Can't remove Twingate users (Azure AD as IdP)

I’ve configured Azure AD for our IdP.

In the Azure/Twingate Portal (Azure Portal → Enterprise Applications → Twingate), there are only 2 users listed, but the Twingate console lists 5 users.

The Twingate console won’t let me remove these users, and I can’t find anything in the Azure Portal to even suggest that these extra users should be able to access Twingate.

How can I remove these extra users?

Not sure if it’s relevant, but I just noticed on the Twingate console that the last user sync with Azure was 2 months ago, but Azure says the last sync was 4 minutes ago and repeats every 40 minutes.

Ran into this as well today - seems to be that the duplicate user gets created when the user adds their device? I’m seeing the originally synced user without any devices listed and then the duplicate without an email address but a device.

The Twingate user docs say this on removing users:

Users are automatically synchronized from your Identity Provider and cannot be modified in the Twingate Admin Console. Any changes to users—for example, creation or deactivation—are received directly from your configured IdP via SCIM and will update Twingate immediately.

I think the issue to address is why those duplicates are being synced from the IdP - will be trying some scenarios based on the device addition theory and provide any findings.

Granted it’s not a lot of money, but we’re billed monthly for the users that shouldn’t be there.

If a user exists in Twingate but has no access to any resources, is it still billed as an active user?

I’ve got my IdP team looking into what might be going on with both scenarios.

First thing - we currently bill based on active users, so if you’ve got 100 users in your dashboard but only 10 of them are actively logging in to the client and accessing resources, you only get billed for 10. :slight_smile:

That being said, if either of you want to email me at arthur(at) with your tenant slug and the particular users you’d like deleted, I can take care of it manually for now.

Sorry for the inconvenience!




Hi @Arthur,

Your mention of active users is a detail I’ve been hoping to find about Twingate, and this is the first reference to it I’ve seen.
Is there a public definition of “active”? I ask this because I have subscription services that work similarly, counting “engaged” users, where “engagement” has a defined meaning. It’s possible for them to do read-only actions, but content modification moves them into a billable category.

So for Twingate, is it “any use at all in a month” = active?

Hey Steve,

For Twingate, we consider any user that has both
A) Logged into the Twingate Client and
B) Accessed a resource
to be “active”.

So yes, technically it would be “any use at all”.

Hope that helps!