The admin console empowers all Asana admins and super admins with the administrative capabilities they need to champion Asana within their organizations.
Access the organization admin console
To access the admin console:
- Click on your profile photo
- In the drop-down menu, select Admin Console
Team admins cannot access the admin console.
From the Insights tab, you can:
- Understand how your organization is using Asana through high-level metrics
- See recently added teammates
- View the most influential members in your organization (active members with the most invites sent, teams created, and projects shared in Asana)
- With Asana Advanced or legacy tier Business, you can view detailed engagement activity over time to spot trends in your organization's usage of Asana
Manage all members in an organization
From the Members tab, you can see how many members and guests you have in your Asana organization as well as how many seats you have available. If you need to add members, grant admin access, or deprovision a member, you can easily do so.
From the members tab, you can:
- Invite new members to join a team in your organization
- Identify the number of members, guests, pending invites and the number of available seats in your organization
- Search for someone in your organization
- View each person's name, whether they're an admin, member or guest and when they were last active in your organization
- Edit profile settings or Remove by hovering over their name, clicking the three dot icon and selecting one of the options
Deactivating a member in your organization
To remove a person from your organization, navigate to the Members tab of your admin console.
Find the name of the person by scrolling down or using the search bar. Once you’ve found the person, click the three dot icon and select Remove.
From the next tab, you can:
- Choose the member you want to reassign the tasks to
- Click Remove to confirm the deactivation
The deactivated member will then show in your member’s list as Removed.
What happens to a deprovisioned person’s tasks?
After you have deprovisioned someone from your organization, a private project containing their previously assigned tasks will be auto generated. You can assign this to yourself or another member of your organization. This allows you to easily assign pending tasks to the appropriate person to manage.
A simple next step solution to delegating would be to multi-select deprovisioned tasks, where you can take mass actions on tasks and even bulk assign them to yourself or other organization members.
You can read more about this in our FAQ article.
The time of the deactivation will appear in the Last activity column.
Restoring a deactivated member
Available on paid plans, automatic reactivation means that previously deactivated users returning to Asana have access to their previous data including projects and teams, provided they return with the same email address as used previously.
Automatic reactivation can be configured in the Admin Console for Enterprise and Enterprise+ tiers by selecting the Security tab in the sidebar and then clicking Reactivation settings. Here Enterprise and Enterprise+ organizations will be able to select to turn this feature on or off. If you choose to turn this setting off, you will still be able to restore data access manually. Only Super Admins will be able to turn this feature back on once it's switched off.
For Business and Premium organizations this feature will automatically be selected and cannot be turned off.
User's reactivation only happens after the user accepts their invite or completes signing up for Asana on the website. Inviting a user by itself doesn't reactivate the user.
Automatic reactivation will only be available for users who were deactivated less than two years ago.
Automatic reactivation does not apply to guest users.
Restore a deactivated member by finding their name in your member’s tab. Then click the three dot icon and select Restore.
From the next window, select Restore.
If your reactivation fails, the admin for your organization will receive a task asking them to reach out to our Support team.
Filter by member type
From the Members tab of your admin console, you can filter your member list by member type. To do this click on the drop-down arrow next to the member type filter and choose from All, Admin, Member, Guest, Invited or Removed.
The Team access tab on a member's My Settings gives admins insight into what specific users have access to and the ability to edit membership status.
From Edit profile settings admins can navigate to a member's My Settings to access and manage teams.
To access a member's My Settings:
- Click on the three dot icon across from a selected member to view options
- Click on Edit profile settings from the drop-down list
From here navigate to Team Access where you can browse teams, edit team access and add or remove members from teams.
Click on Team Access to:
- View the teams a user belongs to
- Add a user to any team in the organization
- Untick to remove the user from any team
- Save changes after any updates
Sort members by name, type and last activity
You can also sort your member, guest type and last activity by name (alphabetical order or reverse alphabetical order)so that you can see how recently anybody has last logged into the organization or if there are any outstanding invitations.
Export membership data to CSV
To export membership data to CSV:
- Click on the three dot icon from the Members tab
- Click Request CSV of Members
You will then receive an email message with the link to download.
The CSV file downloaded has the following fields:
- Email address
- Date joined organization
- Invited by
- Inviter email
- First login date
- Login method
- MFA state
- Last activity
- Number of teams
- Number of projects
From the Teams tab, you can:
- Create a new team in your organization
- View each team's name, number of members, privacy permissions, creation date & creator
- Edit a team by hovering over the three dot icon next to the Created by field and clicking the Edit team option that appears
Export team data to CSV
Super admins of a paid organization or a division can export their team list to CSV through the teams tab of their admin console.
