What is it?
Invite links give MSP admins a fast, controlled way to onboard new users into a tenant. Instead of manually creating accounts one by one, an admin generates a single shareable link. New users who click the link can create their own account and are automatically placed into the correct tenant with the correct role - no back-and-forth required.
Admins stay in full control at every step. They choose who can sign up, what role those users get, and can revoke access instantly.
Who can do what
MSP Admins (Admin Dashboard) can:
Enable or disable Automatic Account Creation for any tenant
Choose the default role assigned to new users
Restrict signups to specific email domains
Copy and share the invite link
Revoke an active link and generate a new one at any time
End users (Tenant Dashboard) cannot:
See or access any invite link settings
Generate, copy, or revoke invite links
Change the default role or allowed domains
New users (via the invite link) can:
Open the link and create an account using email/password or Microsoft sign-in
Join the tenant they were invited to - nothing more
How it works
Enabling the feature
From the Admin Dashboard, navigate to Tenants > [Tenant Name] > Users. An Invite Link button appears alongside the existing Add Users button.
Clicking Invite Link opens a dialog with the Automatic Account Creation settings:
Toggle it on. Before enabling, you must select a default role from the dropdown. This is the role every new user will receive when they join. Both custom roles and built-in default roles are available.
Restrict by email domain (optional). Enter one or more allowed email domains - one per line or separated by commas. Only users whose email matches an allowed domain can sign up. Leave this blank to allow any email domain. You can add up to 50 allowed domains per tenant.
Copy the link. Once enabled, the invite URL appears in the dialog. Copy it and share it however you like - email, Slack, Teams, etc.
Changing settings after enabling:
You can change the default role at any time without revoking the link. Select a different role from the dropdown and save - the same link stays active, and only future signups will receive the new role.
You can add or remove allowed email domains at any time. Changes take effect immediately for all future signups through the existing link.
What new users see
When someone opens an invite link, they land on a branded "Join [Organization Name]" page. They can sign up in two ways:
Continue with Microsoft - Uses Microsoft OAuth for single sign-on.
Email and password - A standard signup form: first name, last name, email, password, and password confirmation.
Password requirements are enforced automatically: at least 8 characters with a mix of uppercase, lowercase, numbers, and special characters. Users must also accept the Terms of Service and Privacy Policy.
On success, the account is created, the user is assigned to the tenant with the admin-selected role, and they're redirected into the product immediately.
Error scenarios:
If the link is invalid, expired, or has been revoked, the user sees: "This invite link is not valid or has been deactivated. Please contact your administrator."
If they try to sign up with an email that's already registered (on any tenant), the authentication system blocks it and displays: "User already registered." There is no risk of duplicate accounts.
If their email doesn't match an allowed domain, signup is rejected.
Users who already have an account can click through to the regular sign-in page.
Revoking and regenerating
If a link needs to be invalidated - for example, if it was shared beyond the intended audience - the admin clicks Revoke & Generate New Link in the same dialog. This:
Immediately disables the old link (anyone who has it will see an invalid-link message)
Generates a new link with a new token
Cannot be undone - the old link is permanently retired
Temporarily disabling without regenerating: You can toggle Automatic Account Creation off to disable the link immediately. Toggling it back on reactivates the exact same link (same URL and token). The token only changes when you explicitly revoke and regenerate.
Security controls
Control | Detail |
Admin-only access | All invite link settings require MSP admin permissions ( |
Email domain restrictions | Admins can lock signups to specific domains (e.g., |
Domain uniqueness | Allowed domains must be unique across sibling tenants within the same MSP, preventing cross-tenant signup collisions. |
Role assignment | A default role is required before the feature can be enabled. New users always receive exactly the role the admin chose - never more. |
Instant revocation | Admins can revoke the active link at any time. The old link stops working immediately. |
New accounts only | Invite links only work for brand-new accounts. They cannot be used to escalate access for existing users. |
SSO exclusion | If a tenant has SAML/SSO configured, invite links are automatically disabled. The toggle is grayed out with a message: "Not available - SSO is configured for this tenant." |
One active link per tenant | There is only ever one valid invite link per tenant. Generating a new one revokes the previous one. |
Duplicate account prevention | If someone tries to sign up with an email already registered to any account, the authentication system blocks it before any invite-link logic runs. |
Limitations
No audit trail: The system does not track which users joined via invite link vs. manual creation. If you need this information, you would need to cross-reference user creation timestamps with when the feature was enabled.
No expiration dates: Invite links do not expire automatically. They remain valid until you disable the feature or revoke the link manually.
No bulk generation: Invite links must be configured per tenant. There is no way to generate or manage links for multiple tenants at once.
No per-role links: Each tenant has one invite link tied to one default role. To assign different roles to different groups of users, you must change the role setting between sharing sessions or update user roles manually after they join.
Cross-tenant conflicts: If a user already has an account on any tenant within the MSP, they cannot use an invite link to create a second account with the same email. They must sign in with their existing credentials.
FAQ
Can I create different invite links for different roles? Not currently. Each tenant has one invite link tied to one default role. To assign a different role, the admin can update the user's role after they join or change the default role setting before sharing the link again.
What happens when I disable Automatic Account Creation? The invite link stops working immediately. Users who already joined are not affected. Re-enabling the feature reactivates the same link (unless it was regenerated).
Can I change the default role without generating a new link? Yes. You can change the role at any time from the dropdown. The existing link remains active - only future signups receive the new role. Users who already signed up keep their original role.
Do invite links expire? No. Invite links remain valid indefinitely until you disable the feature, revoke the link, or the tenant is canceled.
Can I temporarily disable a link and reactivate it later? Yes. Toggle Automatic Account Creation off to disable the link immediately. Toggle it back on to reactivate the same link. The URL and token do not change unless you explicitly revoke and regenerate.
If I update allowed email domains, do I need to share a new link? No. Domain restrictions are enforced at signup time, not when the link is generated. Changes to allowed domains take effect immediately for the existing link.
Is there a limit to how many users can sign up through one invite link? No. A single invite link can be used by an unlimited number of new users.
Can end users on the tenant dashboard see or manage invite links? No. The invite link feature is only accessible from the MSP Admin Dashboard. Tenant-side users have no visibility into these settings.
Does this work with SSO tenants? No. When SAML/SSO is configured for a tenant, Automatic Account Creation is disabled automatically and cannot be turned on.
What happens if someone already has an account and tries to use an invite link? If they try to sign up with an email that's already registered anywhere in the system, the authentication layer blocks it with a "User already registered" message. Invite links are strictly for new accounts - existing users must sign in normally.
What happens if a user starts signing up but doesn't finish? If they abandon the form before submitting, nothing happens. If the account is partially created due to an error, the system automatically cleans up the orphaned authentication record.