Marketo User Management Guide

• Model type: custom-roles
• Description: Marketo uses a role-based access control model. Roles are fully customizable collections of granular permissions. Each user is assigned one or more roles; permissions are additive. Roles can be scoped to specific Workspaces in multi-workspace configurations. There are no built-in standard roles other than the immutable Admin role.
• Custom roles: Yes
• Custom roles plan: All plans (Workspaces & Partitions for workspace-scoped roles require Select plan or higher)
• Granularity: Granular - permissions are broken into ~80+ individual permission checkboxes across categories: Access Admin, Access Analytics, Access Calendar, Access Design Studio, Access Lead Database, Access Marketing Activities, and sub-permissions within each (e.g., Approve Assets, Delete Leads, Export Lead, Import List, etc.).

1. Log in to Marketo Engage as an Admin.
2. Navigate to Admin (gear icon) > Users & Roles.
3. Click the 'Users' tab.
4. Click 'Invite New User'.
5. Enter the user's First Name, Last Name, and Email Address.
6. Optionally set an Access Expiration date.
7. Click 'Next'.
8. Select one or more Roles to assign to the user (and Workspace if applicable).
9. Click 'Next'.
10. Review the invitation summary and click 'Send'.
11. The user receives an email invitation and must click the link to set their password and activate their account (legacy Marketo identity) or accept via Adobe ID (Adobe IMS instances).

Required fields: First Name, Last Name, Email Address, At least one Role assigned

Watch out for:

• Invitation links expire after 3 days by default; if the user does not accept in time, the admin must resend the invitation.
• For instances migrated to Adobe Identity Management System (IMS), users must have or create an Adobe ID; the invitation flow goes through Adobe Admin Console instead of the Marketo UI.
• Email address must be unique across the Marketo instance; duplicate email addresses are not permitted.
• API-only users must have the 'API Only' checkbox selected during creation and cannot log into the UI.
• In multi-workspace instances, users must be assigned roles per workspace; a user without a workspace assignment cannot access that workspace.
• There is no bulk CSV import for users natively in Marketo; users must be invited one at a time through the UI or provisioned via Adobe Admin Console (IMS instances).

• Can delete users: Yes
• Delete/deactivate behavior: Marketo supports both deactivation (blocking login without removing the user record) and full deletion of users. Deleted users are permanently removed from the user list. However, assets, campaigns, and records previously owned or created by the deleted user remain in the system and retain attribution to that user's name. Deactivation is achieved by setting an Access Expiration date in the past or by removing all role assignments, effectively preventing login without deleting the account.

1. Navigate to Admin > Users & Roles > Users tab.
2. Locate the user to deactivate.
3. Click 'Edit User'.
4. Set the 'Access Expiration' date to today or a past date, OR remove all assigned roles.
5. Click 'Save'.
6. Alternatively, to fully delete: select the user checkbox, click 'Delete User', and confirm the deletion prompt.

Watch out for:

• Deleting an API-only user immediately breaks any active API integrations using that user's credentials; rotate credentials to a new API user before deleting.
• There is no 'suspend' or 'deactivate' toggle - deactivation must be done by expiring access or removing roles, which is less obvious than a simple toggle.
• For Adobe IMS-migrated instances, user removal must be performed in Adobe Admin Console; removing from Marketo UI alone may not fully revoke access if the user retains an Adobe product profile assignment.
• Deleted users cannot be recovered; deletion is permanent.
• Smart list filters referencing a deleted user (e.g., 'Lead Owner is [user]') may behave unexpectedly after deletion.

• Where to check usage: Admin > Users & Roles > Users tab - displays all active users. Count of active users visible in the list. No built-in seat utilization dashboard; admins must manually count active users against contracted seat count.
• How to identify unused seats: Marketo does not provide a native 'last login' timestamp column in the Users & Roles UI as of current documentation. Admins can use the Audit Trail (Admin > Audit Trail) to search for user login activity to identify inactive users. Some admins use the Marketo REST API (GET /rest/v1/users.json) to retrieve user lists and cross-reference with audit logs.
• Billing notes: Marketo Engage is sold on annual contracts with a fixed number of named user seats negotiated at signing. Seat counts are not dynamically adjustable via self-serve; overages or additions require a contract amendment with Adobe. Pricing is contact-based (number of leads/contacts in the database) in addition to user seats. Tiers (Growth, Select, Prime, Ultimate) determine feature access, not seat count directly.

With no bulk import and no Okta SCIM support, every new hire requires a manual invitation, role assignment, and - in multi-workspace setups - per-workspace configuration.

Offboarding is equally manual: there is no deactivation toggle, so admins must either expire access dates or remove all roles, then separately deprovision from Adobe Admin Console if the instance has migrated to Adobe IMS.

Marketo provides no native last-login column in the admin UI, so identifying inactive users means manually combing the Audit Trail or scripting against the REST API. Across every app in your stack, this kind of per-app manual overhead compounds into a real security and compliance liability - particularly when employees leave.

Common complaints:

• No native Okta SCIM provisioning support - Okta can be used for SSO but not automated user lifecycle management; feature requests have been submitted on Marketo Nation with no committed timeline.
• No bulk CSV user import - users must be invited one at a time, which is tedious for large team onboarding.
• No native 'last login' visibility in the admin UI - identifying inactive users requires manual audit trail review or API scripting.
• Adobe IMS migration is high-impact - migrating from legacy Marketo identity to Adobe IMS changes the admin workflow significantly and has caused confusion about where to manage users (Marketo UI vs. Adobe Admin Console).
• Invitation links expire in 3 days with no automatic reminder - admins must manually track and resend expired invitations.
• Deleting an API user immediately breaks integrations with no grace period or credential rotation workflow built in.
• No self-serve seat purchasing - adding users beyond contracted count requires engaging Adobe sales and a contract amendment, causing delays.

If your IdP is Azure AD or Google Workspace and your Marketo instance has been migrated to Adobe IMS, you have a limited SCIM path via Adobe Admin Console - but role and workspace assignments still require manual configuration inside Marketo after provisioning.

If your IdP is Okta, or your instance is still on legacy Marketo Identity, there is no automated provisioning path available today.

Teams managing more than a handful of Marketo users will need either a scripted solution against the User Management REST API or a dedicated SaaS layer that handles provisioning, deprovisioning, and role auditing across every app in the stack.

Bottom line

Marketo's user management is functional but deliberately manual: no bulk invite, no Okta SCIM, no last-login visibility in the UI, and a split admin experience between Marketo and Adobe Admin Console for IMS-migrated instances.

For small teams this is manageable; for organizations with frequent onboarding, offboarding, or compliance audit requirements, the manual overhead is significant and the security exposure during offboarding gaps is real.