To export team data to CSV:
- Navigate to Teams tab
- Click on Export CSV
You will then receive an email message with the link to download.
The CSV file downloaded has the following fields:
- Member count
- Created on
- Members (email)
- Limited access members (email)
- Pending invite (email)
CSV exports of organizations and divisions allow admins to keep track of which departments are using Asana to monitor seat usage and maintain the central billing within IT. The department or team field can be pre populated using our SCIM integrations with Azure AD and Okta.
Large organizations can benefit from CSV exports when trying to facilitate departmental chargebacks.
Team privacy settings
When set, this will be the pre-selected option when creating a new team. Team creators can still create teams with other privacy levels as they choose.
To set your default privacy settings navigate to your admin console and click on the Security tab. Then, click on Team privacy settings.
From the next tab, you can select your default setting.
Manage time periods
Asana sets up a default fiscal year for all organizations, and new goals will immediately have time periods attached. These time periods help you to align Asana with your fiscal year, and can be used for company and team goals. The default annual start date is January 1st, but you can use your admin console to change this.
From your admin console, click into the Settings tab and then Time periods From there select the time period to match your organization's annual operating rhythm and choose when you want this time period change to begin. Time periods are organization-wide and you will need to be an organization-wide admin to update these time periods. Only organization and workspace admins can update time periods through the admin console, all other admins will need to contact support to update time periods.
Individual users can also manually add time periods to existing goals. When admins make changes to their fiscal year, those changes are reflected and applied across all goals where there is no custom due date, or is different from the time period date range.
Manage billing information
The information contained in this section specifies that admins and super admins can now manage subscriptions and access billing information, just as the billing owner can. Please note that this ability has only been rolled out to auto-pay customers. Manually invoiced plans may still only be managed by the billing owner.
Both billing owners and admins of paid organizations can access billing information through the admin console. If an admin makes changes in the billing tab, the billing owner will receive an email notification.
You can find more information on how to review and update your admins here.
From the billing tab, you can:
- Change your subscription type or cancel your plan
- Update your billing information and add a payment method
- View and download your latest invoice or your invoice history
- View your seat utilization and add or reduce seats
- Reassign billing ownership of the account
- Contact our support team
The options above may vary depending on your plan type.
View and download invoices
Billing owners and admins can view and download all past invoices.
You can view your latest invoice and your invoice history under Invoices in the Billing tab of the admin console. You also have the option to download all invoices for a particular year.
To access your invoice history:
- Click on Invoice history
- View All invoices
- Click on the download symbol to download the year in bulk or select a particular month
Change or edit your plan size and tier
To change your plan:
You must be the plan's billing owner or an admin in order to edit its size or change tier.
From the security tab super admins can manage the following:
- Enable or disable Google SSO for your organization
- SAML authentication
- Two-factor authentication
- Set how long members can stay signed in to Asana
- Password settings
- Set password requirements for organization members
- Force organization-wide password reset
- Admin controls
- Guest invite settings
- File attachment options
- Team privacy settings
- Read-only link sharing permissions
- Forms access permissions
- Reporting permissions
- Video recording permissions
- Time tracking permissions
- Admin access: Determine who the admins are for your organization.
- Data residency
- Mobile Apps
- Mobile data controls are available to Enterprise customers.
Manage organization admins
From your admin console, you can determine your organization’s admins and super admins.
Organization admins have edit access to the company’s mission statement.
Visit our pricing page for more information.
You can choose your password strength by clicking into the Security tab of your admin console and clicking on Password strength.
You can choose between a simple and strong password. Simple passwords must have at least 8 characters and strong passwords must have at least 8 characters and must include characters from at least three of the following types: lowercase, uppercase, numbers, and special characters.
Changes to the password strength will only affect newly created passwords.
Organization-wide password reset
From the admin console, you can force an organization-wide password reset for users that have access to your organization.
1. Members or guests who have an Asana password will be logged out. They will then receive an email with a password reset link and be forced to choose a new password before logging in again.
2. Members or guests who do not have an Asana password will only be logged out.
3. Members or guests who log in with SAML or Google SSO and don't have an Asana password will only be logged out.
Users who initially signed up to Asana by setting a password and have since upgraded to login with SAML or Google SSO will receive an email asking them to reset their password. This will have no effect on their SAML/Google SSO password.
