Quickstart guide for Enterprises
Set up SonarQube Cloud Enterprise from prerequisites through organization onboarding, enterprise creation, SSO, Advanced Security, and developer enablement.
If you're setting up SonarQube Cloud on the Team plan, use the Quickstart guide.
By completing this guide you will:
At a glance
Region: Use the EU region by default, or complete the US region prerequisites before rollout.
Networking: Allow communication between SonarQube Cloud, DevOps platforms, CI runners, and IDEs.
Software: Prepare Java 21, SonarScanners, stack-specific build tools, and any Azure or SCA dependencies.
Authentication: Start with a DevOps administrator account and move to SSO after the enterprise exists.
Organization model: Create one SonarQube Cloud organization per DevOps organization or workspace.
Enterprise setup: Create the enterprise with your license key and attach the organization or organizations.
Optional add-ons: Enable Advanced Security through the Sonar team, then configure SSO and provisioning if needed.
Developer rollout: Install SonarQube for IDE and optionally the SonarQube MCP Server for AI-assisted workflows.
Confirm your prerequisites
Choose your hosted region
By default, SonarQube Cloud uses the EU region.
US region
If the US region is mandatory, contact the Sales team before rollout so your domain can authenticate to the US region. After approval, follow the same process described in this guide, but replace sonarcloud.io with sonarqube.us. For details, see Getting started in the US region.
Prepare networking
SonarQube Cloud requires bidirectional communication between your DevOps platform, CI pipelines or runners, and developer IDEs.
Before rollout:
Review the required URLs and IP addresses in Networking requirements.
Allowlist the endpoints needed by SonarQube Cloud, your DevOps platform, your CI infrastructure, and developer workstations.
If you plan to restrict enterprise access with an IP allow list after SSO is enabled, include the IPs used by enterprise admins, developers, CI runners, and token-based integrations. See IP allow lists.
Prepare software and build agents
Make sure your build and analysis environment is ready before you onboard projects:
Ensure all build agents support Java 21. It is the recommended runtime for the latest SonarScanners.
Identify the scanner or scanners required by your primary technology stacks:
Sonar's Build Wrapper or analyzing C/C++/Objective-C code
Verify the supporting build tools on your agents:
Node.js for JavaScript and TypeScript analysis
SonarScanner for Maven or SonarScanner for Gradle for Java builds
Installing the scanner for C# analysis
If you use Azure DevOps Pipelines, install the SonarQube extension for Azure DevOps.
If you plan to use Advanced Security, review Analyzing projects for dependencies (SCA) to confirm any additional build tool, lockfile, or package manager requirements.
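A pre-flight check for a single build agent, covering the Java 21, Node.js, and region-host reachability points above. This is an added example, not part of the Sonar documentation; the function names (sonar_host, java_major, java_ok, preflight) are illustrative, and it assumes curl is installed on the agent.

```sh
#!/bin/sh
# Added example: build-agent pre-flight check. Function names are illustrative.
# Usage: . ./preflight.sh && preflight us

# Map the hosted region to the SonarQube Cloud host named in this guide.
sonar_host() {
  case "$1" in
    eu|EU|"") echo "sonarcloud.io" ;;
    us|US)    echo "sonarqube.us" ;;
    *)        return 1 ;;
  esac
}

# Extract the Java feature version from `java -version` output.
# Handles the legacy "1.8.0_292" scheme (-> 8) and the current "21.0.2" scheme (-> 21).
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$v" ] || return 1
  case "$v" in
    1.*) v=${v#1.} ;;
  esac
  v=${v%%[!0-9]*}
  [ -n "$v" ] || return 1
  echo "$v"
}

# Succeeds only when the reported runtime is Java 21 or newer.
java_ok() {
  m=$(java_major "$1") || return 1
  [ "$m" -ge 21 ]
}

# Run all checks for the given region (default: eu). Returns non-zero on a hard failure.
preflight() {
  host=$(sonar_host "${1:-eu}") || { echo "unknown region: $1" >&2; return 2; }
  rc=0
  if command -v java >/dev/null 2>&1 && java_ok "$(java -version 2>&1)"; then
    echo "OK   Java $(java_major "$(java -version 2>&1)")"
  else
    echo "FAIL Java 21+ not found on PATH"; rc=1
  fi
  command -v node >/dev/null 2>&1 && echo "OK   Node.js $(node --version)" \
    || echo "WARN Node.js missing (needed for JavaScript/TypeScript analysis)"
  if curl -sS -o /dev/null --max-time 10 "https://$host/"; then
    echo "OK   HTTPS reachable: $host"
  else
    echo "FAIL cannot reach https://$host/"; rc=1
  fi
  return $rc
}
```

Because curl validates the server certificate by default, a FAIL on the HTTPS step can also indicate a TLS-inspecting proxy whose CA is not trusted on the agent, not only a blocked endpoint.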
Prepare authentication
The DevOps administrator who performs the setup should sign in with an administrator account from the chosen DevOps platform: GitHub, Azure DevOps, GitLab, or Bitbucket Cloud.
Before rollout:
Confirm that the account can administer the DevOps organization or workspace you plan to import.
If needed, install the SonarQube Cloud marketplace application or grant the required access described in Default authentication through DevOps platform.
Plan to configure Setting up SSO after the enterprise is created. Enterprise users still start by signing up with their DevOps platform account.
Create your SonarQube Cloud organizations
SonarQube Cloud uses a one-to-one model: one SonarQube Cloud organization is bound to one DevOps organization or workspace. If you need to connect multiple DevOps platforms or multiple organizations, create a separate SonarQube Cloud organization for each one. For background, see Binding with the DevOps platform and Organization.
When you create an organization that will be added to an enterprise, select the Free plan during the organization import flow. The organization will move to the Enterprise plan when you add it to the enterprise.
Use the import path that matches your DevOps platform:
Importing GitHub organization: grant the SonarQube Cloud application access to the organization.
Importing Bitbucket workspace: grant the SonarQube Cloud application access to the workspace.
Importing GitLab group: create and provide a Personal Access Token from an owner or dedicated technical account.
Importing Azure DevOps organization: create and provide a Personal Access Token from an administrator or dedicated technical account.
Create your enterprise
Once at least one SonarQube Cloud organization exists, create the enterprise:
In SonarQube Cloud, select the + menu in the top-right corner.
Select Create new enterprise.
Enter the license key provided by Sonar.
Enter the enterprise name and enterprise key.
Select the organization or organizations you want to include.
Create the enterprise.
For the full workflow, see Step 2: Create the SonarQube Cloud enterprise.
After creation, review Managing the enterprise-related permissions and make sure the right users can administer the enterprise and create portfolios.
Enable enterprise capabilities
Enable Advanced Security
Advanced Security is enabled by the Sonar team.
To request it:
Open the enterprise in SonarQube Cloud.
Copy the enterprise ID from the browser URL, for example https://sonarcloud.io/enterprise/<your-enterprise-id>.
Provide that ID to your Sonar contact or Sonar team.
Wait for confirmation that Advanced Security has been enabled.
Once enabled, use Analyzing projects for dependencies (SCA) to configure dependency analysis.
Configure SAML SSO and provisioning
After the enterprise exists, you can transition from DevOps-platform authentication to SAML SSO.
Use this rollout order:
Review Setting up SSO for the enterprise-level flow.
Configure SAML in Set up SSO.
Decide whether you will provision users with Set up SCIM or .
Map IdP groups to SonarQube Cloud organizations with .
Complete the setup with Complete SSO setup.
Verify the resulting organization access with Managing user groups, Setting your project's permissions, and Using permission templates.
If you're rolling out SSO with Okta, Microsoft Entra ID, or another SAML-compatible identity provider, the SSO assistant guides you through the provider-specific configuration.
Roll out SonarQube for IDE and AI tooling
Make sure developers can reach sonarcloud.io or sonarqube.us, depending on your hosted region.
For local analysis and issue remediation, install SonarQube for IDE in the supported IDEs and bind projects with SonarQube for IDE. Connected mode lets SonarQube for IDE use the quality profiles, rule selections, file exclusions, and issue states configured in SonarQube Cloud.
If your organization manages VS Code extensions through a VS Code Private Marketplace, make SonarQube for VS Code available through that private catalog before onboarding developers. Developers in managed environments may not be able to install the extension from the public Visual Studio Marketplace.
If your teams use AI-assisted development, you can also roll out the SonarQube MCP Server:
Use SonarQube Cloud's embedded MCP server for the simplest setup.
Run a local MCP server via Docker when you need local filesystem access, Context Augmentation, or Agentic Analysis tooling.
If you use the US region, review the US-specific MCP configuration notes on the MCP server page before rollout.
Review trust and compliance resources
Review the Trust Center for security attestations and SaaS security documentation. For ongoing enterprise administration after setup, the Getting started with Enterprise section is the best next stop.