Summary and recommendation
SendGrid user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
SendGrid's access model splits users into two distinct types: Teammates (collaborators sharing one account) and Subusers (isolated child accounts with separate sending identities, stats, and suppression lists).
Teammates are managed from Settings → Teammates; Subusers from Settings → Subusers.
There is one Account Owner per account, and ownership transfer requires contacting SendGrid support directly.
The permission model uses predefined scope categories - approximately 15 toggleable areas such as Mail Send, Stats, Template Engine, and API Keys - rather than named roles.
Restricted Teammates receive only the scopes selected at invite time, though permissions can be edited afterward.
Unlike apps that offer a soft-disable state, SendGrid has no deactivation option for Teammates: removal is a hard delete.
Quick facts
| Item | Value |
|---|---|
| Admin console path | Settings → Teammates |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Pro |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Account Owner | Full access to all account settings, billing, API keys, Subusers, and Teammates management. Cannot be restricted. | Cannot be demoted to a Teammate role; only one Owner per account. | All plans | Included; no additional seat cost. | The Owner credential is tied to the account's primary email address. Transferring ownership requires contacting SendGrid support. |
| Teammate (Administrator) | Full access equivalent to Owner except billing and account ownership transfer. Can manage other Teammates. | Cannot access billing settings or transfer account ownership. | Essentials and above (Teammates feature not available on Free plan for granular permissions; Free plan allows limited Teammates). | No per-seat charge documented; included in plan. | Administrator-level Teammates can invite and delete other Teammates, which may be unintended for some organizations. |
| Teammate (Restricted) | Scoped to specific permission sets selected at invite time (e.g., Mail Send, Stats, Template Engine, Suppressions, Marketing Campaigns, etc.). | Cannot access areas outside their assigned permission scopes. Cannot manage billing or other Teammates unless explicitly granted. | Essentials and above. | No per-seat charge documented; included in plan. | Permissions are set at invite time and can be edited afterward, but the Teammate must re-authenticate if SSO is enabled. |
| Subuser | Separate sending identity with its own API keys, sending statistics, suppression lists, and templates. Managed from the parent account. | Subusers cannot log in to the parent account UI; they have their own isolated SendGrid account context. | Pro and above (Subuser creation requires a Pro or Premier plan). | No explicit per-seat cost documented; subject to plan limits on number of Subusers. | Subusers count against plan-level Subuser limits. Deleting a Subuser is irreversible and removes all associated data including sending history and suppression lists. |
Permission model
- Model type: permission-sets
- Description: SendGrid uses a permission-set model for Teammates. When inviting a Teammate, the admin selects from a predefined list of permission scopes (e.g., Mail Send, Marketing Campaigns, Stats, API Keys, Suppressions, Template Engine, Tracking, Alerts, Scheduled Sends, Inbound Parse, Billing). There are no fully custom-named roles; permissions are toggled per scope category.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Scope-level (approximately 15 predefined permission categories, each toggled on/off per Teammate). Read vs. read-write granularity is available within some scopes.
How to add users
- Log in to the SendGrid account as Owner or Administrator-level Teammate.
- Navigate to Settings → Teammates (https://app.sendgrid.com/settings/teammates).
- Click 'Invite Teammate'.
- Enter the invitee's email address.
- Select 'Administrator' for full access or 'Restricted Access' to configure individual permission scopes.
- If Restricted Access, toggle on the desired permission scopes.
- Click 'Send Invite'.
- The invitee receives an email invitation and must click the link to set a password and activate their Teammate account.
Required fields: Email address of the invitee, Access level selection (Administrator or Restricted)
Watch out for:
- Invitation links expire; if the invitee does not accept within the expiry window, a new invite must be sent.
- If SSO is enabled on the account, Teammates provisioned via SSO may not be able to set a password and must log in via the SSO flow.
- The invitee's email address must not already be associated with another SendGrid account.
- Free plan accounts have limited or no access to the Teammates feature for granular permission scoping; check current plan entitlements.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Pro and above (SAML SSO required; supported with Okta and Microsoft Entra ID per official SSO docs) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: SendGrid officially supports deleting Teammates. From Settings → Teammates, an Owner or Administrator can click the delete (trash) icon next to a Teammate to permanently remove their access. There is no documented 'deactivate' or 'suspend' state for Teammates; removal is a hard delete of the Teammate relationship. The underlying email address is not deleted from SendGrid's system and could be re-invited.
- Navigate to Settings → Teammates (https://app.sendgrid.com/settings/teammates).
- Locate the Teammate to remove.
- Click the delete icon (trash can) next to their name.
- Confirm the deletion in the confirmation dialog.
| Data impact | Behavior |
|---|---|
| Owned records | Teammates do not own sending data independently; all email sends, stats, and logs are associated with the parent account or Subuser account. Deleting a Teammate does not delete sending history. |
| Shared content | Templates, marketing campaigns, and other content created by the Teammate remain in the account and are accessible to other users. |
| Integrations | API keys created by the Teammate remain active after the Teammate is deleted unless separately revoked. Admins should audit and revoke API keys before or after removing a Teammate. |
| License freed | No per-seat license cost is documented for Teammates, so no billable seat is freed upon deletion. |
Watch out for:
- API keys created by a deleted Teammate are NOT automatically revoked. Admins must manually revoke them under Settings → API Keys.
- There is no way to transfer ownership of content or API keys from a deleted Teammate; content remains in the account under the parent context.
- Deleting a Teammate is immediate and irreversible; the Teammate loses access instantly.
- If the account uses SSO, the IdP session may need to be separately terminated to prevent re-authentication.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Teammate seat | Access to the SendGrid UI and/or API under scoped permissions. No independent email volume allocation. | No documented per-seat charge; included within the plan subscription. |
| Subuser account | Separate sending identity with isolated stats, suppression lists, API keys, and templates. Shares the parent account's email volume pool unless separately allocated. | No documented per-Subuser charge; subject to plan-level Subuser count limits (Pro plan required). |
- Where to check usage: Settings → Teammates (https://app.sendgrid.com/settings/teammates) to view all active Teammates. Subusers visible at Settings → Subusers (https://app.sendgrid.com/settings/subusers).
- How to identify unused seats: No built-in 'last login' or activity report for Teammates is documented in the official UI. Admins must manually review the Teammates list; there is no automated idle-user report.
- Billing notes: SendGrid billing is based on email volume (emails sent per month), not on the number of Teammates or Subusers. Plan upgrades are required to unlock Subuser creation (Pro+) and SSO-based provisioning (Pro+). Annual plans carry an approximately 15–20% discount per pricing seed data.
The cost of manual management
SendGrid has no built-in last-login or activity timestamp for Teammates in the UI. Identifying inactive accounts requires manually reviewing the Teammates list with no automated idle-user report to assist.
When a Teammate is deleted, API keys they created are not automatically revoked. Admins must separately audit Settings → API Keys and manually rotate or delete any orphaned keys - a step that is easy to miss and creates a real security gap.
Subuser deletion is permanent and irreversible: all associated sending history, suppression lists, and settings are destroyed. There is no soft-delete or deactivation state for Teammates; removal is immediate.
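One way to script the manual checks described above, as an added example that is not SendGrid's or this guide's own code: it reconciles an exported Teammates list against an IdP/HR roster (standing in for the missing last-login report) and flags API keys whose creator has left. The sample data is constructed, and the field names, scope strings, and the admin-maintained key register are assumptions.

```python
# Constructed sample data; field names and scope strings are assumptions.
TEAMMATES = [
    {"email": "ana@example.com", "is_admin": True, "scopes": []},
    {"email": "raj@example.com", "is_admin": False,
     "scopes": ["mail.send", "api_keys.create"]},
    {"email": "lee@example.com", "is_admin": False, "scopes": ["stats.read"]},
]
ROSTER = {"ana@example.com", "lee@example.com"}  # active staff per IdP/HR
# Hypothetical admin-maintained register of who created each API key.
KEY_REGISTER = [
    {"id": "key-001", "name": "billing-cron", "created_by": "raj@example.com"},
    {"id": "key-002", "name": "web-signup", "created_by": "ana@example.com"},
    {"id": "key-003", "name": "legacy-export", "created_by": "sam@example.com"},
]
SENSITIVE_PREFIXES = ("api_keys.", "teammates.", "billing.")

def norm(email):
    return email.strip().lower()

def stale_teammates(teammates, roster):
    """Teammates still on the account but absent from the roster."""
    active = {norm(e) for e in roster}
    return sorted(e for e in (norm(t["email"]) for t in teammates) if e not in active)

def privileged_teammates(teammates):
    """Administrators, plus restricted Teammates holding sensitive scopes."""
    found = []
    for t in teammates:
        hits = [s for s in t.get("scopes", []) if s.startswith(SENSITIVE_PREFIXES)]
        if t.get("is_admin") or hits:
            label = "administrator" if t.get("is_admin") else ",".join(hits)
            found.append((norm(t["email"]), label))
    return sorted(found)

def keys_to_review(register, teammates, roster):
    """API keys whose creator is off the roster or no longer a Teammate."""
    active = {norm(e) for e in roster}
    current = {norm(t["email"]) for t in teammates}
    flagged = []
    for key in register:
        owner = norm(key["created_by"])
        if owner in active and owner in current:
            continue  # creator is still employed and still has access
        reason = "creator pending removal" if owner in current else "creator already removed"
        flagged.append((key["id"], key["name"], reason))
    return flagged

if __name__ == "__main__":
    print(stale_teammates(TEAMMATES, ROSTER), keys_to_review(KEY_REGISTER, TEAMMATES, ROSTER))
```

Keys flagged here still have to be revoked under Settings → API Keys; the script only produces the review list.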
The decision
SendGrid is appropriate for teams that need granular, scope-level access control over a shared email sending account. The Teammates model works well when permission needs map cleanly to SendGrid's predefined scope categories.
However, every app in a stack that lacks automated deprovisioning, last-login reporting, and API key cleanup after offboarding adds compounding manual overhead - and SendGrid is no exception.
SCIM provisioning is in Private Beta via Twilio Organizations and is not generally available; JIT provisioning via SAML SSO on Pro and Premier plans is the current automated provisioning path. Teams with high Teammate turnover or strict access hygiene requirements should account for the manual cleanup steps that SendGrid's native tooling does not handle.
Bottom line
SendGrid's Teammates feature gives admins workable, scope-level access control, but the manual overhead is real: no last-login data, no automatic API key revocation on Teammate deletion, and no soft-deactivation state mean that offboarding requires deliberate multi-step cleanup every time. Subuser management carries additional irreversibility risk.
Teams managing access across every app in their stack will feel these gaps most acutely at scale, particularly without a centralized identity layer compensating for what SendGrid's native tooling does not provide.