User Management

A "user seat" refers to a license for a single user within an organization. A user seat, while occupied by a member of your organization, grants that member access to Bitwarden services under your specific plan. A user seat is not permanently attached to that member; when they leave the organization that user seat is made available for use by a new member.

Bitwarden cloud

will automatically scale up user seats as you

invite

new users. You can set a

seat limit

on scaling to prevent your seat count from exceeding a specified number, or

manually add seats

as desired. Regardless of how you choose to add seats, you will need to

manually remove

seats you're no longer using.

Adding and removing user seats will adjust your future billing totals. Adding seats will immediately charge your payment method on file at an adjusted rate so that you will only pay for the remainder of the billing cycle (month/year). Removing seats will cause your next charge to be adjusted so that you are credited for time not used by the already-paid-for seat.



note

Only an an

organization owner

or

provider service user

can add or remove seats, as this directly affects billing.



note

The number of seats a self-hosted organization has will always mirror its

counterpart cloud-organization

. You will be required to manage your seat count through the cloud Admin Console, however

billing sync

can be setup to make these changes reflect for your self-hosted organization without requiring you to re-upload you license.

To set a limit on the number of seats your organization can scale up to:

1. Log in to the Bitwarden

   web app
   and open the Admin Console using the product switcher:

   

2. Navigate to Billing → Subscription and check the Limit subscription checkbox:

   

3. In the Seat limit input, specify a seat limit.

4. Select Save.



note

Once the specified limit is reached, you will not be able to invite new users unless you increase the limit.



note

The number of seats a self-hosted organization has will always mirror its

counterpart cloud-organization

. You will be required to manage your seat count through the cloud Admin Console, however

billing sync

can be setup to make these changes reflect for your self-hosted organization without requiring you to re-upload you license.

To manually add or remove seats to your organization:

1. Log in to the Bitwarden

   web app
   and open the Admin Console using the product switcher:

   

2. Navigate to Billing → Subscription.

3. In the Subscription seats input, add or remove seats using the hover-over arrows:

   

4. Select Save.



note

If you are increasing your Subscription seats above a specified Seat limit, you must also increase the seat limit so that it is equal to or greater than the desired subscription seat count.

To ensure the security of your organization, Bitwarden applies a 3-step process for onboarding a new member,

→

accept

→

confirm

.



tip

This document covers the manual onboarding flow for adding users to Bitwarden organizations, however Bitwarden offers two methods for automatic user and group provisioning:

• Teams and Enterprise organizations can use SCIM integrations for

  Azure AD
  ,
  Okta
  ,
  OneLogin
  , and
  JumpCloud
  .

• Teams and Enterprise organizations can use Directory Connector for

  Active Directory/LDAP
  ,
  Azure AD
  ,
  Google Workspace
  ,
  Okta
  , and
  OneLogin
  .



tip

For Enterprise organizations, we recommend configuring

enterprise policies

prior to inviting users to ensure compliance on-entrance to your organization.

To invite users to your organization:

1. Log in to the Bitwarden

   web app
   and open the Admin Console using the product switcher:

   

2. Navigate to Members and select the  Invite User button:

   

3. On the Invite user panel:

   • Enter the Email address where new users should receive invites. You can add up to 20 users at a time by comma-separating email addresses.

   • Select the Member role to be applied to new users.

     Member role
     will determine what permissions these users will have at an organizational level.

   • In the Groups tab, select which

     groups
     to add this user to.

   • In the Collections tab, select collects to give this user access to and what

     permissions
     they should have to each collection.

4. Click Save to invite the designated users to your organization.



note

Invitations expire after 5 days, at which point the user will need to be re-invited. Re-invite users in bulk by selecting each user and using the  options menu to Resend invitations:

If you're self-hosting Bitwarden, you can configure the invitation expiration period

using an environment variable

.

Invited users will receive an email from Bitwarden inviting them to join the organization. Clicking the link in the email will open the Bitwarden web app, where the user can log in or create an account to accept the invitation:

You must fully log in to the Bitwarden web app to accept the invitation. When you accept an invitation, an administrator will need to

access. Once confirmed, you'll be notified that you can access the organization. Additionally, organization members will have their

email automatically verified

when they accept an invitation.



tip

The 3-step

invite

→

accept

→

confirm

procedure is designed to facilitate secure sharing between organizations and users by maintaining end-to-end encryption.

Learn more

.

To confirm accepted invitations into your organization:

1. Log in to the Bitwarden

   web app
   and open the Admin Console using the product switcher:

   

2. Navigate to Members.

3. Select any Accepted users and use the  options menu to  Confirm selected:

   

4. Verify that the

   fingerprint phrase
   on your screen matches the one your new member can find in Settings → My account:

   

Each fingerprint phrase is unique to its account, and ensures a final layer of oversight in securely adding users. If they match, select Submit.



note

If Never prompt to verify fingerprint phrases has been toggled on, fingerprint phrase verification be reactivated by clearing the browser cache and cookies.



tip

For information on revoking, removing, or deleting members accounts, refer to:

• Temporarily Revoke Access

• Permanently Remove Access

• Delete Member Accounts

The 2FA status of users can be viewed from the Members page. If the user has a  icon, two-step login has been enabled on their Bitwarden account.