Authentication
User provisioning
Invitation-based vs. just-in-time (JIT) provisioning, plus deprovisioning flow.
LeaseWizard supports two models; you can mix them.
Invitation-based (default)
- A LeaseWizard organization admin invites users by email from the LeaseWizard admin console. Each invitation carries a role (Owner, Admin, Member, Viewer, or a custom org-scoped role) and optional country/portfolio scope.
- The invitee receives a single-use link with a limited expiry. Invitation secrets are never stored in plaintext.
- If the invitee already exists, they accept inline. If not, they sign up and the membership is created atomically.
- Recommended for organizations that want explicit control over who has LeaseWizard access.
Just-in-time (JIT) provisioning via SSO
When enabled on an SSO connection, the first SSO login from a verified email domain will create:
- a LeaseWizard user (linked to the IdP's stable user identifier)
- a membership in the organization that owns the SSO connection
- the default role configured on the connection
Preconditions for JIT to trigger:
- JIT provisioning is enabled on the connection.
- The ID token's email_verified claim is true (required by default; can be relaxed on request).
- The email's domain has been verified for your organization (see Domain verification).
If any precondition fails, the user is redirected back with an auth error.
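The JIT preconditions above, sketched as a single fail-closed gate. This is an added example, not LeaseWizard's own code: the SsoConnection fields, the reason strings, the strict boolean test on email_verified and the exact (non-subdomain) domain match are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SsoConnection:
    """Hypothetical model of an SSO connection; field names are assumptions."""
    org_id: str
    jit_enabled: bool
    default_role: str
    verified_domains: set = field(default_factory=set)
    require_email_verified: bool = True  # the default described above


def email_domain(email):
    """Return the lower-cased domain, or None if the address is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None  # fail closed on anything ambiguous
    local, domain = email.strip().split("@")
    if not local or not domain:
        return None
    return domain.rstrip(".").lower()


def jit_decision(conn, claims):
    """Return (allowed, detail): a provisioning plan on success, a reason on failure."""
    if not conn.jit_enabled:
        return False, "jit_disabled"
    # Link the account to the IdP's stable identifier, never to the email alone.
    if not claims.get("iss") or not claims.get("sub"):
        return False, "missing_subject"
    # Strict boolean: the string "true" or a missing claim does not count.
    if conn.require_email_verified and claims.get("email_verified") is not True:
        return False, "email_not_verified"
    domain = email_domain(claims.get("email"))
    # Exact match only: a subdomain of a verified domain is a different domain.
    if domain is None or domain not in conn.verified_domains:
        return False, "domain_not_verified"
    return True, {"idp_identity": (claims["iss"], claims["sub"]),
                  "org_id": conn.org_id, "role": conn.default_role}


# Constructed sample data, not real LeaseWizard configuration or tokens.
CONN = SsoConnection("org_example", True, "Viewer", {"example.com"})
CLAIMS = {"iss": "https://idp.example.com", "sub": "00u1abcd",
          "email": "Ana@Example.com", "email_verified": True}

if __name__ == "__main__":
    print(jit_decision(CONN, CLAIMS))
    print(jit_decision(CONN, {**CLAIMS, "email_verified": "true"}))
    print(jit_decision(CONN, {**CLAIMS, "email": "ana@eu.example.com"}))
```

Relaxing the email_verified requirement corresponds to setting require_email_verified to False in this sketch, which leaves domain verification as the only check on the email claim.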
Deprovisioning
Today there is no SCIM. Deprovisioning is a two-step process:
- Disable the user in your IdP → they can no longer authenticate via SSO.
- A LeaseWizard admin deactivates the user's membership in the LeaseWizard admin console → their existing sessions are revoked immediately across all devices and their access to all org data is removed.
Disabling the entire SSO connection in LeaseWizard:
- Blocks all new SSO logins for that org.
- Immediately invalidates any existing session that was issued via that SSO connection.
- Does not affect password / email-code / personal Google / personal Microsoft logins, unless the admin also selects "Disable and bulk-revoke organization sessions".