Claude Code for Teams: Complete Enterprise Implementation Guide

🤖 What Is Claude Code?

Claude Code is Anthropic's official agentic AI coding tool — a CLI (command-line interface), a VS Code / JetBrains IDE extension, a desktop app, and a web application at claude.ai/code. It brings Claude's frontier AI model directly into your development workflow: reading files, running tests, making multi-file edits, spawning sub-agents, calling external tools via MCP, and executing shell commands — all with a rich permissions model and an audit trail.

At its core, Claude Code runs against Anthropic's API and is powered by the Claude model family (currently Claude Sonnet 4.6 as default, with Opus and Haiku available). It operates in your local environment, reads your actual codebase, and uses tools (Bash, Read, Write, Edit, WebSearch, Agent, etc.) to take real actions.

👪 Why Claude Code for Teams?

Modern engineering teams are under pressure to ship faster without sacrificing quality or security. Claude Code addresses this at three levels:

💰 Subscription Plans Overview

Anthropic offers Claude Code across several tiers. Choosing the right tier for ABC Company matters for cost control and feature access.

⚙ Teams Subscription Setup for ABC Company

The following steps walk an admin through the full org onboarding, from billing to granting secure developer access with the principle of least privilege.

Step 1 — Create the Organization Account

1. Sign up / Convert existing account

   Navigate to claude.ai → Settings → Upgrade → Teams. If you have an existing Pro account, it can be converted to a Teams org owner.

2. Name your organization

   Set the org display name to "ABC Company" and choose a unique org slug (e.g., abc-company). This appears in all invite links and audit logs.

3. Set primary admin email

   Use a shared inbox (e.g., ai-admin@abc-company.com) rather than a personal email, so ownership survives personnel changes.

Step 2 — Billing & Seat Management

1. Choose billing cycle

   Annual billing saves ~17% vs. monthly. Enter a corporate card or request an invoice PO for enterprise procurement.

2. Purchase initial seat count

   Buy seats for your expected headcount (minimum 5). Additional seats can be purchased at any time; they are prorated for the billing period.

3. Set cost centres / budget alerts

   In the admin billing dashboard, configure monthly spend alerts. For API usage, set per-project API key rate limits to prevent runaway costs.

Step 3 — Inviting Members Securely

Invitations can be sent individually, in bulk via CSV, or auto-provisioned through SCIM (Enterprise). Always prefer domain-restricted invitations.

# Bulk-invite employees via CSV (Admin Console → Members → Import)
# CSV format: email, role, team
dev1@abc-company.com,member,backend
dev2@abc-company.com,member,frontend
lead@abc-company.com,admin,platform
billing@abc-company.com,billing_admin,finance

Each invitee receives a secure magic-link email valid for 72 hours. They must verify their work email before accessing shared Projects or Org-level prompts.

Step 4 — Roles & Permission Model

Claude.ai Teams provides four built-in roles. Map them carefully to ABC Company's org chart.

Step 5 — SSO / SAML Configuration

For ABC Company using Azure AD or Okta, configure SAML 2.0 so employees log in through your existing identity provider rather than managing separate claude.ai passwords.

1. Navigate to Admin Console → Security → Single Sign-On

   Copy the SP Entity ID and ACS URL provided by Claude.ai.

2. Register Claude Code as an Enterprise App in Azure AD / Okta

   Paste the SP Entity ID and ACS URL into your IdP's SAML app settings. Map attributes: email, given_name, family_name.

3. Copy IdP metadata URL back to Claude.ai

   Paste your IdP's SAML Metadata XML URL into the Claude.ai SSO configuration and click Test Connection.

4. Enable "Require SSO for all members"

   Once tested, enforce SSO org-wide. Members who still use password login will be prompted to re-authenticate via SSO on next login.

5. SCIM provisioning (Enterprise only)

   Connect your IdP's SCIM endpoint to auto-provision and de-provision seats when employees are onboarded or offboarded in your HR system.

# Azure AD — relevant SAML attribute mappings
user.mail              → email
user.givenname         → given_name
user.surname           → family_name
user.assignedroles     → claude_role   # optional: map AD groups → member/admin

📄 Installing Claude Code CLI

Claude Code CLI is distributed as an npm package. Developers at ABC Company install it once locally; CI/CD pipelines use the same package pinned to a version.

# Prerequisites: Node.js 18+ (LTS recommended)
node --version   # must be 18+

# Install globally
npm install -g @anthropic-ai/claude-code

# Verify installation
claude --version

# Authenticate with your Teams org account
claude auth login
# Opens browser → claude.ai SSO → authenticates with ABC Company SSO

# (Optional) Set a specific model for the session
claude config set model claude-sonnet-4-6

IDE Extensions

Members can also install the Claude Code IDE extension for a richer in-editor experience:

💡 Core Capabilities

Claude Code goes far beyond code completion. Below are its eight pillar capabilities and how each maps to real engineering tasks at ABC Company.

