The admin console isn't a one-person show. Pull your operations + security teammates in. Invitations are how.
Send an invitation
Section titled “Send an invitation”Members → Invite member.
Fill in:
- Email — must be a real address; the invitee receives a link there.
- Role — Administrator / Operator / Viewer (or any custom role you've defined).
- Note (optional) — a short message attached to the invitation email. Useful for "I'm adding you so you can take over MFA recovery on-call rotation".
Send. The invitation appears in the Members list with state pending.
The invitee gets an email titled "You've been invited to administer the <tenant> tenant". They click the link, set a password (or sign in with an existing IntelliAuth admin account), pass through MFA enrolment if your policy requires it, and land on the Dashboard.
What each role can do
Section titled “What each role can do”The shipped roles in a fresh tenant:
| Role | Can do |
|---|---|
| Administrator | Everything in this tenant. Including inviting new members, changing roles, deleting users, configuring policies. |
| Operator | Day-to-day operations — view audit, reset a user's MFA, disable a user, look at threat intel. Cannot change tenant policy or invite new members. |
| Viewer | Read-only. Useful for auditors, compliance officers, or stakeholders who want context without click-power. |
Custom roles live in Roles & scopes. You can carve out finer-grained roles (e.g., "Branding editor — can only touch the Branding section"); see the roles overview.
Invitation lifecycle
Section titled “Invitation lifecycle”Each invitation has a state:
- Pending — sent, not yet clicked. Default TTL is 7 days; configurable per tenant.
- Accepted — clicked + account created. The row moves into the active Members list.
- Expired — TTL passed without acceptance.
- Revoked — you cancelled it before acceptance.
Resend or revoke
Section titled “Resend or revoke”Pending invitations in the list have a kebab menu (three dots) with:
- Resend — re-email the link (extends the TTL).
- Revoke — invalidate the link immediately. Useful if you sent to the wrong email.
Both actions are audit-logged.
Change a member's role
Section titled “Change a member's role”Click a member in the list to open their detail page. Click the role chip to change it. Saves on selection; audit log records who changed what, when.
Remove a member
Section titled “Remove a member”Member detail → menu → Remove. Their tenant admin sessions are revoked immediately; future sign-ins to the admin console refuse. The audit log preserves their historical actions; removing a member doesn't erase their past.
Common pitfalls
Section titled “Common pitfalls”- Inviting an email that's already a member. Refuses with "this user is already a member". To change their role, open their detail page instead.
- Inviting yourself. The link won't work — you can't accept an invitation while signed in as the same email. Sign out first, or have someone else send a fresh invitation.
- The invitation email is in spam. Common on corporate Gmail. Resend; if it keeps happening, your SPF / DKIM may need tuning. See the Email SMTP integration page.