Individual password reset
Guest invite controls
Super admins of Asana Enterprise and Enterprise+ tiers, as well as legacy tier Legacy Enterprise organizations or divisions can control who can invite organization guests (those without a company email address) into your Asana organization. Super admins can select one of the three options below to decide who has the ability to invite organization guests:
Admins & organization members
Everyone (this includes both organization members & guests)
If you'd like to enable one of these options for your organization, you can do so by accessing the Admin Console and then navigating to the Security tab.
To access the guest invite controls:
- Navigate to the Security tab of the Admin Console
- Under Admin Controls, click Guest invite settings
From here, you need to:
- Select one of the guest invite options
- Click Save changes
Once this has been enabled, those who no longer have the ability to invite organization guests will receive an error message when trying to do so in Asana.
If you are not the super admin, you can find your organization's admin(s) by clicking on your profile photo in the top right corner, accessing the Admin Console and viewing the super admin under the Members tab by selecting Admin from the Member type dropdown arrow.
Trusted guest domains
Available on the Asana Enterprise+ tier.
Admins and super admins can make use of the trusted guest domains feature, allowing them to create a list of approved external domains from which users with guest invite permissions can invite guests. See the section above on guest invite controls for more.
Guest invites can only be sent to those email domains on the approved list, ensuring greater security and control over your organization's collaborations. If a user attempts to send a guest invite to someone from an unlisted domain, they will receive an error message.
Setting up trusted guest domains
Trusted guest domains can only be enabled if guest invite permissions are set to Admins and members or Admins, members, and guests. The feature cannot be activated if guest invite permissions are set to Admins only.
- Navigate to the Security tab of the Admin Console.
- Under Admin Controls, click Guest invite settings.
- Within the Trusted guest domains section, select Only trusted domains.
- Click Add domains and type in the domains you trust. Hit Add domains again to confirm.
Ensure the domains are an exact match. Adding the domain acme.com does not cover subdomains like app.acme.com or acme.co.uk. Such subdomains must be added separately.
Removing trusted guest domains
Find the domain in the list you want to remove, click the trash icon, and confirm your choice by pressing save.
Deactivating the trusted guest domains feature:
To revert the settings, simply switch the trusted guest domains control back to Any domain.
Mobile data controls are available on Asana Enterprise and Enterprise+ tiers, as well as legacy tier Legacy Enterprise.
Add additional security to the Asana mobile apps (iOS and Android) to protect your organization’s data while enabling your team to work and collaborate from anywhere.
As a super admin, you can utilize the following mobile data controls for your organization:
By activating biometric authentication, you can allow users to unlock Asana on mobile devices using their fingerprint or facial recognition. You can set the frequency at which users will need to re-authenticate.
Screen capture permissions (Android only)
Choose whether users in your organization can take screenshots of the mobile app.
Restrict downloads or the ability to share attachments in Asana on mobile devices.
Restrict the Asana home widget on mobile devices, so users are unable to view tasks directly from the phone’s home screen.
Copy and paste permissions
Limit copy and paste permissions in the mobile app.
Security contact email
Super admins for paid organizations have the ability to add a security contact e-mail in their admin consoles to receive security updates from Asana. This feature means that Asana knows where to send these important communications.
Super admins for paid divisions can access this feature by contacting our support team.
As a super admin for a paid organization, log into the Asana account with the super admin role for your organization. From there navigate to the admin console, then click Security in the sidebar and then click Security Contact Email.
Enter the email address you would like Asana to send communications to regarding security.
Super admins must first log in with their Google account in order to enable Google SSO. If you logged in with email and password, simply log out and in again using the blue Use Google Account button instead.
When you click Google Apps Authentication in the Security tab, you can:
- Set Google Sign-in as either optional or required for all members
- Once you've chosen an option, click Save Configuration
Organization guests can always log in with email and password, regardless of whether Google SSO is required for members or not.
SAML session timeout
Super admins can set SAML session timeout between 1 hour and 30 days in the admin console. Members will be automatically logged out and asked to log in again after the specified timeout set.
From the settings tab, you can:
- Change the name of your organization
- View or change your organization’s list of verified domains
- Request an export of all the data in your organization as a JSON file
Admin Controls for artificial intelligence features
Asana Intelligence features use artificial intelligence (AI) to sort, filter, categorize, or otherwise analyze data and/or content to help users in your organization optimize their work.
To learn more about what data is used and which AI-powered features can be administered by admin controls, please refer to this Help Center article.
