Most IT teams spend 3x longer than they need to on Claude Enterprise setup because the admin console has features most admins don't know exist. The difference between a rushed deployment and a production-ready one often comes down to understanding which SSO integration method fits your existing infrastructure, how SCIM provisioning actually saves time, and which governance controls actually prevent the problems you're going to face at scale.

This guide walks you through every step of setting up Claude Enterprise from procurement to user rollout. You'll know exactly what to ask Anthropic sales, how to configure SSO with SAML 2.0 or Okta or Azure AD, how to automate user provisioning instead of manually inviting everyone, and how to set governance policies that don't kill adoption.


What Claude Enterprise Includes vs Team and Pro Plans

Claude Enterprise isn't just "more users" — it's a fundamentally different product built for organisations that need governance at scale. Here's what separates it from Claude Team and Pro:

  • Single Sign-On (SSO): SAML 2.0 integration with identity providers like Okta, Azure AD, Google Workspace, and AWS SSO. Your users authenticate through your existing corporate identity system, not Claude-specific credentials.
  • SCIM Provisioning: Automatic user creation, deletion, and role assignment synced with your directory. Add someone to your Okta org or Azure AD, and they automatically get Claude access within minutes.
  • Audit Logging: Complete records of who accessed what, when, and from where. Every user action, API call, and admin change is logged and exportable for compliance audits (SOC 2, ISO 27001, FedRAMP-relevant).
  • Admin Console: Centralized dashboard for managing organisation settings, domains, user groups, API usage limits, model access, and security policies.
  • Data Non-Training: Guaranteed that conversations, files, and system prompts are never used to train Anthropic's models. Critical for organisations handling customer data, financial information, or intellectual property.
  • Custom System Prompts: Set organisation-wide system prompts for Claude Cowork and Code instances. Enforce security guidance, compliance requirements, or brand voice at the platform level.
  • IP Allowlisting: Restrict Claude access to specific IP ranges. Prevents access from unsecured networks or third-party locations.
  • Advanced Reporting: API usage dashboards, user adoption metrics, feature usage breakdown by team or department.

Claude Team covers 5-100 users per workspace without these governance features. Claude Pro is personal-tier. Claude Enterprise is built for 100+ users with compliance, security, and operational requirements.

Pre-Deployment Checklist: Get These Sign-Offs First

Before you even contact Anthropic sales, align internally. Nothing stalls Claude Enterprise deployments like discovering halfway through that you need legal review or that your security team has concerns you didn't know about.

IT and Infrastructure

  • Confirm your SSO provider and available SAML 2.0 endpoints
  • Map out API usage requirements — do you need rate limiting? Which models? High usage tiers?
  • Plan your network architecture — do you need IP allowlisting or will you allow public access?
  • Identify who owns SCIM provisioning on your directory side (usually IAM or identity team)
  • Set audit log storage — Claude can export logs, but you'll need somewhere to store them long-term

Security and Compliance

  • Review Claude's security architecture and data handling policies with your security team
  • Confirm compliance requirements: SOC 2, ISO 27001, FedRAMP, HIPAA, PCI-DSS, GDPR, etc.
  • Document current data classification policies — what data can touch Claude?
  • Plan audit log review cadence and responsibilities
  • Identify any geographic or regulatory restrictions on where processing can happen

Procurement and Finance

  • Get budget approval — Claude Enterprise pricing is volume-based; expect $100K+ annually for significant usage
  • Identify procurement channel: direct with Anthropic or through an existing vendor partnership
  • Plan budget allocation across teams or departments

Legal

  • Review Anthropic's data processing agreement (DPA) and Enterprise Agreement
  • Confirm data residency, retention, and liability terms align with your policies
  • Validate vendor security certifications match your requirements

Executive and Department Leadership

  • Communicate why you're adopting Claude (efficiency, cost savings, capability gaps filled)
  • Set usage policies: what's permitted, what's prohibited, acceptable use agreement
  • Get commitment on training time for your rollout

Step 1: Procuring Claude Enterprise — Talking to Anthropic Sales

Claude Enterprise pricing isn't published. You'll negotiate directly with Anthropic's sales team based on your organisation size, usage patterns, and contract terms.

What to Prepare Before You Contact Sales

  • Headcount: Total number of users who need Claude access (or expected in Year 1)
  • Usage profile: Will this be daily use for most users, or occasional? Are you deploying AI Agents or Cowork for collaboration, or is this direct Claude.com access?
  • Use cases: Code generation, customer support, legal review, financial analysis, research? (This affects which models you'll need.)
  • Timeline: When do you need this deployed? This affects contract terms and onboarding priority.
  • Compliance requirements: Do you need FedRAMP, HIPAA, SOC 2 audit reports, or specific data handling guarantees?

Typical Contract Terms

  • Annual commitment: Most are 1-year minimum, renewable
  • Per-user pricing: Typically ranges from $150-500/user/year depending on volume and model access (Claude 3.5 Sonnet vs Opus tiers)
  • Overage handling: What happens if you exceed your committed user count? (Usually overages are billed monthly.)
  • Model access: Do you get all Claude models (Sonnet, Opus, Haiku) or specific tiers?
  • Support level: Standard support, or priority onboarding and dedicated support engineer?

During Contract Negotiations

  • Ask for a pilot period (30-90 days) if you're unsure about usage or value
  • Confirm SLA terms: uptime guarantees, response times for issues
  • Clarify data retention policies during and after contract termination
  • Negotiate: if your use case is strategic or you're committing significant headcount, there's usually room to move on pricing or terms

Once you have a signed agreement, Anthropic assigns an onboarding engineer who walks you through the next steps.

Step 2: Admin Console Setup — Creating Your Organisation

Your onboarding engineer sends you an initial login and credentials for the Claude Enterprise Admin Console. This is your control center.

Initial Organisation Creation

Step 2.1
Log in and Verify Your Organisation

You'll be guided to create your organisation profile with: company name, primary domain, billing contact, administrative contacts, and timezone. This information is tied to your contract and audit logs.

Step 2.2
Domain Verification

Verify ownership of your primary domain (e.g., yourcompany.com). Claude requires this because only users with email addresses on verified domains can be added to your organisation. You'll add a DNS TXT record that Claude checks for verification. This usually takes 5-15 minutes once propagated.

SSO Configuration: SAML 2.0 Integration

This is where most teams encounter the first real complexity. You have three main options:

  • Okta (SAML 2.0): Most common. Okta is a dedicated identity provider; if you're already using it, this is your straightforward path.
  • Azure AD (SAML 2.0): If you're on Microsoft 365. Azure AD is built into your Microsoft tenant.
  • Google Workspace (SAML 2.0): If Google Workspace is your IdP.
  • AWS SSO: If you're using AWS's managed identity federation.
  • Manual/LDAP-free: If none of the above, Anthropic will work with you on alternate integration methods.

We'll walk through Okta and Azure AD setups. The general pattern is the same across providers.

Okta SAML 2.0 Setup

Step 2.3a
Create Claude Enterprise App in Okta

In your Okta Admin console, navigate to Applications > Create App Integration. Choose SAML 2.0. Name it "Claude Enterprise."

In the Claude Admin Console, go to Settings > SSO Configuration. Copy the following from Claude:

  • Assertion Consumer Service (ACS) URL
  • Single Logout URL (if available)
  • Entity ID / Audience URI

Paste these into Okta's SAML app configuration. Then configure attribute mappings:

Okta SAML Attribute Mappings

Name: email
Value: user.email

Name: given_name
Value: user.firstName

Name: family_name
Value: user.lastName

Name: groups (optional but recommended)
Value: getFilteredGroups("Claude_.*", "group.name")

The groups mapping allows you to control access via Okta group membership. If a user is removed from your Okta "Claude_Engineering" group, they're automatically deprovisioned from Claude.

Step 2.3b
Get Okta Metadata and Configure Claude

Once the app is created in Okta, download the SAML metadata XML. In the Claude Admin Console, paste the metadata or manually enter your Okta IdP URL, X.509 certificate, and other required fields. Claude will validate the connection.

Azure AD SAML 2.0 Setup

If you're using Azure AD (now Microsoft Entra ID):

Step 2.4a
Create Enterprise App in Azure AD

In Azure AD, go to Enterprise Applications > New Application. Search for Claude Enterprise and add it (if Anthropic has published an Azure AD gallery app), or create a custom SAML app.

Step 2.4b
Configure SAML Settings

In Azure AD, under Single Sign-on > SAML-based Sign-on, fill in the Identifier (Entity ID), Reply URL (ACS URL), and Sign on URL from Claude's Admin Console. Upload or paste Claude's certificate.

Azure AD Claims Configuration

Claim name: email
Source: attribute
Source attribute: user.mail

Claim name: givenname
Source: attribute
Source attribute: user.givenname

Claim name: surname
Source: attribute
Source attribute: user.surname

Claim name: groups
Source: attribute
Source attribute: user.assignedroles

Then in Claude's Admin Console, configure Claude to accept Azure AD's metadata endpoint (typically https://login.microsoftonline.com/{tenantId}/federationmetadata/2007-06/federationmetadata.xml).

Step 2.4c
Assign Users to the App

In Azure AD, go to Users and groups. Add users or groups who should have Claude access. Only assigned users can sign in via SSO. (Unassigned users will get an error.)

Test Your SSO Connection

Before rollout, test with a pilot user. In your IdP, sign out of all sessions. Then go to your Claude login page, and attempt SSO login with a test account. You should be redirected to your IdP, authenticate, and be redirected back to Claude — now logged in.

If this fails, the most common issues are:

  • Email attribute mismatch (Claude expects exact email match between IdP and organisation domain)
  • Certificate expiration or invalid signing
  • Wrong ACS URL or Entity ID
  • User not assigned to the SAML app in IdP

Your onboarding engineer can help debug. Most SSO issues are resolved in 1-2 hours once you involve both sides.
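A diagnostic for two of the failure causes listed above (wrong ACS URL or Entity ID, and email mismatch), written as an added example rather than Anthropic or IdP tooling. It inspects one decoded SAML response captured from a pilot login; the URLs, domain and sample response are constructed placeholders, and it does not check the certificate or signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders: copy the real values from your SSO settings page.
EXPECTED = {
    "acs_url": "https://sp.example.invalid/saml/acs",
    "entity_id": "https://sp.example.invalid/saml/metadata",
    "domain": "yourcompany.com",
}

# Constructed sample: a decoded response from a pilot login (signature omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData
            Recipient="https://sp.example.invalid/saml/ACS"
            NotOnOrAfter="2030-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2030-01-01T00:00:00Z"
                     NotOnOrAfter="2030-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>pilot@corp.yourcompany.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    # SAML timestamps are UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def diagnose(xml_text, expected, now):
    """Return human-readable findings for one decoded SAML response."""
    # Parse only responses you captured yourself; signatures are not verified here.
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (encrypted assertion or IdP error status)"]
    findings = []
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["acs_url"]:  # exact, case-sensitive comparison
        findings.append(f"Recipient {recipient!r} does not equal the ACS URL")
    audiences = [a.text.strip() for a in assertion.findall(".//saml:Audience", NS) if a.text]
    if expected["entity_id"] not in audiences:
        findings.append(f"Audience {audiences} lacks the Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (check clock skew)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired")
    path = ".//saml:Attribute[@Name='email']/saml:AttributeValue"
    emails = [v.text.strip() for v in assertion.findall(path, NS) if v.text]
    if not emails:
        findings.append("no 'email' attribute in the assertion")
    for email in emails:
        if email.rsplit("@", 1)[-1].lower() != expected["domain"]:
            findings.append(f"email {email!r} is not on domain {expected['domain']}")
    return findings


if __name__ == "__main__":
    when = datetime(2030, 1, 1, 0, 1, tzinfo=timezone.utc)
    for line in diagnose(SAMPLE, EXPECTED, when):
        print("FINDING:", line)
```
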

Step 3: User Provisioning with SCIM

You've set up SSO so users can sign in. Now automate the entire user lifecycle so you don't have to manually invite everyone.

SCIM (System for Cross-domain Identity Management) is a standard API that syncs user data between your directory and Claude. When you:

  • Add a user to Okta → user is created in Claude within minutes
  • Remove a user from Azure AD → user is deactivated in Claude
  • Change someone's role in your directory → their Claude role updates automatically

Why SCIM Matters

  • Speed: No manual invitations. Users get access the moment they're added to your directory.
  • Compliance: Offboarding is instant. If someone leaves, you remove them from Okta, and they lose Claude access immediately.
  • Reduced errors: No typos in email addresses, no forgotten invitations, no orphaned accounts.
  • Scalability: Managing 1,000 users manually is insane. SCIM makes it trivial.

SCIM Setup: Okta Example

Step 3.1
Generate a SCIM Bearer Token in Claude

In the Claude Admin Console, go to Settings > Integrations > SCIM. Claude generates a Bearer token. Copy this — you'll only see it once. Store it securely (use your password manager or secrets vault).

Step 3.2
Configure Okta SCIM Provisioning

In Okta, go to your Claude app > Provisioning > Integration. Select "Configure API integration." Check "Enable API integration." Paste the following:

Okta SCIM Configuration

SCIM Base URL: https://api.claude.ai/scim/v2/orgs/{your-org-id}
Authentication: Bearer {your-scim-token}

Under Provisioning to App:
☑ Create Users
☑ Update User Attributes
☑ Deactivate Users

Then, set up attribute mappings so Okta knows which user fields to sync to Claude:

Okta to Claude User Mapping

Okta Attribute → Claude Attribute
user.email → email
user.firstName → given_name
user.lastName → family_name
user.active → active

Step 3.3
Create Claude Groups in Okta

Groups in Claude control feature access and permissions. Create Okta groups like "Claude_Engineering", "Claude_Finance", "Claude_Legal", and set membership. Sync these to Claude so group-level policies apply automatically.

Step 3.4
Test and Monitor

Add a test user to a Claude group in Okta. Wait 2-5 minutes. Check the Claude Admin Console — the user should appear. Sign them out of SSO, sign back in via SSO, and confirm they can access Claude.

SCIM Setup: Azure AD (Entra ID)

Azure AD SCIM is configured similarly:

  • In Claude, generate your SCIM token and Base URL
  • In Azure AD Enterprise App > Provisioning, select "Get started" and choose "Automatic"
  • Paste the SCIM Base URL and Bearer token
  • Map attributes (mail → email, givenName → given_name, etc.)
  • Assign users/groups to the app and enable provisioning

Azure AD typically provisions users within 5-10 minutes. You can monitor progress in the Provisioning logs.
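To back the "Test and Monitor" step with a repeatable check, the added example below (not part of either vendor's tooling) reconciles a paginated SCIM 2.0 user listing against a directory export and reports accounts that are still active after leaving the directory. The two pages, the member list and the function names are constructed; the field names follow the standard SCIM ListResponse in RFC 7644.

```python
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: two pages as a standard SCIM /Users listing returns them.
PAGES = [
    {"schemas": [LIST_SCHEMA], "totalResults": 4, "startIndex": 1, "itemsPerPage": 2,
     "Resources": [
         {"id": "u-001", "userName": "Ana.Lopez@yourcompany.com", "active": True},
         {"id": "u-002", "userName": "ben.wu@yourcompany.com", "active": True},
     ]},
    {"schemas": [LIST_SCHEMA], "totalResults": 4, "startIndex": 3, "itemsPerPage": 2,
     "Resources": [
         {"id": "u-003", "userName": "cara.ng@yourcompany.com", "active": False},
         {"id": "u-004", "userName": "dev.rao@yourcompany.com", "active": True},
     ]},
]

# Constructed: current members of the directory groups that grant access.
DIRECTORY_MEMBERS = {
    "ana.lopez@yourcompany.com",
    "cara.ng@yourcompany.com",
    "eli.kim@yourcompany.com",
}


def collect_users(pages):
    """Merge paginated ListResponses into {lowercased userName: active}."""
    users, total = {}, None
    for page in pages:
        if LIST_SCHEMA not in page.get("schemas", []):
            raise ValueError("not a SCIM ListResponse")
        total = page["totalResults"]
        for res in page.get("Resources", []):
            # userName is case-insensitive in SCIM; a missing "active" is
            # treated as active so that an orphaned account is never hidden.
            users[res["userName"].lower()] = bool(res.get("active", True))
    if total is not None and len(users) != total:
        raise ValueError(f"incomplete listing: got {len(users)} of {total}")
    return users


def reconcile(pages, directory_members):
    """Compare provisioned accounts with the directory's view."""
    users = collect_users(pages)
    directory = {m.lower() for m in directory_members}
    active = {name for name, is_active in users.items() if is_active}
    return {
        # Active in the application but no longer entitled: offboarding gap.
        "orphaned": sorted(active - directory),
        # Entitled in the directory but missing or inactive in the application.
        "not_provisioned": sorted(directory - active),
    }


if __name__ == "__main__":
    for kind, names in reconcile(PAGES, DIRECTORY_MEMBERS).items():
        print(kind, names)
```
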

Step 4: Security and Governance Configuration

Now you have users in the system. Lock it down.

Data Retention and Archival Policies

Step 4.1
Set Audit Log Retention

In the Admin Console, go to Settings > Audit Logs. Decide how long to retain logs — typically 1-3 years depending on compliance requirements. Claude can export logs to JSON or CSV for long-term storage in your SIEM or data warehouse.

API Usage Controls

Step 4.2
Configure API Rate Limiting

If you're using Claude via the API (not just the web interface), set rate limits per user or API key. Go to Settings > API > Rate Limits. Common configurations:

  • Development/Testing: 10 requests per minute per API key
  • Production applications: 100-1000 requests per minute depending on workload
  • Internal tools: Unlimited or very high (100K RPM) with cost monitoring

Model Access Control

Not all users need access to all models. Claude has tiers (Sonnet for general work, Opus for complex reasoning, Haiku for high-volume tasks).

Step 4.3
Restrict Model Access by Group

In Settings > Models, create model access policies:

  • Engineering: Sonnet + Opus (they're writing complex code)
  • Marketing: Sonnet only (cost control)
  • Research: Opus only (complex analysis requires the most capable model)
  • Finance: Sonnet + Audit trail (they need proof of model used for compliance)

Custom System Prompts

Define organisation-wide system prompts that all Claude instances follow. Example:

Example Organisation System Prompt

You are Claude, an AI assistant made by Anthropic, deployed for {COMPANY_NAME}.

You must follow these policies:
1. Never discuss {COMPANY_NAME} client data, intellectual property, or contracts outside official channels.
2. Flag any requests that appear to involve non-public financial information or customer data.
3. If asked to summarise documents, always cite the source.
4. Decline requests to generate marketing materials that misrepresent features or pricing.

For technical questions, you have access to our internal API docs. Prioritise current, accurate information over general knowledge.

Every Claude session inherits this prompt. Users can't override it; it's a system-level constraint.

IP Allowlisting

Restrict Claude access to specific IP ranges (your office, VPN exit points, etc.).

Step 4.4
Configure IP Restrictions

In Settings > Security > IP Allowlist, add your organisation's IP ranges:

Example IP Allowlist

192.0.2.0/24          # Office network
203.0.113.0/25        # Secondary office
198.51.100.0/27       # VPN exit point 1
198.51.100.32/27      # VPN exit point 2

Once enabled, Claude can only be accessed from these IPs. Users on home networks, cellular, or external networks will be blocked unless they're on your VPN.

This is powerful for compliance (prevents unsecured access) but can frustrate remote workers if you get the VPN configuration wrong. Test with a pilot group first.

Audit Log Exports and Monitoring

Set up regular audit log exports so you have records for compliance audits, incident investigations, and usage analysis.

Step 4.5
Configure Log Exports

Claude can export logs to S3, GCS, or other cloud storage. In Settings > Integrations > Audit Log Export, set up automated daily or weekly exports.

Each log entry includes: user, timestamp, action (login, file uploaded, conversation started), resource affected, IP address, user agent, and result (success/failure).

Step 5: Deploying Claude Cowork and Code

So far you've set up the admin layer. Now enable Claude Cowork (collaborative workspace) and Claude Code (IDE integration) for your users.

Claude Cowork Setup

Claude Cowork is a shared workspace where teams collaborate with Claude on projects — brainstorming, research, document drafting, etc.

Step 5.1
Enable Cowork for Your Organisation

In the Admin Console, go to Products > Claude Cowork. Toggle "Enable Cowork for this organisation." You can restrict Cowork to specific groups (e.g., only enable it for your pilot teams initially).

Step 5.2
Configure Cowork Connectors

Claude Cowork can integrate with Google Drive, Slack, Notion, and other tools. Decide which connectors your teams will use:

  • Google Drive: Let teams upload docs to Claude for analysis or summarization
  • Slack: Enable Claude Cowork to be mentioned in Slack for quick questions (without leaving Slack)
  • Notion: Sync Notion docs into Cowork threads

For each connector, you'll need to approve the integration and grant Claude permission to access those systems on behalf of users.

Step 5.3
Set Cowork Usage Policies

In Settings > Cowork Policies, define:

  • Can users create Cowork workspaces (yes/no)?
  • Can external users (outside your organisation domain) be invited to Cowork workspaces?
  • Should file uploads be scanned for sensitive data (credit cards, SSNs, passwords)?
  • What file types are allowed (disable executable files, etc.)?

Claude Code Setup

Claude Code integrates Claude directly into VS Code and other IDEs. Developers can use Claude for code generation, debugging, refactoring, and documentation without leaving their editor.

Step 5.4
Enable Code for Your Organisation

In Products > Claude Code, toggle "Enable Claude Code." Choose whether to enable it org-wide or for specific groups (e.g., engineering teams only).

Step 5.5
Configure IDE Extensions

Your developers install the Claude for VS Code extension from the marketplace. On first use, they authenticate with their Claude Enterprise credentials (via SSO). They're immediately productive.

Step 6: Change Management and User Rollout

Technical setup is 30% of the battle. Getting people to actually use Claude correctly is the other 70%.

Phased Rollout Strategy

Don't flip the switch for 5,000 users at once. Do this in phases:

Phase 1: Pilot (Week 1-2)

30-50 power users, mostly IT and early adopters. They'll find edge cases and feature requests. Goal: validate the setup and get a handful of success stories.

Phase 2: Department Rollout (Week 3-6)

Expand to 3-5 departments. Run live training sessions. Establish feedback loops (weekly check-ins, Slack channel for questions).

Phase 3: Full Org (Week 7+)

Everyone else. By now you've solved most problems and can handle questions faster. Momentum is on your side.

User Training and Onboarding

  • Recorded demo: 15-minute video showing how to log in, find Claude, run a basic query
  • Department-specific training: 30-minute interactive session for each department (engineering gets "Claude for Code", marketing gets "Claude for writing", etc.)
  • Documentation wiki: FAQ, common use cases, policy reference, troubleshooting
  • Slack bot or email digest: Weekly tips and best practices

Usage Policies — Make Them Clear

Create a 1-page usage policy and share it with all users. Example:

Claude Enterprise Usage Policy (excerpt)

✓ OK to use Claude for:
  - Code generation and debugging
  - Document drafting and editing
  - Data analysis and reporting
  - Customer research and brainstorming
  - Learning and skill development

✗ NOT OK to use Claude for:
  - Customer personal information (names, SSNs, credit cards, phone numbers)
  - Unpublished financial data or earnings guidance
  - Employee personal information
  - Proprietary algorithms without explicit approval
  - Creating marketing materials claiming features we don't have

❓ Unsure? Ask your manager or contact security@company.com

Feedback and Iteration

  • Weekly pulse surveys: "How are you using Claude? Any blockers?"
  • Monthly adoption reports: login counts, daily active users, feature usage
  • Quarterly reviews: team usage patterns, ROI, training needs

Common Mistakes and How to Avoid Them

Mistake 1: Skipping SCIM and Manually Inviting Users

What happens: You email 500 invitation links, half bounce or go to spam, you spend a week on follow-ups, and you still have 20% of users not activated.

Why it matters: SCIM is automated. Users get access instantly. Offboarding is instant (remove from directory → user loses Claude access within 5 minutes). It's a no-brainer for teams over 100 people.

How to avoid it: Budget 2-3 days for SCIM setup. It's the best 2-3 days you'll spend. Yes, it requires coordination between your IAM team and Anthropic. Yes, it's worth it.

Mistake 2: No Usage Policy or Acceptable Use Agreement

What happens: Users start uploading customer data, financial spreadsheets, and unpublished research to Claude. Three months later, your security audit flags "potential data exfiltration to third-party AI vendor." Now you're doing incident response.

Why it matters: A clear policy prevents misuse, protects confidential data, and gives you grounds to enforce restrictions.

How to avoid it: Write a simple policy (do's and don'ts) and have every user confirm they've read it during onboarding. Update it as you learn what your teams actually do with Claude.

Mistake 3: Over-Restricting Access (Wrong Model Tier, Too Many Blocks)

What happens: You set Sonnet-only access to save costs. Your research team hits a complex problem that needs Opus. They get frustrated, ask you to change it, or they just use Claude.com on their personal account (which you have zero visibility into). You lose the compliance benefit.

Why it matters: Overly restrictive policies drive shadow IT. Smart policy is: "Give teams what they need, monitor usage, adjust quarterly."

How to avoid it: Start generous. Monitor real usage for 4-6 weeks. Then optimize. You'll learn which teams actually need Opus vs Sonnet. Adjust accordingly.

Mistake 4: Ignoring Audit Logs

What happens: You configure audit logs but never look at them. A compliance officer asks, "Who accessed customer files and when?" You have no answer. Or worse: an incident happens and you can't reconstruct what happened.

Why it matters: Audit logs are your evidence for compliance, security, and incident response. If you can't show who did what, you can't defend yourself.

How to avoid it: Export logs to your SIEM or data warehouse. Set up alerting for suspicious patterns (user accessing from new IP, bulk export, failed logins). Review monthly summaries during security team meetings.
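The alerting described here can start as a small batch job over each export. This added example (not a vendor tool) applies three rules to a JSON-lines export carrying the fields listed in Step 4.5: source IP outside the Step 4.4 allowlist, first use of a new IP by a user with a baseline, and a burst of failed logins. The key names, action names, baseline and sample events are constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Ranges copied from the example allowlist in Step 4.4.
ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "203.0.113.0/25", "198.51.100.0/27", "198.51.100.32/27")]

# Constructed export; key and action names are assumptions, not a documented schema.
SAMPLE_LOG = """\
{"user": "ana@yourcompany.com", "timestamp": "2030-01-06T09:00:00+00:00", "action": "login", "resource": "-", "ip": "192.0.2.10", "user_agent": "ua", "result": "success"}
{"user": "ben@yourcompany.com", "timestamp": "2030-01-06T09:01:00+00:00", "action": "login", "resource": "-", "ip": "198.51.100.40", "user_agent": "ua", "result": "failure"}
{"user": "ben@yourcompany.com", "timestamp": "2030-01-06T09:02:00+00:00", "action": "login", "resource": "-", "ip": "198.51.100.40", "user_agent": "ua", "result": "failure"}
{"user": "ben@yourcompany.com", "timestamp": "2030-01-06T09:03:00+00:00", "action": "login", "resource": "-", "ip": "198.51.100.40", "user_agent": "ua", "result": "failure"}
{"user": "ana@yourcompany.com", "timestamp": "2030-01-06T09:30:00+00:00", "action": "file_uploaded", "resource": "q3.xlsx", "ip": "203.0.113.200", "user_agent": "ua", "result": "success"}
"""

# Constructed baseline: IPs seen per user in earlier exports.
BASELINE = {
    "ana@yourcompany.com": {"192.0.2.10"},
    "ben@yourcompany.com": {"198.51.100.40"},
}


def detect(log_text, baseline, max_failures=3, window=timedelta(minutes=10)):
    """Return (rule, user, ip) alerts for one export, in event-time order."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: datetime.fromisoformat(e["timestamp"]))
    seen = {user: set(ips) for user, ips in baseline.items()}
    failures = defaultdict(list)
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["timestamp"])
        user, ip = e["user"], ipaddress.ip_address(e["ip"])
        # Rule 1: traffic from outside the allowlist means enforcement is
        # off, misconfigured, or the event is a blocked attempt worth review.
        if not any(ip in net for net in ALLOWLIST):
            alerts.append(("outside_allowlist", user, str(ip)))
        # Rule 2: new IP for a user who already has a baseline; users with
        # no history are learned silently to avoid first-day noise.
        if user in seen and str(ip) not in seen[user]:
            alerts.append(("new_ip", user, str(ip)))
        seen.setdefault(user, set()).add(str(ip))
        # Rule 3: max_failures failed logins inside the sliding window.
        if e["action"] == "login" and e["result"] == "failure":
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            if len(recent) == max_failures:
                alerts.append(("failed_login_burst", user, str(ip)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(alert)
```
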

Mistake 5: Wrong Model Tier Selection for Your Use Case

What happens: You pick Claude 3.5 Sonnet (latest, fastest) across the board. Your research team needs Opus for numerical reasoning. Your customer support team doesn't need Opus and you're paying too much. You end up leaving money on the table and your teams aren't optimised.

Why it matters: Claude Opus is 2-3x more expensive than Sonnet. Pick the right tier and you save 20-30% on API costs without sacrificing quality.

How to avoid it: Ask Anthropic for usage recommendations based on your use cases during contract negotiations. Start with Sonnet (it's excellent for most tasks). Reserve Opus for reasoning-heavy work.


What's Next

Once you've completed these 6 steps, you have a production-ready Claude Enterprise deployment. Your users are authenticated via SSO, they're auto-provisioned via SCIM, you have visibility into usage via audit logs, and you have governance controls in place.

After launch, the real work begins: adoption, training, and optimisation. Most IT teams underestimate the time investment in change management. Budget 20-30% of your time for helping users succeed, not just for technical setup.

Monitor your adoption metrics monthly. Track: daily active users, features used, API usage by team, support tickets. Use this data to improve training, adjust policies, and justify continued investment to leadership.

And if you hit snags — SSO auth failures, SCIM provisioning issues, unclear security requirements — your Anthropic onboarding engineer is a real resource. Use them. They've seen every configuration and every mistake.


ClaudeImplementations

Claude Certified Architects

We specialise in enterprise-scale Claude deployments. Our team has configured SAML/SCIM integrations, governed Claude access for 5,000+ users, and built compliance frameworks for enterprises on FedRAMP-relevant deployments. When you see this signature, you're reading from people who've actually done this, not just documented it.