Hi Steve, We don't generally recommend provisioning access levels, as there have been times in the past where we've seen the last admin get moved over to a non-admin group, and then nobody has admin access anymore. Bar that risk, it is entirely possible for you to set up, my only concern is limiting access to users that have access to move accounts between groups. Also, the way that the auto-provisioner works is it checks the fields that are set in the attribute mapping. Profile pictures, groups, teams, etc, do not change unless they are mapped out. Throwing it out there, the minimum required to enable auto provisioning is a first name, last name, and email address field, though I'm sure you are aware of that. I would suggest working with our Support team to ensure that everything is configured in your preview environment and working as expected before even considering it in production. Thanks! Dustin Martin Assigned Support Engineer Workfront