Claimed Domains
Enterprise customers can claim ownership of a domain (e.g. mycompany.com) for their organizations with a valid and unique-to-Bitwarden DNS TXT record. When you claim a domain, your organization gains additional controls over accounts with matching email addresses:
Policy to block undesired account creation: Turn on a policy to prevent email accounts with matching domains (e.g. jdoe@mycompany.com) from creating Bitwarden accounts outside the organization. When the policy is on, email accounts with matching domains can only be used to create Bitwarden accounts by being invited to join the organization.
Claimed member accounts: Onboarded organization member accounts that use an email address with a matching domain (e.g. jdoe@mycompany.com) will automatically be claimed by your organization, restricting users from taking some account actions and allowing administrators to delete the accounts outright instead of only being able to remove them from the organization.
Onboarded organization member accounts that use an email address with a matching domain (e.g. jdoe@mycompany.com), referred to as
Easier SSO workflow: During SSO authentication, these members will automatically bypass the step that would require them to enter an SSO identifier.
Automatically verified emails: These members will have their email automatically verified when onboarded.
Claim a domain
In order to claim a domain, Bitwarden must verify that:
No other organization has verified the domain.
Your organization has ownership of the domain.
Bitwarden will use a DNS TXT record to validate a domain claim. This DNS TXT record must be kept active and available at all times, as Bitwarden will continually check for it.
To claim a domain, complete the following steps as an
Log in to the Bitwarden web app and open the Admin Console using the product switcher.
Navigate to Settings → Claimed domains.
On the Claimed domains screen you will see a list of active domains, along with status checks and options. If you have no active domains, select New domain.
tip
When you claim a domain, the single organization policy will automatically be activated during the claiming workflow. Domains that were claimed prior to the 2025.3.0 release will not automatically activate this policy; however, any subsequent domains claimed by the organization will.
In the pop-up window, enter a Domain name.
note
The format of the domain name entry should not include https:// or www.
Copy the DNS TXT record and add it to your domain.
Select Claim domain.
Manage your domains
You can manage and view the status of your domains from the Claimed domains page. All domains will have a status of Claimed or Not Claimed:
tip
Before updating your claimed domain in Bitwarden, verify that your TXT record is publicly visible using the dig command:
dig your.domain.com TXT
If the wrong TXT record is found, your DNS changes may need more time to propagate. If the right TXT record is found but claiming still fails, your Bitwarden server may be configured to use an internal DNS server rather than the public one in which the update was made.
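The dig check above, extended to compare the system resolver with public resolvers so that a split-horizon mismatch shows up, as an added example (not Bitwarden's own tooling). The domain and the expected TXT value are passed as arguments; the resolver addresses 1.1.1.1 and 8.8.8.8 and the sample token are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: confirm the claim TXT record is visible from several resolvers.
# Usage: ./check_claim.sh your.domain.com 'value-copied-from-Claimed-domains'

# normalize_txt: read `dig +short TXT` output on stdin, one record per line.
# dig prints a record as one or more quoted strings ("part1" "part2");
# join the parts and strip the outer quotes so records compare exactly.
normalize_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_has_value EXPECTED: succeed only if a record on stdin equals EXPECTED
# exactly (a stale or partially matching record does not count).
txt_has_value() {
  normalize_txt | grep -Fxq -- "$1"
}

# check_domain DOMAIN EXPECTED [RESOLVER...]: query the system resolver and
# each listed resolver; return non-zero if any of them lacks the record.
check_domain() {
  local domain=$1 expected=$2 status=0 r out
  shift 2
  for r in "" "$@"; do   # "" means the system default resolver
    out=$(dig +short +time=3 +tries=1 ${r:+@"$r"} "$domain" TXT) || out=""
    if printf '%s\n' "$out" | txt_has_value "$expected"; then
      echo "OK       ${r:-system resolver}"
    else
      echo "MISSING  ${r:-system resolver}"
      status=1
    fi
  done
  return "$status"
}

if [ "$#" -ge 2 ]; then
  check_domain "$1" "$2" 1.1.1.1 8.8.8.8
else
  # No arguments: run on constructed dig output (not a real record).
  printf '%s\n' '"v=spf1 -all"' '"example-" "claim-token"' \
    | txt_has_value 'example-claim-token' && echo "sample: record found"
fi
```

Because the TXT record must stay published for the claim to remain valid, the same script can be run on a schedule and its non-zero exit status used to raise an alert.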
Use the menu located on the right side of the domain to:
Edit or delete a domain.
Copy DNS TXT record to provide it to your DNS provider.
Manually verify domain if automatic claiming was not successful.
warning
Bitwarden will attempt to verify the domain 3 times during the first 72 hours. If the domain has not been verified within 7 days after the 3rd attempt, the domain will be removed from your organization.
Domain claiming activities will be logged in the organization event logs. To view events, navigate to Reporting → Event logs in the Admin Console.
Once your domain is claimed
Once your domain is claimed and verified, your organization will gain access to the following:
Block account creation for claimed domains
Turn on a policy to prevent email accounts with matching domains (e.g. jdoe@mycompany.com) from creating Bitwarden accounts outside the organization. When the policy is on, email accounts with matching domains can only be used to create Bitwarden accounts by being invited to join the organization.
Claimed member accounts
Onboarded organization member accounts that use an email address with a matching domain (e.g. jdoe@mycompany.com) will automatically be claimed by your organization.
note
A user must have a matching domain and be a
Org-managed account deletion
Claimed member accounts can be outright deleted by organization administrators, instead of only being able to be removed from the organization. Owners and admins can delete a claimed account from the Admin Console's Members page using the menu:
Members of your organization that do not have claimed accounts can be Removed from the organization instead.
note
Directory Connector and SCIM do not have the ability to delete claimed accounts; this action can only be taken by admins and owners from the web app Admin Console.
Restricted access to account actions
Users with member accounts will be restricted from:
Changing their account email address to a different domain (members can still change the username portion of their email address).
Leaving the organization.
Purging their vault.
Deleting their account.