
Claimed Domains

Enterprise customers can claim domain ownership (e.g. mycompany.com) for their organizations. Claiming a domain supports the following features:

  • Claimed member accounts: When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. jdoe@mycompany.com) will also be claimed by your organization. Claimed member accounts are functionally owned by the organization, restricting users from taking some account actions and allowing administrators to delete the account outright instead of only removing them from the organization.

  • Easier SSO for members: When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. jdoe@mycompany.com) will, during SSO, automatically bypass the step that would require them to enter an SSO identifier.

  • Automatically verify member emails: When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. jdoe@mycompany.com) will have their email automatically verified when onboarded.

Domains can be claimed with a valid and unique-to-Bitwarden DNS TXT record.

Claim a domain

In order to claim a domain, Bitwarden must verify that:

  • No other organization has verified the domain.

  • Your organization has ownership of the domain.

Bitwarden will use a DNS TXT record to validate a domain claim. This DNS TXT record must be kept active and available at all times, as Bitwarden will continually check for it.

To claim a domain:

  1. Log in to the Bitwarden web app and open the Admin Console using the product switcher:

    Product switcher
  2. Navigate to Settings → Claimed domains:

    Claiming a domain

  3. On the Claimed domains screen you will see a list of active domains, along with status checks and options. If you have no active domains, select New domain.

    Tip: If you're claiming a domain for the first time, the single organization policy will automatically be activated during the claiming workflow. This policy is required for organizations claiming domains moving forward. However, if you claimed a domain prior to the 2025.1.1 release, you will not be subject to this requirement.

  4. In the pop-up window, enter a Domain name.

    Note: The domain name entry should not include https:// or www.

  5. Copy the DNS TXT record and add it to your domain.

  6. Select Claim domain.
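
A pre-flight check for steps 4 and 5, which can also be scheduled afterwards because the TXT record has to stay published. This is an added example, not Bitwarden tooling: the function names, the token value and the sample `dig` output are constructed for illustration, and live use assumes `dig` is installed.

```shell
#!/bin/sh
# Added example (not Bitwarden code). All names and values are hypothetical.

# Reduce a pasted URL or host name to the bare domain expected in the
# "Domain name" field: no scheme, no path, no port, no leading www.
normalize_domain() {
    printf '%s\n' "$1" \
        | tr 'A-Z' 'a-z' \
        | sed -e 's|^[a-z][a-z0-9+.-]*://||' \
              -e 's|[/?#].*$||' \
              -e 's|:[0-9]*$||' \
              -e 's|^www\.||' \
              -e 's|\.$||'
}

# Read `dig +short TXT <domain>` output on stdin. Succeed only if one record,
# after joining its quoted chunks, equals $1 exactly. An exact, case-sensitive
# match avoids a false positive when the value is embedded in another record.
txt_record_present() {
    [ -n "$1" ] || return 2
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | grep -Fxq -- "$1"
}

# Constructed sample of `dig +short TXT mycompany.com` output: an SPF record,
# the claim value split into two chunks, and a look-alike record.
sample_dig_output() {
    cat <<'EOF'
"v=spf1 include:_spf.example.net ~all"
"example-claim-" "token-0000"
"other-example-claim-token-0000-suffix"
EOF
}

# Placeholder: paste the value copied from the Admin Console in step 5.
EXPECTED='example-claim-token-0000'

# Offline demonstration against the constructed sample. For a live check:
#   dig +short TXT "$(normalize_domain "$INPUT")" | txt_record_present "$EXPECTED"
if sample_dig_output | txt_record_present "$EXPECTED"; then
    echo "TXT record published for $(normalize_domain 'https://www.MyCompany.com/')"
else
    echo "TXT record missing: do not remove or edit it during DNS cleanup"
fi
```

Running the live form from cron or a monitoring job and alerting on a non-zero exit status catches a record dropped during DNS changes.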

Manage your domains

You can manage and view the status of your domains from the Claimed domains page.

Verified domain

Select the domain name, or the menu located on the right side of the domain item, if you wish to edit or delete a domain.

The menu provides additional options to Copy DNS TXT records and to manually verify the domain if automatic verification was not successful during the new domain setup.

Domains will have a status of UNVERIFIED or VERIFIED.

Warning: Bitwarden will attempt to verify the domain 3 times during the first 72 hours. If the domain has not been verified within 7 days after the 3rd attempt, the domain will be removed from your organization.

Domain setup activities will be logged in the organization event logs. To view events, navigate to Reporting → Event logs in the Admin Console.

Once your domain is claimed

Once your domain is claimed and verified, your organization will gain access to the following:

Claimed member accounts

When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. jdoe@mycompany.com) will also be claimed by your organization. Claimed member accounts are functionally owned by the organization, resulting in a few key changes to the way the account works:

Org-managed account deletion

Claimed member accounts can be deleted outright by organization administrators, rather than only removed from the organization. Owners and admins can delete a claimed account from the Admin Console's Members page using the menu:

Delete claimed accounts

Members of your organization that do not have claimed accounts can be Removed from the organization instead.

Note: Directory Connector and SCIM do not have the ability to delete claimed accounts. This action can only be taken by admins and owners from the web app Admin Console.

Restricted access to account actions

Users with claimed member accounts will be restricted from:

  • Modifying their account email address.

  • Leaving the organization.

  • Purging their vault.

  • Deleting their account.

Easier SSO for members

When you claim a domain, any organization member accounts that have email addresses with a matching domain (e.g. jdoe@mycompany.com) will, during SSO, automatically bypass the step that would require them to enter an SSO identifier.

© 2024 Bitwarden, Inc.