Hi Zoom Dev Forum,
We (University of SanDiego) are working on user provisioning through API calls via our Identity connector, and we’re hoping to get some guidance or best practices.
Current Setup:
-
We use two provisioning methods:
-
SSO Just-in-Time (JIT)
-
An identity system (MidPoint) that provisions users via Zoom API
-
-
Historically, users were:
-
Created via API as basic users
-
Then upgraded/licensed upon first SSO login
-
No activation email was triggered in this flow
-
Issue:
-
After migrating to a new identity system (MidPoint), which does not support SSO create, newly provisioned users:
-
Are placed into a pending state
-
Receive activation emails
-
-
This behavior is not desired, as they want a seamless SSO-first experience without user activation steps
Additional Observation:
-
Up until April 30, 2026, users consistently went into a pending state
-
Starting May 1, 2026, newly provisioned users began appearing in the active users bucket, despite:
-
No changes made on the customer side
-
Activation emails still being sent
-
Questions:
-
Is there a recommended approach for handling API-based provisioning when SSO create is not available?
-
Is it possible to suppress activation emails for API-created users in this type of setup?
-
What determines whether a user is placed into “pending” vs “active” when created via API?
-
Were there any recent changes (around May 1) to provisioning or user state handling that could explain this shift in behavior?
-
Are there best practices for hybrid provisioning (API + SSO) when the identity provider cannot initiate SSO create?
Goal:
-
Avoid activation emails
-
Ensure users can access Zoom seamlessly via SSO
-
Maintain clean provisioning without pending user backlog
Any insight, recommendations, or documentation pointers would be greatly appreciated.
Regards
Amol