Block Domain User without Invite / Admin Confirmation

Hi Asana, please take care of this urgently: any user with an email address on an organization's domain can enter Asana, linked to the organization, even if they don't have an invite.

1 Like

Hi @Riccardo_Mares 👋🏼

This is an expected behaviour! Anyone in your org with a @domain.com email address can automatically join your Organisation. If some of your colleagues don’t know Asana you can invite them to join, but this is also something they can do on their own 🙂 More info in this guide article: Setting up an organization in Asana | Product guide • Asana Product Guide

Hope this helps!

Sorry, but I see it as a security bug.
You can’t relate participation in a project management tool with the membership.

For a company with a limited user plan, every time someone is added to a project (by mistake), they automatically enter the Asana Organization of that domain.

I think the best thing you can do is to add an optional control “Admins need to confirm a new organization member”.

Thanks

4 Likes

I believe they will get added but then you get a warning you are over the limit for a few days, giving you a chance to remove that person (or others).

Yes, I know, but it’s a palliative.
It’s sad to hear from Asana that it’s an “expected behavior”, as if ASANA really thinks that every member of a company has the right to access the project management tool of the same company!

After more than 2 years, this task is still pending.
It’s incredible that a system like Asana continues to permit users with an email based on the “company domain” (set in Asana) to enter without any authorization by the admins!

Are you really not able to add a fu**ing option in the workspace settings, “require admin confirmation to create a new user”, here:
[image]

Or do you not plan to, because this way you can obtain new unaware paid users, with a big security bug?

2 Likes

I’m with you. I complain about this to our Customer Success person every time we talk. As an Admin, it’s such a huge pain since everyone in our org is not ‘allowed’ to have a license, but I can’t control it so have to constantly audit it to keep our license count down. It’s so time consuming.

I hate that Asana does it as a way to drive more revenue and it feels like we’re just getting beaten down to increase our license count, even though not everyone needs a license. As a non-profit, we’re very focused on keeping costs down and every license has to be accounted for.

5 Likes

This is an issue for my organization, as well. It sounds like divisions does not really solve the issue and we aren’t big enough to be enterprise. It seems it creates more work all around by not having this stopgap in place.

  • I needed to remind license holders not to invite other domain users
  • Billing admin needed to remove user and decrease seat tier to the lower level
  • I needed to contact support to ensure a refund would be issued for the upgrade charge.

I opened a support ticket on April 1 and have now spent 5 days going back and forth with support to issue the refund. A total of 4 messages on my side and 3 from the support rep so far. So more work for multiple people at my org and more work on Asana’s side to reply to my support ticket and issue the refund (which hasn’t been initiated still…). All of which could be prevented by making this change.

1 Like

I understand that this “expected behaviour” is an added value for the economy of ASANA, but it continues to be a problem for your clients and an enormous security bug.

1 Like

Has anyone successfully received a refund after a licensed domain user mistakenly/without approval added a new user and increased the subscription level and cost?

We are a small nonprofit with limited tech funds, so I must now explain to my operations and finance leads why my team “allowed” an unauthorized increase in our Asana costs, so I am trying to rectify this if at all possible. So far, it looks like the SSO workaround and the team admin feature are only enterprise options and that divisions does not actually solve the issue either.

  1. A licensed user added a new user mistakenly and increased our cost and seat limit without approval

  2. We rectified our seat level to 15 seats within 24 hours by removing users to bring us back down to 15 seats used.

  3. We reached out to the user to remind them not to add any new users without contacting us for approval

  4. There is no way to prevent domain users from being added to our Asana license through Asana itself. When a licensed user attempts to add a new user to our account and it would increase our subscription level, they are given no warning nor is the request sent to an admin for approval. Should a domain user navigate independently to Asana and create their own account, they too are given no warning nor is the request sent to an admin for approval.

  5. We contacted Asana Support on April 1

  6. We sent 7 requests for a refund, inclusive of the initial support request logged

  7. Asana Support has continued to deny our refund because of the Annual Plan policy, despite the flaws outlined in #4 above, and stated that we must continue to pay the increased 20-seat fee through our annual subscription renewal date of December 2 2024 (even though we immediately went back to 15 seats)

1 Like

I totally agree. Just as soon as our pilot of Microsoft Planner is final, I hope to convince our Asana user community to convert all their projects to that tool. This is nothing more than a money grab for Asana while, as Riccardo said, a severe security bug. I asked for a list of users who had signed up using our domain for a “trial” so I could get my arms around this from an IT administrative perspective, and they refused me that information and I’m the CIO! If the executive who went behind my back and paid for this with her purchasing card was still employed here, we’d be having a talk.

2 Likes