# Restrict account creation to SCIM

> Restrict organization access to users provisioned via SCIM.

<Note>Available on the Enterprise plan. [Contact sales](https://ona.com/contact/sales) to learn more.</Note>

When enabled, only users provisioned via [SCIM](/ona/scim/overview) can access the organization. Users attempting to sign in via SSO without a SCIM-provisioned account are blocked.

Useful when:

* Centralizing account lifecycle management in your identity provider
* Ensuring every user in the organization has a corresponding directory entry
* Preventing access from users outside your provisioned scope, even if they can authenticate via SSO

## Prerequisites

* An active [SSO login provider](/ona/sso/overview)
* An enabled [SCIM configuration](/ona/scim/overview) linked to that SSO provider

The toggle is disabled until SCIM provisioning is configured and enabled.

## Configuration

1. Go to **Settings → Organization → Policies**
2. Toggle **Restrict Account Creation to SCIM**

Changes take effect immediately for new sign-in attempts. Existing members are not removed.

## Effect on users

| User type                        | Behavior                                                       |
| -------------------------------- | -------------------------------------------------------------- |
| SCIM-provisioned users           | Sign in normally via the linked SSO provider                   |
| Non-provisioned users (SSO only) | Blocked from creating an account or joining the organization   |
| Existing members                 | Retain access; remove via your IdP or by deactivating the user |

<Warning>Before enabling, confirm that all users who need access are in scope of your SCIM provisioning. Users outside the provisioning scope will lose the ability to sign in to a new account, even with valid SSO credentials.</Warning>
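A pre-flight audit for the warning above, as an added example that is not part of Ona's documentation or tooling. It compares three constructed exports and reports who would be blocked once the policy is on and which existing members sit outside SCIM. The export formats, the matching on lowercased `userName`, and the treatment of inactive SCIM users as out of scope are assumptions. Only the SCIM `ListResponse` shape follows RFC 7644.

```python
import json

# Constructed sample data. None of this is real Ona or IdP output.
SCIM_USERS_JSON = """
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 3,
 "Resources": [
   {"userName": "Alice@example.com", "active": true},
   {"userName": "bob@example.com",   "active": true},
   {"userName": "carol@example.com", "active": false}
 ]}
"""
# Users assigned to the SSO application in the IdP (hypothetical export).
SSO_ASSIGNED = ["alice@example.com", "Bob@example.com ",
                "carol@example.com", "dave@example.com"]
# Current organization members (hypothetical export).
EXISTING_MEMBERS = ["alice@example.com", "erin@example.com"]


def norm(identifier):
    """Normalize an identifier so case or whitespace does not hide a match."""
    return identifier.strip().lower()


def active_scim_users(list_response_json):
    """Return normalized userNames of active users in a SCIM ListResponse."""
    body = json.loads(list_response_json)
    # Assumption: a record with no "active" attribute counts as active.
    return {norm(u["userName"]) for u in body.get("Resources", [])
            if u.get("active", True)}


def audit(scim_json, sso_assigned, existing_members):
    """Classify users according to the "Effect on users" table."""
    provisioned = active_scim_users(scim_json)
    sso = {norm(u) for u in sso_assigned}
    members = {norm(u) for u in existing_members}
    return {
        # Can authenticate via SSO, but have no SCIM record and no account yet.
        "blocked_after_enable": sorted(sso - provisioned - members),
        # Retain access after the toggle; lifecycle is not driven by SCIM.
        "members_outside_scim": sorted(members - provisioned),
    }


if __name__ == "__main__":
    for finding, users in audit(SCIM_USERS_JSON, SSO_ASSIGNED,
                                EXISTING_MEMBERS).items():
        print(f"{finding}: {users}")
```

Anyone listed under `blocked_after_enable` who needs access should be brought into SCIM scope before the toggle is switched on. Anyone under `members_outside_scim` has to be reviewed and removed manually if they should not keep access.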
