Stitchflow

Box User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 4, 2026

Summary and recommendation

Box user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.

Box is an enterprise cloud content platform with a role-based access model operating on two distinct layers: account-level roles (Admin, Co-Admin, Managed User, External User) and per-item collaboration roles (Owner through Uploader) applied at the folder or file level. User management lives at Admin Console > Users & Groups > Users.

SSO via SAML is supported on Business and above; provisioning through Okta or Microsoft Entra ID is available but relies on IdP-specific connectors, not a generic SCIM endpoint.

Quick facts

Admin console path: Admin Console > Users & Groups > Users
Admin console URL: Official docs
SCIM available: Yes
SCIM tier required: Business or Enterprise
SSO prerequisite: Yes

User types and roles

Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for
Admin | Full administrative access: manage all users, groups, content, security settings, reports, and billing. Can assign Co-Admin roles and configure SSO/IdP settings. | Cannot be managed by Co-Admins. Only one primary Admin per account. | All paid plans | Counts as a licensed seat | Transferring Admin ownership requires contacting Box Support or using the Admin Console transfer flow; it is not self-service in all cases.
Co-Admin | Subset of Admin permissions as granted by the Admin. Can manage users, groups, and content depending on permissions assigned. | Cannot access billing by default. Cannot manage other Co-Admins or the primary Admin. Cannot exceed permissions granted by the Admin. | Business and above | Counts as a licensed seat | Co-Admin permission granularity is limited to predefined permission categories; fully custom role definitions are not available.
Managed User | Standard end-user access to upload, download, share, and collaborate on content within the enterprise account. Subject to admin-enforced policies. | Cannot access Admin Console. Cannot change account-level security settings. | All paid plans | Counts as a licensed seat | Managed Users must have a unique email address. Email domain does not need to match the enterprise domain but is recommended for SSO enforcement.
External User (Collaborator) | Can collaborate on specific folders or files shared with them. Access is limited to what has been explicitly shared. | Cannot access the enterprise Admin Console. Cannot see other enterprise content. Not provisioned as a Managed User. | No seat required on the inviting account; external user must have a Box account (free or paid). | Does not consume a licensed seat on the inviting enterprise account | Admins can restrict external collaboration by domain whitelist/blacklist. External users are not subject to the enterprise's DLP or security policies.
App User | Programmatically created user tied to a Box application (JWT or OAuth 2.0 app). Used for platform/API-driven workflows. Has its own storage quota. | Cannot log in to the Box web app UI. Cannot be converted to a Managed User without API operations. | Enterprise or Enterprise Plus (requires Box Platform access) | Pricing depends on Box Platform agreement; not a standard named-user seat | App Users are invisible in the Admin Console Users list by default; they must be queried via API.
Service Account | Automatically created when a JWT application is authorized. Acts as the application's identity for API calls. Can be granted Admin-level API scopes. | Cannot log in to the Box web UI. Not a human user account. | Enterprise or Enterprise Plus | Does not consume a standard named-user seat | Service Account email is auto-generated and cannot be changed. Revoking the JWT app authorization immediately disables the Service Account.

Permission model

  • Model type: role-based
  • Description: Box uses a role-based model with fixed system roles (Admin, Co-Admin, Managed User, External User) at the account level, and a separate folder/item-level collaboration permission model (Owner, Co-Owner, Editor, Viewer Uploader, Previewer Uploader, Viewer, Previewer, Uploader) applied per content item. Co-Admin permissions are configured from a predefined set of administrative permission categories rather than fully custom roles.
  • Custom roles: No
  • Custom roles plan: Not documented
  • Granularity: Account-level: 4 fixed roles (Admin, Co-Admin, Managed User, External User). Content-level: 8 collaboration roles per folder/file. Co-Admin permissions are toggled from ~10 predefined administrative permission categories.

How to add users

  1. Log in to Box as Admin or Co-Admin with user management permissions.
  2. Navigate to Admin Console (https://app.box.com/master/users).
  3. Click 'Users & Groups' in the left sidebar, then select 'Users'.
  4. Click the '+ Add User' button in the top-right corner.
  5. Enter the user's name and email address.
  6. Optionally set storage quota, user role (Managed User or Admin/Co-Admin), and group memberships.
  7. Click 'Add User' to send an activation email to the new user.

Required fields: Full name, Email address

Watch out for:

  • The email address must be unique across all Box accounts globally, not just within the enterprise.
  • If SSO is enforced, the user's email must match the IdP identity; mismatches prevent login.
  • New users receive an activation email; if they already have a personal Box account with that email, they must convert or merge it before joining the enterprise.
  • Storage quota defaults to the account-level default unless overridden per user.
  • Co-Admin creation requires the creating Admin to explicitly assign permission categories after account creation.

Bulk option | Availability | Notes
CSV import | Yes | Admin Console > Users & Groups > Users > Import Users (CSV upload)
Domain whitelisting | Yes | Automatic domain-based user add
IdP provisioning | Yes | Business or Enterprise (requires SSO; supported via Okta, Microsoft Entra ID, OneLogin, and other SAML 2.0 IdPs)

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: Box supports both deactivation and permanent deletion. Deactivating a user suspends their access while preserving their account, content, and audit logs. Deleting a user permanently removes the account; content must be transferred or deleted before or during the deletion process. Deletion is irreversible.

To deactivate a user:

  1. Navigate to Admin Console > Users & Groups > Users.
  2. Click on the user's name to open their profile.
  3. Click the gear/settings icon or 'Edit User'.
  4. Select 'Deactivate User' from the options.
  5. Confirm the deactivation. The user is immediately logged out and cannot log back in.

Data impact | Behavior
Owned records | Content owned by the user remains in their account when deactivated. On deletion, the Admin is prompted to transfer owned content to another user or delete it permanently. If not transferred, owned content is deleted.
Shared content | Collaborations on shared folders remain intact when the user is deactivated; collaborators retain access. On deletion, the user is removed from all collaborations.
Integrations | Third-party app authorizations (OAuth tokens) tied to the user are revoked upon deactivation or deletion. Box Drive and Box Sync sessions are terminated.
License freed | Deactivation does not free the licensed seat; the seat remains consumed. Deletion frees the seat and makes it available for reassignment.

Watch out for:

  • Deactivated users still count against the license seat total; to reclaim the seat the account must be deleted.
  • Content transfer must be initiated before or during deletion; there is no post-deletion recovery.
  • If the user owns a folder that is the root of a collaboration, deleting without transferring will remove collaborator access to that folder.
  • Box does not provide a native 'offboarding workflow'; admins must manually handle content transfer, group removal, and external collaboration cleanup.
  • Deleted user accounts cannot be restored; Box Support cannot recover a deleted account.

License and seat management

Seat type | Includes | Cost
Business Starter | Up to 10 users, 100 GB storage, basic collaboration, limited integrations | $5/user/month (billed annually)
Business | Unlimited users, unlimited storage, full collaboration, SSO, user provisioning via IdP | $15/user/month (billed annually)
Business Plus | Everything in Business plus advanced workflow (Box Relay), enhanced security, custom branding | $25/user/month (billed annually)
Enterprise | Everything in Business Plus plus Box Governance, advanced admin controls, Box Platform API access, SAML SSO, IdP provisioning | $35/user/month (billed annually)
Enterprise Plus | Everything in Enterprise plus Box AI, Box Sign unlimited, enhanced compliance features | $50/user/month (billed annually)

  • Where to check usage: Admin Console > Account & Billing > Account Info (shows total licensed seats vs. active users); also visible at Admin Console > Users & Groups > Users (user count displayed)
  • How to identify unused seats: Admin Console > Reports > User Activity report can be run to identify users with no login activity within a specified date range. Admins can also export the full user list to CSV and filter by 'Last Login' date.
  • Billing notes: Seats are billed annually by default. Adding users mid-cycle results in prorated charges for the remainder of the billing period. Deactivated users still consume a seat; only deleted users free the seat. Enterprise discounts of 15–56% are available via direct sales negotiation. Box does not auto-downgrade seats; unused seats must be manually removed at renewal.
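
Added example, not part of the original guide and not Box tooling: a Python script for the export-and-filter review described above, run over a Users CSV export. The column names (Name, Email, Status, Last Login), the ISO date format, the status values, the enterprise domain and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Column names and the date format are assumptions;
# adjust them to match the header row of your actual Users CSV.
SAMPLE_CSV = """Name,Email,Status,Last Login
Ana Ruiz,ana@example.com,active,2026-02-27
Ben Cole,ben@example.com,inactive,2025-06-11
Cy Dunn,cy@example.com,active,2025-09-30
Di Evans,di@contractor.example,active,2026-03-01
Ed Fox,ed@example.com,active,
"""


def audit_users(csv_text, today, stale_days=90, enterprise_domains=("example.com",)):
    """Return {finding: [emails]} for a Users CSV export."""
    findings = {"deactivated_seat_held": [], "stale_active": [], "off_domain": []}
    cutoff = today - timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["Email"].strip().lower()
        status = row["Status"].strip().lower()
        last_login = row["Last Login"].strip()

        # Deactivated accounts keep their seat until they are deleted.
        if status == "inactive":
            findings["deactivated_seat_held"].append(email)
        # Active accounts with no recorded login, or none since the cutoff.
        elif not last_login or date.fromisoformat(last_login) < cutoff:
            findings["stale_active"].append(email)

        # Enterprise-domain emails are recommended for SSO enforcement;
        # list the accounts that fall outside those domains.
        if email.rsplit("@", 1)[-1] not in enterprise_domains:
            findings["off_domain"].append(email)
    return findings


if __name__ == "__main__":
    for finding, emails in audit_users(SAMPLE_CSV, date(2026, 3, 4)).items():
        print(f"{finding}: {', '.join(emails) or '-'}")
```

Accounts listed under deactivated_seat_held still need their owned content transferred before deletion, since deletion is irreversible.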

The cost of manual management

Every app has a deactivation-versus-deletion gap, but Box makes it operationally expensive: deactivated users continue consuming a licensed seat until a separate deletion step is completed.

Deletion is irreversible and requires content to be transferred first - Box provides no native offboarding workflow, so admins must manually handle content transfer, group removal, and external collaboration cleanup for every departing user. External collaborator auditing has no bulk tooling, making large-scale access reviews a manual, export-and-filter exercise against the Users CSV.

What IT admins are saying

The most consistent friction reported by Box admins centers on provisioning architecture and offboarding gaps.

Box's user provisioning API does not conform to the SCIM 2.0 standard - the userName field is not required and schema deviations exist - which breaks assumptions made by generic identity automation tooling.

Admins relying on Okta or Microsoft Entra ID for provisioning are locked into those IdP-specific connectors rather than a portable SCIM endpoint.

The deactivated-user-still-billed behavior is a recurring source of unexpected license costs, and the absence of a structured offboarding flow means every Box offboarding is a multi-step manual process with no guardrails against content loss.

Common complaints:

  • Not SCIM-compliant despite being enterprise file storage; Box's user provisioning API does not follow the SCIM 2.0 standard (e.g., userName field not required, schema deviations).
  • Confusing provisioning story: Box has IdP-based provisioning via Okta and Microsoft Entra ID but this is not native SCIM; it relies on IdP-specific connectors.
  • Must use IdP-specific integrations (Okta app, Entra ID enterprise app) rather than a generic SCIM endpoint, creating vendor lock-in for provisioning.
  • Deactivated users continue to consume licensed seats, requiring a separate deletion step to reclaim licenses - a common source of unexpected billing.
  • No built-in offboarding workflow; content transfer, group removal, and collaboration cleanup must be done manually or scripted via API.
  • External collaborator management is difficult at scale; there is no bulk tool to audit or remove all external collaborators across the enterprise.
  • Co-Admin permission model is not granular enough for some organizations; permissions are toggled from a fixed category list rather than being fully customizable.
  • Users with existing personal Box accounts on the same email must go through a conversion process before joining an enterprise, causing friction during onboarding.

The decision

Manual Box management is viable for teams under ~50 users with a stable roster and an existing Okta or Entra ID deployment handling provisioning. Beyond that scale, the absence of native SCIM compliance, the lack of an offboarding workflow, and the seat-billing behavior on deactivated accounts create compounding operational overhead.

Teams that need to enforce consistent access reviews across every app in their stack, or that use an IdP other than Okta or Entra ID, will find Box's provisioning story particularly limiting. The two-layer permission model (account roles plus per-item collaboration roles) also means access audits require checking both layers independently.

Bottom line

Box delivers robust enterprise content management but its identity lifecycle story has meaningful gaps: provisioning depends on IdP-specific connectors rather than standard SCIM, there is no native offboarding workflow, and deactivated users continue to consume licensed seats until manually deleted.

For organizations managing access across every app in their environment, these gaps translate directly into audit risk and unrecovered license spend.

Teams with Okta or Entra ID already in place will get the most out of Box's provisioning capabilities; everyone else should plan for scripted or manual workarounds to cover the gaps.


* Details sourced from official product documentation and admin references.
