Braze User Management Guide

• Model type: hybrid
• Description: Braze uses a hybrid model combining predefined Administrator access with custom permission sets that can be assembled from granular individual permissions and assigned per workspace. Named 'Roles' (reusable permission set templates) are available and can be assigned to multiple users. Permissions are workspace-scoped, meaning a single dashboard user can have different permissions in different workspaces.
• Custom roles: Yes
• Custom roles plan: Available on all plans; Roles (reusable named permission templates) are a standard feature.
• Granularity: Individual permission toggles per workspace, covering campaigns, canvases, segments, cards, media library, user data export/import, PII access, email settings, subscription groups, tags, billing, dev console, external integrations, app management, and dashboard user management.

1. Log in to the Braze dashboard as an Administrator.
2. Navigate to Settings > Company Settings > Manage Users.
3. Click 'Invite User'.
4. Enter the new user's email address.
5. Select the user's permission level: Administrator or assign a custom permission set per workspace.
6. Click 'Send Invitation'.
7. The invited user receives an email and must accept the invitation to activate their account.

Required fields: Email address, Permission level or workspace-specific permission set

Watch out for:

• Only Administrators can invite new users.
• Invited users must accept the email invitation before they can log in.
• If SAML SSO is enforced, users must authenticate via the configured IdP; password-based login may be disabled.
• Workspace-level permissions must be configured individually per workspace for limited users.
• SCIM provisioning (via IdP) requires SAML SSO to be configured and is available on Pro/Enterprise plans.

• Can delete users: Yes
• Delete/deactivate behavior: Braze allows Administrators to delete dashboard users from the Manage Users page. Deletion removes the user's access immediately. SCIM DELETE endpoint is also available for IdP-driven deprovisioning. There is no documented 'deactivate/suspend' state distinct from deletion for dashboard users; removal is permanent.

1. Log in to the Braze dashboard as an Administrator.
2. Navigate to Settings > Company Settings > Manage Users.
3. Locate the user to be removed.
4. Click the delete (trash) icon next to the user's name.
5. Confirm the deletion in the prompt.
6. Alternatively, use the SCIM DELETE /scim/v2/Users/{id} API endpoint to deprovision via IdP.

Watch out for:

• Deletion is immediate and irreversible through the UI; there is no soft-delete or suspension state.
• If SSO is enforced, revoking access in the IdP alone may not immediately remove dashboard access unless SCIM deprovisioning is configured.
• API keys created by the deleted user are not automatically invalidated.
• SCIM-based deprovisioning requires Pro/Enterprise plan and active SAML SSO configuration.

• Where to check usage: Settings > Company Settings > Manage Users (lists all current dashboard users); billing and MAU usage visible under Settings > Subscription and Usage or via account manager.
• How to identify unused seats: No built-in 'last login' report is prominently documented in official docs for identifying inactive dashboard users. Administrators can review the user list manually. SCIM API GET /scim/v2/Users can be used to enumerate all provisioned users programmatically.
• Billing notes: Braze billing is based on Monthly Active Users (end-users/customers) processed through the platform, not on the number of dashboard (internal) users. Adding or removing dashboard users does not directly change the subscription cost. Contract terms and MAU overages are managed through the account team.

Braze billing is based on Monthly Active Users of your end-user base, not on the number of internal dashboard users. Adding or removing dashboard users does not directly affect subscription cost.

That said, the operational cost is real: workspace-level permissions must be configured per workspace for every limited user, and there is no built-in last-login report to surface inactive accounts, so identifying stale access requires manual review of the user list.

The most consistent friction point reported by Braze administrators is workspace-level permission sprawl - a single user can hold different permission sets across multiple workspaces, and each must be managed individually.

Teams also flag the absence of any native user activity or last-login reporting, making access hygiene difficult to maintain at scale. SAML JIT provisioning has documented constraints depending on IdP configuration, and smaller customers on plans below Pro cannot access automated provisioning at all.

Common complaints:

• Pro/Enterprise plan required for SCIM provisioning and SAML SSO, locking smaller customers out of automated user lifecycle management.
• SAML JIT (Just-in-Time) provisioning limitations; IdP-initiated flows have constraints depending on configuration.
• No built-in last-login or user activity reporting for dashboard users, making it difficult to identify and clean up inactive accounts.
• Workspace-level permission management is manual and time-consuming when managing many workspaces and users.
• No native CSV bulk import for dashboard users; bulk provisioning requires SCIM API setup.

Manual management is viable for small, stable teams with few workspaces. It breaks down quickly when you need consistent access control across every app in your stack, because there is no bulk tooling, no activity visibility, and no way to enforce deprovisioning automatically without SCIM.

If your team manages more than a handful of Braze workspaces or needs audit-ready offboarding, the manual path introduces meaningful compliance risk - deletion is immediate and irreversible, and revoking IdP access alone does not remove dashboard access unless SCIM deprovisioning is active.

Bottom line

Braze's manual user management is straightforward for small teams but does not scale. The permission model is genuinely granular - individual toggles per workspace, reusable role templates, and a clear Administrator vs.

limited-user split - but every configuration step is manual, there is no last-login visibility, and offboarding without SCIM leaves a gap between IdP revocation and actual dashboard access removal.

Teams that need consistent, auditable user lifecycle management across every app will find the manual path insufficient without investing in SCIM on a Pro or Enterprise plan.