Have the ability to disable the ability for users to create their own accounts under a domain

brianmandeville

It would be optimal for domain managers/admins to have the ability to disable users from being able to create their own accounts under that managed domain.

Ted Harris

@brianmandeville - you can easily enable SAML and link a SAML provider to manage who has and doesn't have access to create an account in Expensify with an email on your domain.

brianmandeville

yes, but the problem is users can still create their own accounts under that managed domain.

Stevie LaFortune

Welcome to the Community @brianmandeville! Great news - that is an option!

Domain Groups can be accessed if you have claimed and verified your domain. Groups are used to set rules or permissions for groups of users.

You can read more about the group settings in the attached Community post.

Deep Dive: Domain Groups and permissions — what are they all about?

brianmandeville

not what I am referring to, i am talking about user creation. I know with Groups I can restrict them from switching away.

The expensify login page still allows users to create their accounts under domains being managed and required with SAML.

Ted Harris

Ah, good point of clarification @brianmandeville you're right. Of course, they can't login to use that account at all though if you have SAML required.

What extra control does preventing this step of creating the account give you that having SAML enabled doesn't? Is it just that you don't like to see them in the list?

brianmandeville

When they create the account, they are logged in for that first time. And they can create Expense reports. Since we use Advanced Routing, setup routing for each individual user. Users think their report is pending, but in reality their account is not setup properly

Also, they will never be able to login again for a second time once logged out. Hence giving the ability to create accounts on SAML required domain is pretty pointless :)

Ted Harris

When they create the account, they are logged in for that first time

Hmm, this isn't quite correct if you have SAML enabled. When they click the validation link they're shown this:

After going "back" they then choose to login, when they're then redirected to their SAML provider. At that point, as long as they've not been allowed access to this app within the SAML provider, they will error upon login.

brianmandeville

That's not what I have been seeing on my instance. Users are getting in and creating expense reports.

Ted Harris

If that's the case, I think we'll need to dig in and figure out why! Could you message Concierge and reference this thread? It's likely we'll need you to test out a new user and show us this happening. FWIW, I just tested with our test accounts and there's no way I can get in when SAML is required.

brianmandeville

Possible there is a mobile app loophole?

Ted Harris

@brianmandeville that's a good question! I'll try to test that too shortly.

Ted Harris

@brianmandeville - you were right! Great spot - we're working on this now.

KSakamoto

Yes, we have same issue. People able to add themselves to our domain without our approval. Problem is if they aren't on one of our policies and they submit a report, it goes nowhere. So is there a way to block folks from adding themselves to our domain without an invite? Or is this a bug that is being worked on? Daily we have random folks in our very large organization adding themselves. It is quite painful to respond to each of them and let them know it is by invite only and they cant actually submit anything that way.

Rachael Hopkins

Hi @KSakamoto no it's not a bug, it's intentional. 🙂 You can create a Domain Group and set it as the default, and potentially add a default policy. That way you can periodically check that group/policy for people to add to your Policies, and your users can get a head-start on uploading their expenses.

KSakamoto

No. we don't want people to be able to join our domain without our permission. when that happens, and they aren't on a policy (and they wouldn't be because they don't have our permission), they will submit a report and it literally goes nowhere, only they don't know it. It looks to them like they have submitted a report, but no one in our organization actually gets the reports. It is not good. We pay for the licenses and we invite only certain level employees to use the software. It is not good.

Victoria O'leary

Hi @KSakamoto

That's no problem at all, if you want to manage who has and doesn't have access to create an account in Expensify with an email on your domain, all you need to do is enable SAML and link a SAML provider. As mentioned above, there is a small issue with this solution within the mobile app at the moment, but our engineering team are working on this and we'll post an update to this thread as soon as we have one.

Cheers!

Rachael Hopkins

Hi again @KSakamoto, I just want to explore this a little more as I'm having trouble wrapping my head around your use-case here. Are you saying you have users who will never be reimbursed by your company, who are currently submitting reports to no one?

Just to note: You only pay for users active on your Group Policies, so if users have accounts that are only used personally, you are not charged for these.

Is the concern here that employees who are not eligible for reimbursement may think they can be reimbursed? Even if they will never actually be reimbursed?

KSakamoto

YES! Exactly. These are employees who unknowingly go through the wrong channel for reimbursement. They end up very unhappy because they think they have submitted something to us and are waiting for reimbursement, only to reach out a month or two later inquiring about it, and we say, "oh, your report never reached us, because you aren't on our policy" and please submit via other method X. I can see their confusion as there is a "submit" button, but it simply goes nowhere, (or at least it never reaches us), and rightly so. If they weren't able to be add themselves to our domain without our permission this would never happen. We never used to have this problem, so it seems like something changed, but I don't have any proof other than anectodal. If you read the entire thread above, it seems like the past Expensify person was able to recreate the issue and said they were working on it.

KSakamoto

Thank you for your comment on SAML. I have no idea what that is, and how it works, I'll have to look into that.

Alejandro Paz

Thanks for the context @KSakamoto !

It still sounds like you would benefit from a combination of policy restrictions for your Domain Groups and SAML. If the documentation that was shared earlier is a bit confusing, I recommend reaching out via Concierge directly within the app and we can help get you set up!

alopez

I am also experiencing something similar as well. Our employees should be coming from Netsuite. We have that integration configured correctly but as soon as we added SAML only login via Okta now all users in that domain are invited to create an account even though they have not been added in the People section via the Netsuite integration.

This is causing the employees who were assigned the Okta app to have access to our policies even though they have not been "approved" by having a profile created for them in the People section. Is there a way to stop Okta/SAML integration from inviting users to our policy?