Customers can choose to enable Asana Intelligence features for their organization. If Asana Intelligence features are not enabled:
- The users in the organization will not have access to the AI features.
- The organization's data will not be processed to power these features.
Super admins can enable or disable Asana Intelligence features as follows:
- Click your profile picture in Asana and navigate to the Admin console
- Click the Settings tab
- Under Domain settings select Optimize with Asana Intelligence
From this window you can choose to enable or disable Asana Intelligence for your entire organization/domain by checking or unchecking the appropriate box.
If you are an admin of an organization that does not have any super admins, you can disable these features, but cannot enable them again. To enable them, you will need to complete the super admin verification process or contact the Support team. A warning banner will be displayed in-product before an admin makes this change.
To learn more about how Asana processes your information, see Asana’s Privacy Statement.
Visit this Help Center article to learn more about Asana Intelligence.
Profile field editability controls
Visit our pricing page for more information.
Asana has SCIM integrations with leading identity provider platforms that enable customers to import user profile information such as title and department into Asana. As this information is imported from identity systems, admins may want to control whether or not users can edit this information in Asana using profile field controls.
Super admins can choose which profile fields users can edit by going to Admin console > Security > SCIM-related settings > User profile settings
We only recommend restricting users from editing this information in Asana if your organization is syncing user profile fields via SCIM to Asana. Otherwise, users will lack the ability to add this information to their profiles.
Admins can still update locked attributes on behalf of other users by making changes to the users’ profiles from the Members tab in the admin console.
Super admins can toggle profile field editability controls on or off for Job title or Department or team.
When super admins have restricted edits to Job title and Department or team fields, users will see these fields locked for edits when they go to their profile settings.
Super admins can request an export of all the data in your organization as a JSON file. You can do this from the settings tab of your admin console. Please note that domain export feature is only available on Asana Enterprise+ tier, as well as legacy tier Legacy Enterprise.
Super admins can choose to export only text, or export text and attachments.
Certain attachment types including video transcriptions, cover photos for forms, and user profile pictures are not currently included in the attachment export. If you require data that you aren't able to export, please contact us.
App management and integrations
Visit our pricing page for more information.
App management provides organization super admins the ability to monitor and control the apps, personal access tokens (PATs) and service accounts that are active in their domain.
Division admins and non-super admins users will not have access to this feature
Super admins can now self serve the following in the admin console:
- See which apps are connected and have access to data in the domain
- Block certain apps from being used by users in the domain
- Place a domain in 'approval mode' where no apps are allowed unless explicitly approved by the super admin
- Manage service accounts
- Allow or disallow the usage of PATs in the domain.
- Allow or disallow rules from being triggered by web requests from external services.
If you have additional queries around feature blocking or controls, please reach out to your Customer Success team contact or Asana Support.
To learn more about service accounts take a look at our service accounts article.
Viewing connected apps
- Navigate to the admin console
- Navigate to the Apps section in the left sidebar and you should land on the Manage apps, Connected apps tab. This will show a list of all the apps connected by users in the Asana domain along with when the app was last used in this domain (this takes 24 hours to update)
Clicking on any of these will bring you to an app's page. This is populated with details about the app. Details include:
- Brief description of the app if available
- Recent usage stats
- Permissions granted to the app
Global app settings
A super admin should decide how they want to manage apps. There are 3 main modes of control which can be found in the global app settings page.
Allow all apps (default)
Admins can manage a list of blocked apps, otherwise all apps can be used by default
Require app approval
Admins manage a list of approved apps. Apps cannot be used unless it is on a list of approved apps.
External automation permissions
Admins can allow or disallow rules from being triggered by web requests from external services.
If an organization is in "require app approval" mode, and a guest using an app that is not approved joins the organization, the app will be blocked from working and the guest will be notified by email.
This is used to explicitly block apps.
- Navigate to the apps page of a specific app from the Connected apps page
- Click the Block button
This will prevent all users in the domain (members + guests) from being able to connect to and use these apps. Existing users may see errors and the app may cease to function. For users in multiple domains, the block will prevent them from using the app in any of their domains
Navigate to the apps page of a specific app from the connected apps page Click the Unblock button. If your organization is in “require app approval” mode (see below), you will unblock by approving the app instead.
Once blocked existing users may be required to re-setup/reauthenticate depending on how the app behaves
If the organization is in the “require app approval” mode, users will be prevented from connecting any apps that are not on the approved list which super admins can manage. Users will instead see a message with an option to request admin approval.
