meetings
• [ ] Compliance settings verified for sensitive workspaces (HR, Executive)
• [ ] Cross-workspace search working for admin users
• [ ] Audit logs capturing expected events

Ongoing monitoring:

• Monthly: Review workspace membership, deactivate departed users
• Quarterly: Access review across all workspaces (principle of least privilege)
• Annual: Re-certify compliance settings, update retention policies

Output

• Multi-workspace topology deployed and configured
• SSO and SCIM provisioning operational
• Per-workspace integrations connected and tested
• Compliance controls applied with sensitive workspace hardening
• Role hierarchy documented and enforced

Error Handling

Resources

• Granola Enterprise
• Signing In and Calendar Connection
• Sign In with Microsoft
• Security Standards

Next Steps

Proceed to granola-observability for meeting analytics and monitoring.