Revoked User Device Deauthorization

We’d like Bitwarden Enterprise to support automatically de-authorizing all devices for users placed in the Revoked state via SCIM.

Scenario:
Our organization uses SCIM, SSO (required), and master passwords (no trusted devices). When SCIM revokes a user, they lose SSO and org vault access. But if they’ve previously logged into a device, they can bypass email MFA (since no email access) and log in using that device. From there, they could change their email address and block us from deleting the account via Claimed Domains, creating risk if sensitive data is in their personal vault.

Today, our only options are manual master password resets via account recovery or manual deletions—both of which break automation and defeat the purpose of SCIM deprovisioning. The ability to reuse prior devices while revoked makes the Revoked status misleading.

This gap was mentioned in this community request, but not addressed even with the new Claimed Domains feature allowing for account deletion.

Ideal Solution:
When a user is revoked (via SCIM or otherwise), Bitwarden should automatically de-authorize all prior device logins to properly secure the account and enable clean automation.

Removing personal vaults could solve this, but managing individual org collections is too burdensome for small teams, and individual vaults allow users to store personal business-related items in Bitwarden while not having to fear an Admin or Owner can read them (zero-knowledge).

Bitwarden documentation notes that SCIM cannot delete accounts, which seems like a missed opportunity for when an account is deleted from the Identity provider (it would be great to see the Bitwarden account also get deleted instead of simply removed from the org), but at least deauthorization of past device logins would force users to MFA somehow on next login.

Revoking users should not put an account in a more vulnerable state by suddenly removing SSO for authorization and allowing existing devices to log in without MFA.