If the user clicks Send request, an email will be sent to the desired email addresses as configured on the global app settings page. By default this is all super admins but can be configured.
The admin will receive an email similar to the above example.
Clicking Manage app in Asana will take the super admin to the app details page to be able to approve the app.
The requesting user will also receive an email letting them know that their admin has been notified. The user’s email address is also included in the app request email. We recommend having a process in place to monitor requests that come in and/or notifying users on what the next steps may be depending on how your company handles this.
Available on Asana Enterprise and Enterprise+ tiers, as well as legacy tier Legacy Enterprise.
Organization admins can now view a list of all apps that have been requested. To view all approval requests:
- Navigate to the Admin Console and click on Apps in the left bar.
- Select Manage apps and choose the Approval requests tab.
Managing personal access tokens
Personal access tokens can be used by users in the organization to create their own scripts and automations. Personal access tokens have access to whatever the creator has access to. A list of active personal access tokens that have access to your organization, the user that created it, and the last time the token was used in your domain can be viewed on the Personal access token page.
Admins can revoke personal access tokens on demand by clicking the Revoke button. Once you revoke a personal access token (PAT) the token will be deleted, and can no longer be used. The developer who created the token will receive an email letting them know their PAT has been removed.
Personal access tokens can be enabled or disabled for the domain from the Global app settings page
Disabling personal access tokens will cause all existing personal access tokens belonging to users in their organization to be revoked and blocked. This may cause disruption to users so super admins should let users in their organization know before this is done.
Set default expiration for personal access or service account tokens
Super admins of Enterprise organizations can now set a default expiration date for all personal access tokens or service account tokens that users create in their organization.
Tokens have a default expiration of 10 years, however super admins of Enterprise organizations can now set tokens to expire within either 30, 60 or 90 days.
How can I change the default expiration date?
Super admins can update this setting as follows:
- Navigate to the Admin Console and select the Apps tab.
- Under Global App Settings you will find two options for setting expiration times under Token expiration.
- If a new option is selected, all existing tokens will have the new expiration policy applied.
- For existing tokens: if an expiration date of 30 days is selected, tokens created in the past will be set to expire 30 days from when the policy is set.
- Newly created tokens: all newly created tokens will be set to expire 30 days after they are created.
- If a member with existing tokens is added to your organization (like a guest), those tokens will expire immediately.
- If an expiration date is set, developers will get a warning 7 days before their token expires along with a warning when the token expires.
- If the token expiration is set to 30 days and is then extended from 60 or 90 days, or back to the default, the token will expire within the original 30 day policy. Asana will not push the token dates out. The expectation is that the strictest expiration setting will apply. In this case, newly created tokens will follow the new policy’s expiration date.
- However if an expiration date is reduced, (from 90 days to 30 days for example), the token will expire based on the stricter, 30 day expiration.
From the resources tab, you can:
- Connect your team with onboarding tutorials and tips to help get started in Asana
- Find resources to help your team master and discover new ways to use Asana
- Explore and understand admin features
Disabling file attachments
The disabling file attachments feature allows super admins to ensure that Asana implementations across their organization meet all security and consistency requirements related to blocking any file attachments that are restricted as per their company’s security policies and preferred file integrations.
This feature gives better controls at a domain level to ensure strict upload policies in accordance with their organizational requirements.
IT admins will also have a quick way to enable or disable one or more or all of computer, Dropbox, Google Drive, Box and Onedrive / Sharepoint upload sources as per their company’s IT security policies and have it applied across all Asana product surface areas where attachments can be added.
How to access your file attachment options
Super admins can access their file attachments options settings through the Security tab of their admin console.
When you’ve opened the Security tab, scroll down to Admin controls and then click File attachment options.
The default setting is all attachments are enabled.
From the next window, you can select your file attachment preferences.
Unchecking “Allow attachments from Asana apps, API, and other features”
Deselecting this will disable attachment types on
- Web attachments
- Copy and paste
- Drag and drop
- Email forwarding
Disabling attachments from third party apps
To prevent the ability to attach files from third-party apps, you can block them from the Apps tab or select the desired app from the pop-up window. This means that the ability to add attachments from Dropbox, Google Drive, Box, and OneDrive/ SharePoint will no longer be allowed.
Disabling attachments on mobile
There’s no differentiation on the mobile app on attachments between uploads from third party apps and attachments from the device. This is because everything downloads to the device first.
The only way to disable on mobile is by disabling allow attachments from Asana's apps, API, and other features.
Like what you see? Get started with a free 30 day Asana trial today.