Enterprise: Prevent users from signing up with personal accounts using email domain associated with organization

We have an enterprise account where users are provisioned from Azure AD using SCIM. This works as intended, however we do see that some users are not following the instructions correctly from the invitation emails, and end up with personal (free) accounts associated with their corporate domain email address. As admins we have no way of telling when users have created personal accounts, other than the indicator that they are still listed with the ‘invited’ tag in the portal. If we re-send the invite, they are able to join the organization, so at least that part’s working.

Since the invitation emails go out automatically when users are provisioned, and we cannot customize them in any way, it would be great if there were an option to lock down the (verified) domain name(s) associated with an enterprise account, so that users attempting to register would not be able to create personal accounts with their work email and would instead be set up automatically within the organization (since the user is already provisioned with that email address, it should be possible to match up the accounts?). We have the ‘single organization’ policy enabled, but this doesn’t apply to the sign-up process; it only prevents users from joining other orgs once they’ve joined ours.


Thanks, the team is working towards a solution on this one!


Awesome, thanks!

Hello, is there anything concrete on the roadmap to get this control as an org admin added as a feature?


Can the team respond to this one? Is it possible to restrict users to a specific domain?

Hi all - this will be part of account management and deprovisioning outlined on the roadmap. The way it will be designed is that organizations will verify their domain and then all users created with that domain will automatically be owned by the organization. More to come once that work gets started!


Hello Gina,

Sorry to be a bother, we were just wondering if this is still in the process of being put on the roadmap? We’re not sure that we can see it on the current roadmap, but maybe it’s still in the works?

Thanks!

(Update: a Bitwarden team member confirmed to me that it’s still in the works.)

Update: As of the most recent update, Bitwarden has made it so that organizations with verified domains can prevent users with email addresses containing that verified domain from leaving the organization.

Thanks to the Bitwarden team for pushing this out.

Yes, but as I understood it, this is not preventing someone from creating a personal account with an email on a claimed domain.

Which is what this FR is asking for.

“ackshually…” it seems like they thought of that with claimed domains. As per the first paragraph of Claimed Accounts | Bitwarden, it seems like any account created with a domain name that’s been claimed will be added to the organization automatically, regardless of when it is created.

This could potentially cause a really serious problem though: If a past employee that used their work address to register a personal account is suddenly added to the org long after they quit the company, they will lose access to their account if the org enforces SSO and the user no longer has a valid login.

Also it could cause some issues with SCIM provisioning erroring for any claimed user if the target API doesn’t properly handle it (if a claimed user doesn’t exist in Entra, will it be automatically revoked by SCIM after it’s claimed and added to the org?)

IMO, claiming existing users should be a manual process, and any automatic inclusion of accounts should only apply to new accounts that are created with a domain after the domain has been claimed.

Additionally, is an event log entry added and/or is there any visual indicator in the member list for when an account is claimed, so we as organization admins can discern accounts that have recently/historically been claimed?
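The two failure modes raised in the post above (a provisioned user who never completes the invite and likely holds a personal account, and an account swept into the org by a domain claim that has no matching directory record and would be revoked or locked out under enforced SSO) can be surfaced by reconciling the identity provider's user list against the organization member list. The following is an added example, not code from Bitwarden or from anyone in this thread; the member statuses, the input lists and the email addresses are constructed assumptions for illustration, not real API output.

```python
"""Reconcile an IdP (e.g. Entra ID via SCIM) user list against an organization
member list and flag the edge cases discussed in the thread.

Assumptions (not from the original page):
  - member status is one of "invited", "accepted", "confirmed", "revoked"
  - both lists are already exported as plain email strings / Member records
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    email: str
    status: str  # assumed vocabulary: invited / accepted / confirmed / revoked


def normalize(email: str) -> str:
    """Case-fold and trim so that comparisons are not fooled by capitalisation."""
    return email.strip().lower()


def domain_of(email: str) -> str:
    """Return the part after the last '@' (emails with no '@' are treated as invalid)."""
    local, sep, domain = normalize(email).rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain


def reconcile(claimed_domains, idp_emails, org_members):
    """Classify org members into the categories an admin would want to review.

    stuck_invites:     provisioned in the IdP but still 'invited' in the org,
                       i.e. the user probably registered a personal account
                       with the work address instead of accepting the invite.
    orphaned_claimed:  active in the org on a claimed domain but absent from
                       the IdP, i.e. a pre-existing (possibly ex-employee)
                       account pulled in by the domain claim; SCIM would
                       typically revoke it and SSO enforcement would lock it out.
    outside_claimed:   active members whose domain is not claimed at all
                       (guests, contractors), listed so nothing is silently skipped.
    """
    claimed = {d.strip().lower() for d in claimed_domains}
    idp = {normalize(e) for e in idp_emails}
    report = {"stuck_invites": [], "orphaned_claimed": [], "outside_claimed": []}

    for m in org_members:
        email = normalize(m.email)
        if m.status == "revoked":
            continue  # already handled by SCIM deprovisioning; nothing to review
        if domain_of(email) not in claimed:
            report["outside_claimed"].append(email)
        elif m.status == "invited" and email in idp:
            report["stuck_invites"].append(email)
        elif m.status != "invited" and email not in idp:
            report["orphaned_claimed"].append(email)

    for key in report:
        report[key].sort()
    return report


# Constructed sample data (assumed, not real): two claimed domains, three IdP
# users and five org members covering each branch above.
CLAIMED_DOMAINS = ["example.com", "corp.example"]
IDP_EMAILS = ["alice@example.com", "Bob@Example.com", "carol@corp.example"]
ORG_MEMBERS = [
    Member("alice@example.com", "confirmed"),   # healthy: provisioned and joined
    Member("bob@example.com", "invited"),       # stuck: in IdP, never accepted
    Member("dave@example.com", "accepted"),     # orphaned: claimed domain, not in IdP
    Member("erin@partner.test", "confirmed"),   # outside claimed domains
    Member("frank@corp.example", "revoked"),    # already revoked; ignored
]


def sample_report():
    return reconcile(CLAIMED_DOMAINS, IDP_EMAILS, ORG_MEMBERS)


if __name__ == "__main__":
    for category, emails in sample_report().items():
        print(f"{category}: {emails}")
```

Because the report keys off email and status alone, it does not need any event-log support; a scheduled run that diffs successive reports would also show when an account newly appears in orphaned_claimed, which approximates the "recently claimed" visibility asked about above.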

I don’t understand it that way.