Use this guide to connect ChatGPT for EDU to your district identity systems. The goal is to make access reliable at launch and easier to manage over time.
Audience: District IT administrators who manage identity, provisioning, domains, and access groups.
District Identity Plan
For district-wide rollout, use centralized identity and provisioning in the following steps:
- Set up SCIM Directory Sync.
- Push groups from the identity provider into ChatGPT.
- Map groups to custom roles.
1. Verify The District Domain
Domain verification confirms that your district controls the email domain and enables ChatGPT to route eligible users into your district-managed workspace.
- In Workspace Settings, go to Identity and Access.
- Add the district email domain you want to verify.
- ChatGPT will generate a DNS TXT record for that domain.
- Send the DNS TXT record to the team that manages your district’s DNS.
- Once the record has been added, return to ChatGPT and verify the domain.
2. Configure Single Sign-On (SSO)
Once your district domain is verified, configure Single Sign-On (SSO). ChatGPT supports common identity providers, as well as custom identity provider setups.
SSO controls how users sign in to ChatGPT. It should be treated as an authentication step, not a method for automatically adding users to the workspace.
- In your workspace settings, begin configuring SSO with your district’s identity provider.
- Start with a small group of invited test users.
- Leave SSO enforcement turned off while testing the sign-in flow.
- Confirm that each test user can successfully sign in to the workspace.
- Turn on SSO enforcement only after testing is complete and your district is ready to require SSO for eligible users.
SSO applies to users associated with the verified domain who have been invited or provisioned into the managed workspace. It does not automatically apply to users who have not been added to the workspace.
3. Configure SCIM Directory Sync
Use SCIM to invite users throughout your district to the workspace. SCIM is the recommended path because it supports both provisioning and deprovisioning.
Set up SCIM as a separate application from SSO in your identity provider. For example, if your district uses Microsoft Entra ID, you may have one app for SSO and a separate app for SCIM.
SCIM can push:
- Changes when users are added or removed.
Note on Automatic Creation: Automatic account creation can bring users into the workspace when they create an account with a verified district domain. This can be useful in some contexts, but it does not provide automatic deprovisioning. For district-managed rollout, use SCIM instead of combining SCIM with automatic account creation. Running both can create contention and make access harder to manage.
4. Push Groups From The Identity Provider
Create the important access groups in your identity provider first, then push them through SCIM. This keeps group membership tied to your central source of truth. Groups are useful because administrators can map them to custom roles and control app access.
Use names that make the purpose clear to both IT and workspace administrators.
Note on Local Groups: Local groups can be created directly in ChatGPT. They are useful for pilots, alpha-feature testing, or quick validation when you do not want to change the identity provider yet. Do not use local groups as the main district access model. If a local group later becomes a SCIM-managed group, you may end up with duplicate group structures. Move long-term groups into the identity provider when they become part of the official rollout.
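The notes on automatic creation and local groups both describe access that can drift away from the identity provider. The following added example, which is not part of the original guide or any ChatGPT tooling, reconciles a workspace export against the identity provider roster. The export fields (`email`, `name`, `source`), the sample records, and the domain `district.example` are constructed assumptions.

```python
# Added example: reconcile a workspace export against the IdP roster.
# Field names, sample records and the domain are constructed for illustration.
VERIFIED_DOMAIN = "district.example"  # assumed verified district domain

# Constructed IdP roster: accounts SCIM is expected to keep provisioned.
IDP_USERS = {"ana@district.example", "ben@district.example", "cy@district.example"}

# Constructed workspace export. "source" is a hypothetical field recording how
# the member or group was created: "scim", "auto" or "local".
WORKSPACE_USERS = [
    {"email": "Ana@district.example", "source": "scim"},
    {"email": "cy@district.example", "source": "auto"},   # self-created account
    {"email": "dee@district.example", "source": "scim"},  # no longer in the IdP
    {"email": "guest@other.example", "source": "auto"},
]
WORKSPACE_GROUPS = [
    {"name": "GPT Publishers", "source": "scim"},
    {"name": "gpt publishers ", "source": "local"},  # pilot group never retired
    {"name": "Alpha Testers", "source": "local"},
]

def norm(value):
    """Compare emails and group names without case or stray whitespace."""
    return value.strip().casefold()

def audit_users(idp_users, workspace_users, domain):
    idp = {norm(u) for u in idp_users}
    findings = {"outside_domain": [], "not_in_idp": [], "unmanaged": []}
    for user in workspace_users:
        email = norm(user["email"])
        if email.rpartition("@")[2] != norm(domain):
            findings["outside_domain"].append(email)  # not on the verified domain
        elif email not in idp:
            findings["not_in_idp"].append(email)      # deprovisioning candidate
        elif user["source"] != "scim":
            findings["unmanaged"].append(email)       # SCIM will not remove it
    return findings

def audit_groups(workspace_groups):
    scim = {norm(g["name"]) for g in workspace_groups if g["source"] == "scim"}
    findings = {"duplicate_of_scim": [], "local_only": []}
    for group in workspace_groups:
        if group["source"] == "local":
            key = "duplicate_of_scim" if norm(group["name"]) in scim else "local_only"
            findings[key].append(group["name"].strip())
    return findings

if __name__ == "__main__":
    print(audit_users(IDP_USERS, WORKSPACE_USERS, VERIFIED_DOMAIN))
    print(audit_groups(WORKSPACE_GROUPS))
```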
5. Map Groups to Custom Roles
After groups appear in ChatGPT, map them to custom roles. Custom roles should be used for additional permissions, such as:
- Publishing GPTs to the workspace
- Publishing skills to the workspace
- Higher credit limits for a specific group
Default workspace settings should remain the baseline, whereas custom roles should be assigned only to groups that need extra permissions. Learn more about Role-Based Access Controls here.