⚙ CLI Commands Reference

Claude Code is invoked via the claude command. Here is the complete reference for ABC Company developers.

Launch Modes

Config Commands

Memory & Context Commands

# Initialise a new CLAUDE.md for the current project
claude /init

# Clear the current session's context
claude /clear

# View token usage for current session
claude /status

# Toggle fast mode (Opus with faster output)
claude /fast

# Open interactive config panel
claude /config

🔨 Slash Commands (In-Session)

Within an active Claude Code session, slash commands trigger built-in and custom behaviours. They are distinct from CLI flags — they are typed into the interactive REPL.

🌟 Skills System

Skills are reusable, versioned prompt programs stored in Markdown files that Claude executes when triggered. They encode expert workflows — security reviews, deployment steps, test strategies — so junior developers benefit from senior-level process with a single command.

Built-in Skills (available to all Teams members)

Custom Skills for ABC Company

Store custom skills in .claude/skills/ at the repo root. They are version-controlled alongside your code and shared with all team members automatically.

# .claude/skills/deploy-staging.md
# Triggered by /deploy-staging in any Claude Code session

---
name: deploy-staging
description: Build, lint, test, and deploy the app to the ABC staging environment
---

# The skill body instructs Claude step by step:
1. Run `npm run lint && npm run test` — abort on failure
2. Build Docker image: `docker build -t abc-app:staging .`
3. Push to ECR: `aws ecr get-login-password | docker login ...`
4. Deploy via: `kubectl set image deployment/abc-app ...`
5. Health-check the /healthz endpoint for 60 seconds
6. Report success or rollback instructions

🤖 Agents & Multi-Agent Orchestration

Claude Code's Agent system allows one Claude instance (the orchestrator) to spawn specialised sub-agents that work in parallel or in sequence, each with its own context window, tools, and isolation level.

Agent Types

Multi-Agent Architecture Pattern

Worktree Isolation

Agents can run in isolated git worktrees so that experiments or risky changes never touch your working branch. If the agent makes no changes, the worktree is automatically cleaned up.

# In a skill or orchestrator — spawn an agent in an isolated worktree
Agent({
  description: "Implement the new payment service",
  subagent_type: "claude",
  isolation: "worktree",         // safe sandbox branch
  prompt: "Implement Stripe webhook handling per the spec in docs/payments.md"
})

Background Agents

Long-running tasks (CI watches, deploy monitors, periodic audits) can run in the background. The orchestrator continues other work and is notified on completion.

Agent({
  description: "Monitor staging deploy health for 10 minutes",
  run_in_background: true,       // non-blocking
  prompt: "Poll /healthz every 30s for 10 minutes, alert if <200"
})

📁 Projects

Projects are shared workspaces in Claude.ai that give an entire team a common context: custom instructions, uploaded documents, shared conversation history, and org-level memory. They replace the need for every developer to repeat the same system prompt.

How Projects Work

1. Create a Project in the Admin Console

   Name it e.g. "ABC Backend API", "Mobile Apps", or "Security Reviews". Assign member access.

2. Upload shared context documents

   Add architecture diagrams, coding standards, API contracts, runbooks, and security policies. All members' Claude sessions reference these automatically.

3. Write Custom Instructions (system prompt)

   E.g.: "You are ABC Company's AI assistant. Always follow our security checklist in SECURITY.md. Never log secrets. Use TypeScript strict mode."

4. Link to CLAUDE.md in repos

   Per-repo CLAUDE.md files (generated by /init) provide local codebase context that complements the Project-level instructions.

CLAUDE.md — The Local Project Brain

The CLAUDE.md file at the repo root is the authoritative local context for Claude Code. Run claude /init to generate a starter, then expand it with team conventions.

# CLAUDE.md — ABC Company Backend Service

## Project Overview
Node.js 20 REST API. PostgreSQL via Prisma ORM. Deployed on AWS ECS.

## Architecture
- src/routes/    — Express routers (one file per domain)
- src/services/  — Business logic (no DB access here)
- src/models/    — Prisma model extensions
- src/middleware/ — Auth, rate-limit, validation

## Key Conventions
- All DB queries go through the service layer, never from routes directly
- Use zod for request validation at every route
- Return errors as { code, message } JSON — never stack traces

## Security Rules
- Never log req.body in production (contains PII)
- All new endpoints must have input validation and rate limiting
- Run `npm run security:check` before any PR

## Test Commands
- Unit tests:       npm run test:unit
- Integration:      npm run test:integration  (needs DB)
- E2E:              npm run test:e2e

🔗 MCP — Model Context Protocol

The Model Context Protocol (MCP) is an open standard (developed by Anthropic) that lets Claude Code connect to external systems — databases, APIs, file systems, SaaS tools — through a standard server interface. Think of it as USB-C for AI integrations.

