How Claude Code Enterprise works for teams: SSO/SAML setup, usage policies, admin controls, audit logs, and how it differs from individual Pro and Max plans.
Claude Code Enterprise gives engineering teams the administrative controls, compliance documentation, and usage governance that individual plans can't provide. This guide covers the key differences and how to set up an Enterprise deployment.
| Feature | Pro ($20/mo) | Max ($100/mo) | Enterprise |
|---|---|---|---|
| Usage limits | Standard | 5× standard | Negotiated (unlimited options) |
| API key management | Personal | Personal | Admin-managed, per-team keys |
| SSO / SAML | No | No | Yes — Okta, Azure AD, Google Workspace |
| Audit logs | No | No | Yes — full tool-call audit trail |
| Usage dashboards | Personal only | Personal only | Team and org-level dashboards |
| Custom data retention | No | No | Yes — 0, 30, or 90-day options |
| SOC 2 Type II docs | No | No | Yes |
| Dedicated CSM | No | No | Yes (10+ seats) |
| Bedrock / Vertex routing | No | No | Yes — run via your cloud account |
The most practical Enterprise control is distributing a managed CLAUDE.md that applies to every developer. Create it at ~/.claude/CLAUDE.md and deploy via your MDM (Jamf, Intune, etc.) or onboarding script:
```markdown
# ~/.claude/CLAUDE.md (org-wide policy, deployed via MDM)

## Security rules (mandatory — do not override)
- Never read or output contents of .env, *.pem, *.key, or credentials.json
- Never run git push --force on main or master
- Always confirm before deleting files outside the current project directory
- Do not access URLs outside *.internal.mycompany.com and known public APIs

## Code standards
- Python: use ruff for linting, pytest for tests
- TypeScript: strict mode, no `any`
- All new code requires a test file in the same PR

## Allowed tools
- Shell: git, npm, yarn, pytest, ruff, docker (read-only)
- Do NOT run: curl to external hosts, pip install from non-approved sources
```
Project-level CLAUDE.md files in each repo can extend but not override the org policy — Claude Code reads both in order.
In Enterprise, the org admin creates team-scoped API keys in the Anthropic console:
```bash
# Admin creates a key with spend cap and team tag
# anthropic.com/console → Settings → API Keys → New Key
# Set: monthly_spend_cap=$500, team=backend-eng, expires=2027-01-01

# Distribute via env var in your secrets manager (not hardcoded):
# AWS Secrets Manager:
aws secretsmanager create-secret --name prod/anthropic/api-key --secret-string '{"key":"sk-ant-..."}'

# Developers pull the key at shell startup (~/.zshrc):
export ANTHROPIC_API_KEY=$(aws secretsmanager get-secret-value --secret-id prod/anthropic/api-key --query SecretString --output text | jq -r .key)
```
Enterprise audit logs record every tool call Claude Code makes, exported as JSON:
```json
{
  "timestamp": "2026-05-19T09:14:22Z",
  "user": "alice@mycompany.com",
  "session_id": "sess_abc123",
  "tool": "Edit",
  "file": "src/payments/processor.py",
  "lines_changed": 14,
  "project": "payments-service",
  "branch": "feature/gateway-refactor"
}
```
Audit logs ship to your SIEM (Splunk, Datadog, CloudWatch) via webhook. Common use cases: compliance evidence for SOC 2 audits, detecting accidental credential access, chargeback by team.
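One way to screen an exported audit log for the "accidental credential access" case, as an added example that is not Anthropic's or this guide's own code. It assumes the export is one JSON event per line with the `file` field shown above and that read-type events carry the same field; it reuses the filename patterns from the org CLAUDE.md policy, and the log lines are constructed.

```python
import fnmatch
import json
from pathlib import PurePosixPath

# Filename patterns taken from the org-wide CLAUDE.md security rules.
SENSITIVE_PATTERNS = (".env", "*.pem", "*.key", "credentials.json")
FIELDS = ("timestamp", "user", "session_id", "tool", "file")

# Constructed sample export. Field names follow the sample event on this page;
# a "Read" event carrying "file" is an assumption. The last line is truncated.
SAMPLE_LOG = """\
{"timestamp": "2026-05-19T09:14:22Z", "user": "alice@mycompany.com", "session_id": "sess_abc123", "tool": "Edit", "file": "src/payments/processor.py", "lines_changed": 14}
{"timestamp": "2026-05-19T09:15:03Z", "user": "alice@mycompany.com", "session_id": "sess_abc123", "tool": "Read", "file": "deploy/.env"}
{"timestamp": "2026-05-19T09:16:47Z", "user": "bob@mycompany.com", "session_id": "sess_def456", "tool": "Edit", "file": "certs/Gateway.PEM", "lines_changed": 2}
{"timestamp": "2026-05-19T09:18:10Z", "user": "bob@mycompany.com", "session_id": "sess_def456", "tool": "Bash"}
{"timestamp": "2026-05-19T09:20:41Z", "user": "bob@mycompany.com", "tool": "Re
"""

def is_sensitive(path):
    """True if the file name (not the directory) matches a policy pattern."""
    name = PurePosixPath(path.replace("\\", "/")).name.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in SENSITIVE_PATTERNS)

def find_credential_access(lines):
    """Return (findings, skipped): flagged events and count of unparseable lines."""
    findings, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count it; a silently dropped line can hide an event
            continue
        path = event.get("file") if isinstance(event, dict) else None
        if isinstance(path, str) and is_sensitive(path):
            findings.append({k: event.get(k) for k in FIELDS})
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_credential_access(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["timestamp"]} {h["user"]} {h["tool"]} {h["file"]}')
    print(f"unparseable lines: {bad}")
```

The skipped-line count is returned rather than discarded so that a malformed or truncated export shows up as an alert condition of its own.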
Enterprise allows you to restrict Claude Code's shell access to an approved URL allowlist. Useful for regulated environments:
`/etc/claude-code/network-policy.json` (managed via MDM):
```json
{
  "outbound_allowlist": [
    "api.anthropic.com",
    "*.internal.mycompany.com",
    "registry.npmjs.org",
    "pypi.org"
  ],
  "block_on_violation": true,
  "log_attempts": true
}
```
email → user.email and groups → user.groups.
For running Claude Code in cloud infrastructure without individual developer authentication, see Claude Code on AWS Bedrock. For headless/CI use cases, see Claude Code headless mode.