Datadog User Management Guide

• Model type: hybrid
• Description: Datadog uses a role-based access control (RBAC) model with three built-in default roles (Admin, Standard, Read Only) available on all plans. Enterprise plans unlock fully custom roles built from a granular permission catalog covering individual product areas (Monitors, Dashboards, Logs, APM, Infrastructure, etc.) and specific actions (read, write, delete). Permissions are assigned to roles; roles are assigned to users. Restriction policies can further limit access to specific resources.
• Custom roles: Yes
• Custom roles plan: Enterprise
• Granularity: Per-product and per-action permissions (e.g., 'Monitors Write', 'Logs Read', 'Dashboards Public Share'). Over 70 individual permissions documented in the permissions reference.

1. Log in as a user with the Datadog Admin Role or User Management permission.
2. Navigate to Organization Settings > Team > Users (https://app.datadoghq.com/organization-settings/users).
3. Click the 'Invite Users' button in the upper-right corner.
4. Enter one or more email addresses in the invitation dialog.
5. Select the role(s) to assign to the invited user(s) from the role dropdown.
6. Click 'Send Invite'. Datadog sends an email invitation to each address.
7. The invited user must click the link in the email and complete account setup before they appear as 'Active'.

Required fields: Email address, Role (defaults to Datadog Standard Role if not specified)

Watch out for:

• Invited users appear in the Users list with 'Pending' status until they accept the invitation and log in.
• Invitation emails can expire; a new invite must be sent if the link is not used in time.
• If SAML SSO is enforced, users must log in via the IdP; password-based login is disabled.
• If SCIM is enabled, user provisioning should be managed through the IdP, not manually, to avoid conflicts.
• Disabling SAML JIT is strongly recommended when SCIM is active to prevent duplicate or conflicting user records.
• There is no native CSV bulk-import for users through the UI; bulk provisioning requires SCIM or the Datadog API.

• Can delete users: Verify in tenant
• Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.

1. Log in as a user with the Datadog Admin Role or User Management permission.
2. Navigate to Organization Settings > Team > Users (https://app.datadoghq.com/organization-settings/users).
3. Locate the user to deactivate using the search or filter.
4. Click the gear/action icon or the user's row to open the user detail or action menu.
5. Select 'Disable' (or 'Deactivate') from the available actions.
6. Confirm the action in the dialog. The user's status changes to 'Disabled' immediately.

Watch out for:

• API keys and application keys created by a deactivated user are NOT automatically revoked. Admins must manually audit and revoke these keys to prevent unauthorized API access.
• Deactivated users can be re-enabled by an Admin at any time, which restores their access and role assignments.
• If SCIM is in use, deprovisioning the user in the IdP will automatically deactivate them in Datadog; manual deactivation in the Datadog UI may conflict with IdP state.
• There is no bulk deactivation option in the UI; each user must be deactivated individually unless using SCIM or the Datadog API.
• Deactivated users still appear in audit logs and historical event data attributed to their account.

• Where to check usage: Organization Settings > Team > Users - filter by 'Active' status to see current active user count. Billing details at Organization Settings > Plan & Usage.
• How to identify unused seats: Filter the Users list by 'Last Login' date (if available in your org's view) or sort by status. Users who have never logged in appear as 'Pending'. Users who have not logged in recently can be identified and deactivated. Datadog does not provide a native 'inactive user' automated report; Admins must manually review last-login data or use the Datadog API (/api/v2/users) to export and analyze user activity.
• Billing notes: Datadog's primary billing metric is infrastructure hosts, containers, and product-specific usage (APM hosts, log volume, RUM sessions), not per-user seats in most plans. However, some enterprise agreements include user-count terms. Read-only users consume a full seat with no discount. SCIM and custom roles require Pro or Enterprise plan tiers respectively, which affects the base infrastructure pricing tier required.

No bulk-invite UI means each user must be added individually, and no automated inactive-user report means last-login audits require either manual review or a direct API export from /api/v2/users. Deactivating a user does not revoke their API or application keys - those must be located and revoked separately, or they remain live indefinitely.

Read-only users consume a full seat at the same cost as Standard users, so stakeholder access carries the same billing weight as an active contributor.

Practitioners consistently flag two friction points. First, SCIM provisioning with Microsoft Entra ID has been reported as unreliable for group sync due to Microsoft-side API freezes.

Second, SAML JIT and SCIM cannot safely coexist - disabling JIT is required before enabling SCIM, but it is easy to overlook, producing duplicate or conflicting user states.

SCIM itself is gated behind Infrastructure Pro or Enterprise, which is a real cost barrier for smaller teams that want automated user lifecycle management.

Common complaints:

• Team (group) provisioning via SCIM with Microsoft Entra ID has been reported as broken or unreliable due to Microsoft-side freezes or API changes.
• SAML JIT and SCIM must not be used simultaneously; disabling JIT is required but easy to overlook, causing duplicate or conflicting user states.
• SCIM provisioning is gated behind Pro or Enterprise infrastructure plans, which is a cost barrier for smaller teams wanting automated user lifecycle management.
• No native CSV bulk-import for users in the UI; bulk operations require SCIM or direct API usage, which adds technical overhead.
• Read-only users consume a full seat at the same cost as Standard users, which is seen as poor value for stakeholder or view-only access.
• No automatic revocation of API keys or application keys when a user is deactivated, creating a security gap that requires manual remediation.
• No built-in inactive user report; identifying stale accounts requires manual review or API scripting.
• Custom roles are locked to the Enterprise plan; Pro-tier customers cannot create custom roles and are limited to three default roles.

As with every app where access control complexity scales with headcount, manual management in Datadog is workable for small, stable user populations but becomes a liability as teams grow. The absence of bulk UI operations and the API-key revocation gap are the sharpest edges.

Custom roles - the primary tool for least-privilege access - are Enterprise-only, so teams on Pro or lower are limited to three fixed permission tiers regardless of how granular their access requirements are.

Bottom line

Datadog's manual user management is straightforward for small, stable teams but does not scale cleanly. The lack of bulk UI operations, the absence of automatic API key revocation on deactivation, and the Enterprise-only gate on custom roles mean that growing organizations will hit friction quickly.

SCIM provisioning resolves the lifecycle automation gap but requires SAML SSO to be active, JIT to be disabled, and the plan to be Infrastructure Pro or Enterprise - prerequisites that should be evaluated before committing to a tier.