Popular MCP Integrations for ABC Company

Adding an MCP Server to Claude Code

# Project-scoped MCP config: .claude/settings.json
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}" }
    },
    "postgres": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-postgres",
               "postgresql://readonly_user:${DB_PASS}@db.abc.internal/prod"],
      "env": {}
    },
    "jira": {
      "command": "node",
      "args": ["./mcp-servers/jira-server.js"],
      "env": {
        "JIRA_BASE_URL": "https://abc-company.atlassian.net",
        "JIRA_API_TOKEN": "${JIRA_TOKEN}"
      }
    }
  }
}

🪝 Hooks & Automation

Hooks are shell commands configured in .claude/settings.json that execute automatically in response to Claude Code lifecycle events — before a tool runs, after Claude responds, when the session starts, etc. They allow ABC Company to enforce policies without relying on developer memory.

# .claude/settings.json — hooks configuration
{
  "hooks": {
    // Run before any Bash tool executes
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [{
          "type": "command",
          "command": "echo 'CMD: $CLAUDE_TOOL_INPUT' >> ~/.claude/audit.log"
        }]
      }
    ],
    // Run after every Claude response
    "PostToolUse": [
      {
        "matcher": "Write|Edit",
        "hooks": [{
          "type": "command",
          "command": "npm run lint:check -- $CLAUDE_FILE_PATH 2>&1 || true"
        }]
      }
    ],
    // Notify Slack when a session ends
    "Stop": [{
      "type": "command",
      "command": "node scripts/notify-session-end.js"
    }]
  }
}

Common Hook Patterns for Teams

• 🔐
  Audit logging Log every Bash command Claude executes to a tamper-evident audit file — critical for compliance.
• ✅
  Auto-lint on save Run ESLint / Prettier after every file write so Claude's output always meets code style standards.
• 🔌
  Secret scanning Run gitleaks detect after every file edit to prevent credentials being committed.
• 📞
  Slack / Teams notifications Post a summary to your dev channel when Claude completes a significant task or hits an error.

🔒 Security Best Practices

Deploying an AI coding agent at scale introduces new attack surfaces. ABC Company's security team should enforce the following controls at org, project, and developer levels.

Permission Model & Trust Levels

Claude Code has three permission modes. Configure the strictest mode that allows productive work.

Security Checklist

• ✅
  Enable SSO / SAML All org members must authenticate via your corporate IdP, never standalone claude.ai passwords.
• ✅
  Allowlist email domain Restrict membership to @abc-company.com addresses only.
• ✅
  Rotate API keys quarterly CI/CD API keys should have a 90-day TTL enforced via secrets management (AWS Secrets Manager, Vault).
• ✅
  Scope MCP servers to read-only DB and cloud MCP connections must use least-privilege credentials. Require explicit approval for write operations.
• ✅
  Enable audit logging via hooks All Bash commands Claude executes must be logged with timestamp, user, and session ID.
• ✅
  Add secret scanning hook Run gitleaks after every file write to catch credentials before they reach git history.
• ✅
  Review /security-review skill output Run /security-review on every branch before merge. Gate PR merges on green output in CI.
• ✅
  Data classification in CLAUDE.md Document which data is PII / confidential so Claude never logs, exposes, or transmits sensitive fields.
• ✅
  Prompt injection awareness Train developers to flag if Claude's tool results appear to contain adversarial instructions (e.g., from web scrapes).
• ✅
  Offboarding via SCIM When an employee leaves, their HR system de-provision event must revoke their Claude Code seat within 1 hour.

🚀 End-to-End Rollout Plan for ABC Company

Roll out Claude Code in phases. A phased approach reduces blast radius, builds internal champions, and gives the security team time to validate controls at each stage.

CI/CD Integration

# .github/workflows/claude-review.yml
name: Claude Security Review

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Claude Code
        run: npm install -g @anthropic-ai/claude-code

      - name: Run Security Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          claude --dangerously-skip-permissions \
                 -p "Run a security review of the changes on this branch. \
                     Flag any OWASP Top 10 issues, hardcoded secrets, \
                     missing input validation, or insecure dependencies. \
                     Output as a markdown report." \
            > security-report.md

      - name: Comment report on PR
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = fs.readFileSync('security-report.md', 'utf8');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: '## Claude Code Security Review\n\n' + report
            });

🎯 Summary

Claude Code is not just an AI coding assistant — it is a full agentic engineering platform designed to elevate every developer at ABC Company. From the moment a new hire installs the CLI and opens a repo, CLAUDE.md and shared Projects give them expert context. Skills codify your best processes. MCP servers connect Claude to every tool in your stack. Agents parallelize work that would take hours manually. And a layered security model — SSO, RBAC, audit hooks, secret scanning — ensures none of this velocity comes at the cost of safety.