Automatic Confirmation

By default, users invited to join a Bitwarden organization must be confirmed by an administrator once they accept an invitation to join. Confirmation is a crucial step that completes the three-step onboarding process designed to facilitate end-to-end-encrypted sharing of items between organizations and their members.

Enterprise organizations can optionally set up automatic confirmation of users if it is not desired that administrators manually confirm each user joining the organization.

In order to be eligible for automatic confirmation functionality:

• Added by your Bitwarden team: In order to gain access to this automation, Bitwarden support will need to add it to your organization. The first step is to contact us.

• Single organization policy will extend to all roles: The Single organization policy must be on and all members, including owners and admins who are not typically subject to the policy, must be compliant with it.

• No emergency access: To mitigate some risks of using automatic confirmation, emergency access will be removed for all members of your organization. Members using emergency access will receive an email informing them it's been turned off.

• No provisioned provider accounts: A member of a provider may not be an provisioned member of in your organization. A provider can still manage your organization, but its members cannot occupy a seat in your organization.

• Accept potential security risks: Automatic confirmation could pose a security risk to your organization's data. Before using automatic confirmation, make sure you read about the risks outlined in this article and accept them.

Once activated, automatic confirmation is a background process executed by unlocked browser extensions belonging to owners, admins, and custom role members with the Manage users permission. Learn how to activate automatic confirmation in the following sections.

In order to turn on automatic confirmation of new members, you must turn it on both at the organization level and for each Bitwarden client that you want executing the process.

To turn on automatic confirmation for your organization, make sure you've met the eligibility requirements described above. Once you've contacted your Bitwarden team, an activation panel will be issued to organization owners the next time they log in.

Once the functionality is added for your organization by Bitwarden, Automatic confirmation can also be activated via a policy from the Settings → Policies menu in the Admin Console. Either way, select Continue to turn on automatic confirmation for the organization:

Once turned on for the organization, each owner, admin, and custom role member with the Manage users permission will be issued an activation panel in the browser extension inviting them to turn automatic confirmation on for that client.

Administrators that close this dialog can toggle automatic confirmation on or off from the browser extension's Settings → Admin menu. Either way, select Turn on to begin automatic confirmation:

In order for members to be automatically confirmed, at least one owner, admin, or relevant custom role member must turn this on. The automatic confirmation process runs in the background of each unlocked browser extension client that chooses to turn it on.

Before turning on automatic confirmation, make sure you understand the potential risks associated with its use.

Decryption of your organization's data requires that a user goes through a three-step (Invite → Accept → Confirm) onboarding workflow in order to facilitate the secure sharing of encryption keys and maintain an end-to-end encrypted environment. In this workflow, manual confirmation operates as a final protection to ensure that only members who are intended to access organization data can do so; if an unintended person or malicious actor has accepted an invitation, they could be caught and denied at the confirmation step to prevent unwanted access.

Actors with unrestricted access to the database used by your Bitwarden server, whether self-hosted or cloud-hosted, could fabricate an invitation to join your organization and accept it. With automatic confirmation running, there would be no manual intervention that would allow administrators to catch and deny access to such an actor.