@mrbaz Thanks for the detailed feedback!

If XO had a way of pulling the user's group information and only allowing those in a certain group to have authorization to XO to have their accounts automatically generated, that would work too.

That wouldn't be trivial to implement with our current plugin system. But as you said, a user that logs into XO isn't able to do anything without granting them permissions first. Also, if this is still a concern for you, you can disable user auto-generation in xo-server configuration by adding this line:

createUserOnFirstSignin = false

However, you'd then have to create the users manually before they can log in.

the issue still stands that I can't put a user into a group or assign ACLs until after they have signed in for the first time.

I agree but I'm not sure what a good solution to this would be. If we add an option to import all the users at once, it could mean importing a lot of users for some companies, even if many of those users would never actually log in later.