Learn how to enforce full account control over members with verified organization email addresses using the Control Verified Domain Accounts policy.
The Control Verified Domain Accounts policy allows enterprise organizations to enforce strict separation between organizational and personal email addresses on Pivot accounts. When enabled, your organization gains full control over accounts that use your verified domain emails.
This is an opt-in enterprise feature. It defaults to off and must be explicitly enabled by an organization admin. Your organization must have at least one verified domain before this policy has any effect.
When this policy is enabled:
alice@acme.com) cannot add personal email addresses (e.g. alice@gmail.com) to their Pivot account.
Members with email addresses at domains not verified by your organization are completely unaffected by this policy.
This policy also enables organization admins to update profile details and organization email addresses for eligible managed members.
From the sidebar, click your profile picture, then select Organization admin and choose your organization. Navigate to the Domains and Security tab.
If you haven’t already, add and verify your organization’s domain. The policy only applies to verified domains. See Adding a Domain for instructions.
Under the security settings, enable Control Pivot accounts for all members that have verified organization email addresses. The policy takes effect immediately for new actions.
After this policy is enabled, organization admins can update basic profile details for eligible managed members from the Members tab in Organization admin.
Admins can update:
When an email address is changed, the new email must belong to one of the organization’s verified domains. The new organization email becomes the member’s primary email address.
A member can be edited by an organization admin when:
Pivot does not let organization admins use this flow to take over personal accounts, change unrelated external emails, or manage users whose account cannot be clearly associated with the organization.
Click your profile picture, choose Organization admin, then select the organization.
Select Members from the Organization admin tabs.
Find the member you want to update. If the member is eligible for organization management, open the member actions and choose Edit user.
Edit the member’s first name, last name, or organization email address. Email changes must use a verified domain for the organization.
Click Save. Pivot validates the change before applying it.
If you do not see the edit option for a member, check that you are an admin for the organization, the organization’s domain is verified, this policy is enabled, and the member’s account uses a verified email address for your organization.
Enabling the policy does not affect existing users who already have mixed personal and organizational email addresses on their account. It only prevents new violations going forward. Before enabling this policy, you may want to:
When the policy is disabled, all email restrictions are lifted. Members can freely add personal or organizational email addresses to their accounts, and invitations can be accepted regardless of existing email addresses.
This policy is a prerequisite for using the SCIM integration. SCIM-based member management requires that your organization has full control over member accounts, which this policy enforces.
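Because enabling the policy leaves existing mixed accounts untouched, it helps to know which accounts already combine a verified-domain email with another address. The following is an added example, not Pivot code: the member record layout, the sample data and the exact-match domain comparison are all assumptions.

```python
"""Pre-enablement audit: find accounts mixing verified-domain and other emails.

Added example; the member records below are constructed sample data, and the
record layout (id + list of emails) is an assumption, not a Pivot export format.
"""

def email_domain(address: str) -> str:
    """Return the lower-cased domain after the last '@', or '' if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower().rstrip(".")


def audit_members(members, verified_domains):
    """Classify each member as 'managed', 'mixed', or 'unaffected'.

    Domains are compared by exact match (assumption): a subdomain such as
    mail.acme.com or a lookalike such as acme.com.example does not count.
    """
    verified = {d.lower().rstrip(".") for d in verified_domains}
    report = {"managed": [], "mixed": [], "unaffected": []}
    for member in members:
        domains = [email_domain(e) for e in member["emails"]]
        org = [d for d in domains if d in verified]
        other = [d for d in domains if d not in verified]
        if not org:
            report["unaffected"].append(member["id"])
        elif other:
            report["mixed"].append(member["id"])
        else:
            report["managed"].append(member["id"])
    return report


# Constructed sample data.
VERIFIED = ["acme.com"]
MEMBERS = [
    {"id": "u1", "emails": ["alice@acme.com"]},
    {"id": "u2", "emails": ["bob@ACME.com", "bob@gmail.com"]},
    {"id": "u3", "emails": ["carol@gmail.com"]},
    {"id": "u4", "emails": ["dave@acme.com.example"]},
    {"id": "u5", "emails": ["erin@mail.acme.com", "erin@acme.com"]},
]

if __name__ == "__main__":
    for status, ids in audit_members(MEMBERS, VERIFIED).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Accounts reported as mixed are the ones the policy will not clean up on its own. The lookalike domain in u4 is deliberately treated as unaffected, since suffix or substring matching would misclassify it as an organization address.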