Team Provisioning
Deeployd supports automatic provisioning of Google Workspace and Microsoft 365 resources when importing teams. This feature uses Loyd, your AI assistant, to create resources with human-in-the-loop confirmation for cost-associated operations.
Overview
When you import a team using the deeployd-team JSON format, you can include provisioning options that tell Loyd to create:
- Google Workspace: Groups, Shared Drives, User accounts
- Microsoft 365: Groups, SharePoint sites, Teams channels
How It Works
┌─────────────────────┐
│ Import Team JSON │
│ with provisioning │
└──────────┬──────────┘
│
▼
┌─────────────────────┐
│ Team & Agents │
│ Created │
└──────────┬──────────┘
│
▼
┌─────────────────────┐
│ Provisioning Task │
│ Created for Loyd │
└──────────┬──────────┘
│
▼
┌─────────────────────┐
│ User Runs Task │
└──────────┬──────────┘
│
▼
┌─────────────────────┐
│ Loyd Asks for │
│ Confirmation │◄─── Human-in-the-Loop
└──────────┬──────────┘
│
▼
┌─────────────────────┐
│ Resources Created │
│ (Google/Microsoft) │
└─────────────────────┘
Provisioning Options
Google Workspace
{
"provisioning": {
"google": {
"createGroup": true,
"groupEmail": "csuite@yourcompany.com",
"createSharedDrive": true,
"sharedDriveName": "C-Suite Executive Drive",
"createUserAccounts": false
}
}
}
| Option | Description | Requires Approval |
|---|---|---|
createGroup | Create a Google Group for the team | Yes |
groupEmail | Suggested email for the group | - |
createSharedDrive | Create a Shared Drive for collaboration | Yes |
sharedDriveName | Name for the Shared Drive | - |
createUserAccounts | Create Google Workspace accounts for agents | Yes |
Microsoft 365
{
"provisioning": {
"microsoft": {
"createGroup": true,
"groupEmail": "csuite@yourcompany.onmicrosoft.com",
"createSharePointSite": true,
"siteName": "C-Suite Executive Hub",
"createTeamsChannel": true
}
}
}
| Option | Description | Requires Approval |
|---|---|---|
createGroup | Create a Microsoft 365 Group | Yes |
groupEmail | Suggested email for the group | - |
createSharePointSite | Create a SharePoint site | Yes |
siteName | Name for the SharePoint site | - |
createTeamsChannel | Create a Teams channel | No |
Complete Example
Here's a complete team export with provisioning options:
{
"_format": "deeployd-team",
"_version": "1.0",
"_exportedAt": "2025-12-17T00:00:00.000Z",
"team": {
"name": "C-Suite",
"description": "AI C-Suite executive team"
},
"agents": [
{
"localId": "iris",
"name": "Iris",
"description": "Chief of Staff",
"role": "chief-of-staff",
"model": "claude-sonnet-4-20250514",
"systemPrompt": "You are Iris, Chief of Staff..."
},
{
"localId": "maya",
"name": "Maya",
"description": "CMO - Content strategy",
"role": "cmo",
"model": "claude-sonnet-4-20250514",
"systemPrompt": "You are Maya, CMO..."
}
],
"provisioning": {
"google": {
"createGroup": true,
"groupEmail": "csuite@yourcompany.com",
"createSharedDrive": true,
"sharedDriveName": "C-Suite Drive"
},
"microsoft": {
"createGroup": true,
"createTeamsChannel": true
}
}
}
Importing with Provisioning
Via API
curl -X POST https://app.deeployd.com/api/export/teams/import \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"export": { ... },
"options": {
"enableProvisioning": true,
"importMemory": true
}
}'
Via Dashboard
- Go to Teams page
- Click Import Team
- Upload your JSON file
- Check Enable Provisioning option
- Click Import
Running the Provisioning Task
After import, a task is created and assigned to Loyd. To run it:
- Go to Tasks page
- Find the task named "Provision Resources for Team: [Team Name]"
- Click Run Task
- Loyd will ask for confirmation before creating each resource
Example Conversation
Loyd: A team "C-Suite" has been imported with provisioning requests.
I need to create the following resources:
1. Create a Google Group for the team "C-Suite" with email "csuite@yourcompany.com"
2. Create a Google Shared Drive named "C-Suite Drive"
3. Create a Microsoft 365 Group for the team "C-Suite"
4. Create a Microsoft Teams channel for the team
IMPORTANT: These actions may incur costs (Google Workspace licenses, storage, etc.).
Would you like me to proceed with creating these resources?
You: Yes, go ahead with the Google Group and Shared Drive first.
Loyd: I'll create the Google Group now. This will create a group with
email csuite@yourcompany.com...
[Approval requested for google_admin_create_group]
Prerequisites
Google Workspace
To use Google provisioning, you need:
- A Google Cloud service account with domain-wide delegation
- Admin SDK scopes authorized in Google Admin Console:
https://www.googleapis.com/auth/admin.directory.grouphttps://www.googleapis.com/auth/admin.directory.userhttps://www.googleapis.com/auth/drive
GOOGLE_SERVICE_ACCOUNT_KEYstored in your tenant vault
Microsoft 365
To use Microsoft provisioning, you need:
- An Azure AD app registration with admin consent
- Required permissions:
Group.ReadWrite.AllSites.ReadWrite.AllChannel.Create
- Credentials stored in tenant vault:
MS_TENANT_IDMS_CLIENT_IDMS_CLIENT_SECRET
Cost Considerations
Operations that create billable resources require user approval:
| Operation | Typical Cost |
|---|---|
| Google Workspace User | $6-18/month per user |
| Google Shared Drive | Counts against storage quota |
| Microsoft 365 Group | Included with M365 license |
| SharePoint Site | Counts against storage quota |
Loyd will always ask for confirmation before creating these resources, explaining the potential costs involved.
Team Settings After Provisioning
Once resources are provisioned, the team settings are updated with the resource IDs:
{
"settings": {
"google": {
"groupId": "03ep4vu70ff83si",
"groupEmail": "csuite@yourcompany.com",
"sharedDriveId": "0ALJFk9...",
"sharedDriveName": "C-Suite Drive"
},
"microsoft": {
"groupId": "a1b2c3d4-...",
"groupEmail": "csuite@yourcompany.onmicrosoft.com",
"teamsChannelId": "19:abc123..."
}
}
}
These IDs can be used by agents to interact with the provisioned resources using the Google Workspace and Microsoft 365 tools.
Security
- All provisioning operations go through Loyd with human-in-the-loop confirmation
- Service account credentials are stored securely in the tenant vault
- Audit logs track all resource creation
- Resources are created within your organization's Google/Microsoft tenant