Summary and recommendation
Xero user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Xero uses a fixed set of predefined roles - Adviser, Standard, Invoice Only, Read Only, and Subscriber - assigned per organisation through Settings > Users.
There are no custom roles;
admins select from the fixed list and toggle a small number of add-on permissions such as Payroll and Expenses.
Because Xero has no native SAML SSO or SCIM on any plan tier, every app that connects to Xero requires manual user lifecycle management through the web UI.
Quick facts
| Admin console path | Settings > Users |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Unknown |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Adviser | Full access to all areas of Xero including reports, bank reconciliation, invoicing, payroll (if enabled), and settings. Can invite and manage other users. | Cannot access the subscription/billing settings unless also set as a Subscriber. | All plans (Starter, Growing, Established) | Included in subscription; unlimited users on all plans | Adviser role is typically reserved for accountants or bookkeepers. Granting it to internal staff gives near-full access. |
| Standard | Access to day-to-day functions: invoicing, bills, bank reconciliation, expense claims, and reports. Cannot access payroll by default. | Cannot manage users, change organisation settings, or access payroll unless payroll access is separately granted. | All plans | Included in subscription; unlimited users on all plans | Payroll access must be explicitly enabled as an add-on permission even for Standard users. |
| Invoice Only | Can create and send invoices and quotes, and view contacts. Limited read access to some areas. | Cannot access bank accounts, bills, reports, payroll, or settings. | All plans | Included in subscription; unlimited users on all plans | Suitable for sales staff who only need to raise invoices. Does not count as a full user for billing purposes on some plan tiers. |
| Read Only | Can view most areas of Xero but cannot create, edit, or delete any records. | Cannot create or modify any transactions, invoices, bills, or settings. | All plans | Included in subscription; unlimited users on all plans | Useful for stakeholders who need visibility without edit access. |
| Payroll Admin | Full access to payroll including employee records, pay runs, and payroll reports. | Payroll Admin access is an add-on permission; the user still needs a base role (e.g., Standard) for other areas. | Payroll must be enabled on the subscription (available as add-on or included in Established plan depending on region) | Payroll add-on pricing applies; varies by region | Payroll access is controlled separately from the main user role. A user can have Standard access plus Payroll Admin. |
| Subscriber | The person who owns the Xero subscription. Has full access including billing, subscription management, and can close the organisation. | All plans (one Subscriber per organisation) | Included in subscription | Only one Subscriber per organisation. Transferring the Subscriber role requires the current Subscriber to initiate the transfer. If the Subscriber leaves the company, regaining control can be difficult. |
Permission model
- Model type: role-based
- Description: Xero uses a predefined set of user roles (Adviser, Standard, Invoice Only, Read Only, Payroll Admin, Subscriber). Roles are assigned per organisation. Some add-on permissions (e.g., payroll access, expense claims) can be layered on top of a base role. There are no fully custom roles; admins select from the fixed role list and toggle specific add-on permissions.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level with limited add-on toggles (e.g., payroll, expenses). No field-level or object-level permission customisation.
How to add users
- Log in to Xero as an Adviser or Subscriber.
- Go to Settings > Users.
- Click 'Invite a User'.
- Enter the user's first name, last name, and email address.
- Select the appropriate user role (Adviser, Standard, Invoice Only, Read Only).
- Toggle any additional access permissions (e.g., Payroll, Expenses) as needed.
- Click 'Send Invite'.
- The invited user receives an email and must accept the invitation to gain access. If they do not have a Xero account, they will be prompted to create one.
Required fields: First name, Last name, Email address, User role selection
Watch out for:
- The invited user must accept the email invitation before they can access the organisation; access is not immediate.
- If the invitee already has a Xero account under a different email, they must use the invited email address or the invite will not link correctly.
- There is no bulk CSV import for users; each user must be invited individually.
- Pending invitations count toward the user list but the user has no access until they accept.
- Xero does not support native SAML SSO or SCIM provisioning; all user invitations are manual.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Xero does not permanently delete users from an organisation. Instead, an Adviser or Subscriber can remove a user's access, which revokes their ability to log in to that organisation. The user's Xero account itself is not deleted. Historical transactions and records created by the removed user are retained and remain attributed to them.
- Log in to Xero as an Adviser or Subscriber.
- Go to Settings > Users.
- Locate the user in the list.
- Click on the user's name to open their profile.
- Click 'Remove User' (or 'Revoke Access' depending on UI version).
- Confirm the removal when prompted.
| Data impact | Behavior |
|---|---|
| Owned records | All transactions, invoices, bills, and other records created by the removed user are retained in the organisation's data and remain visible in audit trails. |
| Shared content | Shared reports, templates, or files associated with the user remain accessible to other users in the organisation. |
| Integrations | Any API connections or third-party app authorisations made under the removed user's credentials may be affected; connected apps should be reviewed separately. |
| License freed | Removing a user frees their seat, as Xero allows unlimited users on all plans; however, removing the user means they no longer appear in the active user count. |
Watch out for:
- The Subscriber role cannot be removed by other Advisers; only the Subscriber themselves can transfer or relinquish the role.
- If the Subscriber leaves the organisation without transferring the role, regaining subscription control requires contacting Xero support.
- Removing a user does not notify them by email automatically; communication must be handled separately.
- A removed user can be re-invited at any time using the same email address.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Standard user (all roles) | Unlimited users across Adviser, Standard, Invoice Only, and Read Only roles are included on all Xero plans at no per-seat charge. | Included in plan subscription fee |
| Payroll (employee seats) | Payroll is priced per employee paid per month, not per Xero user. The number of employees on payroll determines payroll add-on cost. | Varies by region and plan; payroll is included in Established plan in some regions or available as a paid add-on |
- Where to check usage: Settings > Users (shows all active users and their roles; pending invitations are also listed)
- How to identify unused seats: Review the 'Last active' or login date column in Settings > Users to identify users who have not logged in recently. Xero does not provide an automated inactive-user report.
- Billing notes: Xero does not charge per user seat for standard roles; the subscription fee is flat per plan tier. Payroll costs are based on the number of employees processed, not the number of Xero users with payroll access. Plan pricing (approximate, USD, subject to change): Starter ~$20/mo, Growing ~$47/mo, Established ~$80/mo after promotional periods.
The cost of manual management
Every joiner must be individually invited by email and must accept that invitation before access is granted - there is no bulk CSV import path. Every leaver requires a manual removal step in Settings > Users, and Xero does not send the removed user an automated notification, so offboarding communication must be handled separately.
User seats for standard roles carry no per-seat charge; the subscription fee is flat per plan tier.
What IT admins are saying
Community evidence is not specific enough to quote or summarize yet for this app.
The decision
Xero is appropriate for teams that can accept fully manual user provisioning and deprovisioning across every app that depends on Xero access. If your security posture requires IdP-driven lifecycle management, you will need a third-party middleware layer such as miniOrange or AuthDigital to bridge SSO - Xero does not provide this natively.
The Subscriber role transfer risk is worth addressing proactively: confirm the Subscriber is a shared or role-based account before any personnel changes occur.
Bottom line
Xero's flat-fee user model removes per-seat cost friction, but the complete absence of native SCIM and SAML SSO means every user change - across every app that depends on Xero access - is a manual operation.
Teams with straightforward accounting workflows and low user churn will find the role model adequate. Teams with compliance requirements around access auditing or automated deprovisioning should plan for third-party identity middleware from the outset, and should resolve Subscriber role ownership before it becomes an incident.
Automate Xero workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
