User Management
User seats
A "user seat" refers to a license for a single user within an organization. A user seat, while occupied by a member of your organization, grants that member access to Bitwarden services under your specific plan. A user seat is not permanently attached to that member; when they leave the organization that user seat is made available for use by a new member.
Bitwarden cloud Teams and Enterprise organizations will automatically scale up user seats as you invite new users. You can set a seat limit on scaling to prevent your seat count from exceeding a specified number, or manually add seats as desired. Regardless of how you choose to add seats, you will need to manually remove seats you're no longer using.
Adding and removing user seats will adjust your future billing totals. Adding seats will immediately charge your payment method on file at an adjusted rate so that you will only pay for the remainder of the billing cycle (month/year). Removing seats will cause your next charge to be adjusted so that you are credited for time not used by the already-paid-for seat.
note
Only an an organization owner or provider service user can add or remove seats, as this directly affects billing.
Set a seat limit
note
The number of seats a self-hosted organization has will always mirror its counterpart cloud-organization. You will be required to manage your seat count through the cloud Admin Console, however billing sync can be setup to make these changes reflect for your self-hosted organization without requiring you to re-upload you license.
To set a limit on the number of seats your organization can scale up to:
Log in to the Bitwarden web app and open the Admin Console using the product switcher:
Product switcher Navigate to Billing → Subscription and check the Limit subscription checkbox:
Set a seat limit In the Seat limit input, specify a seat limit.
Select Save.
note
Once the specified limit is reached, you will not be able to invite new users unless you increase the limit.
Manually add or remove seats
note
The number of seats a self-hosted organization has will always mirror its counterpart cloud-organization. You will be required to manage your seat count through the cloud Admin Console, however billing sync can be setup to make these changes reflect for your self-hosted organization without requiring you to re-upload you license.
To manually add or remove seats to your organization:
Log in to the Bitwarden web app and open the Admin Console using the product switcher:
Product switcher Navigate to Billing → Subscription.
In the Subscription seats input, add or remove seats using the hover-over arrows:
Add or remove seats Select Save.
note
If you increase your Subscription seats above a specified Seat limit, you must also increase the seat limit so that it's equal to or greater than the desired subscription seat count.
Onboard users
To ensure the security of your organization, Bitwarden applies a three-step process for onboarding a new member: invite → accept → confirm. This is designed to facilitate secure sharing between organizations and users by maintaining end-to-end encryption.
note
This page covers the process for manually adding users to organizations. Other methods, however, are available for automatic user and group provisioning:
Teams and Enterprise organizations can use SCIM.
Teams and Enterprise organizations can use Directory Sync.
Enterprise organizations can use JIT.
Invite
tip
For Enterprise organizations, Bitwarden recommends configuring enterprise policies prior to inviting members to ensure compliance on entrance to your organization.
To invite users to your organization:
Log in to the Bitwarden web app and open the Admin Console using the product switcher:
Product switcher Navigate to Members and select Invite User:
Invite member to an organization On the Invite user panel:
Enter the Email address where new users should receive invites. You can add multiple users at a time by comma-separating email addresses.
Select the Member role to be applied to new users. Member role will determine what permissions these users will have at an organizational level.
In the Groups tab, select which groups to add this user to.
In the Collections tab, select collects to give this user access to and what permissions they should have to each collection.
Click Save to invite the designated users to your organization.
note
Invitations expire after five days, at which point the member will need to be re-invited. Re-invite members in bulk by selecting each member and using the Options icons to select Resend invitations:
If you're self-hosting Bitwarden, you can configure the invitation expiration period using an environment variable.
Accept
Invited users will receive an email from Bitwarden inviting them to join the organization. Clicking the link in the email will open the Bitwarden web app, where the user can log in or create an account to accept the invitation:
You must fully log in to the Bitwarden web app to accept the invitation. When you accept an invitation, an administrator will need to confirm access. Once confirmed, you'll be notified that you can access the organization. Additionally, organization members will have their email automatically verified when they accept an invitation.
Confirm
To confirm accepted invitations into your organization:
Log in to the Bitwarden web app and open the Admin Console using the product switcher:
Product switcher Navigate to Members.
Select any
Acceptedusers and use the options menu to Confirm selected:Confirm member to an organization Verify that the fingerprint phrase on your screen matches the one your new member can find in Settings → My account:
Fingerprint phrase
Each fingerprint phrase is unique to its account, and ensures a final layer of oversight in securely adding users. If they match, select Submit.
note
If Never prompt to verify fingerprint phrases has been toggled on, fingerprint phrase verification be reactivated by clearing the browser cache and cookies.
Manage existing members
From the Members page, you can also review and update individual members' accounts, like adding them to groups, collections, or the Secrets Manager. Select the Menu icon for available options per user:
Review 2FA status
The 2FA status of users can be viewed from the Members page. If the user has a Lock icon, two-step login is used on their Bitwarden account:
Download list of members
If you want to view or share a list of all organization members outside of the Admin Console, owners, admins, and custom role users with Manage users permission can export a .csv. This is available to all organizations.
To export your member list, go to Members and select the Download icon:
note
Custom role users with Manage account recovery permission but not Manage users permission can download a .csv that only shows members who are enrolled in account recovery. All other members are excluded from the file.
Included data
The member list export includes the following information about each account:
Column | Description |
|---|---|
The email address of the account | |
Name | The name of the user, from Settings → My account |
Status | Shows where the account is in onboarding (Invited, Accepted, or Confirmed) or if the account is Revoked from the organization |
Role | The user's member role in the organization |
Two-step login | Shows if the user logs in with any two-step login method |
Account recovery | Shows if the user is enrolled in account recovery |
Secrets Manager | Shows if the Secrets Manager is activated for the member |
Groups | Lists all groups that include the member |
tip
Enterprise organizations can review the Member access report to learn which collection(s) members have access to, their level of permission within each assigned collection, and more.
Remove users
The Members page is also where you can withdraw someone from an organization. There are three methods:
Delete organization member accounts
warning
Deleting an account is permanent and cannot be undone or restored. To create a backup of your vault data to store in a safe location, export your vault data.