Brex User Management Guide

• Model type: role-based
• Description: Brex uses a predefined role-based access control model with fixed roles (Admin, Bookkeeper, Employee/Cardholder, Manager). Admins can configure spending limits, approval chains, and expense policies per user or team, but the underlying role set is not fully customizable. Premium and Enterprise plans unlock additional policy controls and manager-level delegation.
• Custom roles: No
• Custom roles plan: Not documented
• Granularity: Role-level permissions are fixed. Spending limits, card controls, and approval workflows can be configured per user or team by Admins, providing operational granularity within fixed roles.

1. Log in to the Brex dashboard at dashboard.brex.com.
2. Navigate to Team in the left-hand navigation menu.
3. Click Invite people (or Invite members).
4. Enter the invitee's work email address.
5. Select the appropriate role (Admin, Bookkeeper, Employee).
6. Configure card issuance and spending limit if applicable.
7. Click Send invite. The invitee receives an email to complete account setup.

Required fields: Work email address, Role selection

Watch out for:

• Invitees must use the email address the invitation was sent to; changing email after invite requires Admin intervention.
• If SSO is enforced, the invitee must authenticate via the configured IdP before accessing the dashboard.
• Card issuance is not automatic for all roles; Admins must explicitly enable a card for new employees if desired.
• Pending invitations count toward active user seats on Premium/Enterprise billing.

• Can delete users: No
• Delete/deactivate behavior: Brex does not permanently delete user accounts. Admins can deactivate (terminate) a user, which disables their access and cancels their corporate card(s). Historical transaction data and records associated with the user are retained for audit and accounting purposes.

1. Log in to the Brex dashboard at dashboard.brex.com.
2. Navigate to Team in the left-hand navigation menu.
3. Locate the user to be deactivated.
4. Click on the user's name to open their profile.
5. Select Terminate employee (or Deactivate user).
6. Confirm the action. The user's card(s) are immediately cancelled and dashboard access is revoked.

Watch out for:

• Deactivating the last Admin on the account is not permitted; at least one Admin must remain active.
• Card cancellation upon deactivation is immediate and irreversible; any pending transactions may still post.
• If SSO/SCIM is in use, deactivation should be performed in the IdP to ensure consistent deprovisioning; deactivating only in Brex may leave the IdP account active.
• Outstanding reimbursements or expense reports tied to the deactivated user should be resolved before deactivation to avoid workflow disruption.

• Where to check usage: Dashboard > Team - shows list of active, pending, and deactivated users. Billing details available under Settings > Billing.
• How to identify unused seats: Admins can review the Team list for users with no recent card activity or login. Brex does not provide a native 'last login' report in the standard dashboard; unused seat identification requires manual review or API queries via the Brex Team API.
• Billing notes: On Premium, billing is per active user per month. Deactivated users are removed from the billable count. Pending (invited but not yet accepted) users may count as active seats depending on billing cycle. Enterprise pricing is negotiated and may include volume discounts.

Brex specifically, deactivating a user immediately cancels their corporate card - so timing matters. If deactivation happens before a departing employee submits outstanding expenses, those reports stall and require Admin cleanup.

Brex retains no native last-login or activity report in the standard dashboard. Identifying unused seats on Premium requires either manual review of the Team list or API queries against the Brex Team API - neither of which scales well as headcount grows.

Pending invitations may also count toward billable seats depending on billing cycle, making seat hygiene harder to maintain without a deliberate audit process.

The most consistently reported friction point is the SSO-before-SCIM setup dependency. Admins who enable SCIM without first completing SSO configuration report silent provisioning failures that are difficult to diagnose.

This ordering requirement is not prominently surfaced during setup.

Entra ID users report deprovisioning lag - deactivating a user in Entra does not always reflect immediately in the Brex dashboard, creating a window where access may appear active.

Organizations enforcing SSO-only authentication also report confusion when some users still have email/password credentials active, particularly during IdP migrations.

The absence of a native activity or last-login report is a recurring complaint among admins trying to right-size Premium seat counts. The Manager role's approval routing being Premium-only surprises teams that assume basic approval workflows are included in Essentials.

Common complaints:

• Specific setup order required when configuring SSO and SCIM - SSO must be fully configured before enabling SCIM provisioning, or provisioning fails silently.
• Complexity with multiple authentication methods - organizations using both SSO and email/password login report confusion when enforcing SSO-only policies.
• No native 'last login' or user activity report in the dashboard, making it difficult to identify inactive seats without using the API.
• Deactivating a user immediately cancels their card, which can cause issues if the deactivation is done before pending expenses are submitted.
• Manager role and approval workflow features are gated behind Premium, which surprises teams expecting basic approval routing on Essentials.
• SCIM deprovisioning lag reported when using Entra ID - deactivation in Entra does not always reflect immediately in Brex dashboard.

Essentials is viable for small teams that need corporate cards and basic expense tracking without approval workflows or automated provisioning. The free tier is genuinely functional but has a hard ceiling: no SCIM, no manager-level delegation, and no custom expense policies.

When every app in the stack needs consistent joiner/mover/leaver handling, Essentials creates a manual gap specifically around spend controls.

Premium makes sense when the team exceeds the point where manual invite/deactivate cycles create real overhead, or when an IdP (Okta or Entra ID) is already in use and SCIM sync would reduce offboarding risk.

The $12/user/month cost should be weighed against the compliance exposure of delayed deprovisioning on a platform that issues corporate payment cards.

Enterprise is appropriate for organizations needing negotiated volume pricing, advanced controls, or dedicated support. Custom pricing means there is no published benchmark to evaluate against without a direct conversation with Brex.

Bottom line

Brex's manual user management is straightforward for small teams but accumulates operational debt quickly at scale. The fixed role model, absence of last-login reporting, and immediate card cancellation on deactivation all require deliberate process design to avoid compliance gaps and billing inefficiencies.

SCIM provisioning resolves the most acute risks but is locked to Premium and requires a working SSO configuration first - making the upgrade decision less about features and more about whether the offboarding risk on a spend management platform justifies the per-seat cost.