# Manage user batched `PATCH https://api.airtable.com/v0/meta/enterpriseAccounts/{enterpriseAccountId}/users` Batch manage enterprise account users. One of `id` or `email` must supplied in the body. If both are supplied, `id` will be used as the identifier in changing user email to the `email` specified in the request. *WARNING:* We recommend performing actions on up to 10 users at a time to avoid timeouts. Though we currently do not enforce a limit on the number of users you can manage at once, we are monitoring the performance of this endpoint and may enforce a limit in the future. ## Requirements - **Authentication:** [Personal access token](https://airtable.com/developers/web/api/authentication.md#types-of-token), [OAuth integration](https://airtable.com/developers/web/api/authentication.md#types-of-token) - **Scope:** [`enterprise.user:write`](https://airtable.com/developers/web/api/scopes.md#enterprise-user-write) - **User role:** Enterprise admin - **Billing plans:** Enterprise (pre-2023.08 legacy plan), Enterprise Scale ## Path parameters - `enterpriseAccountId: string` ## Request body - `users: array` — required - `id: string` — optional A user ID - `state: "provisioned" | "deactivated"` — optional [provisioned](https://airtable.com/developers/web/api/org-management-glossary.md#provisioned-user) | [deactivated](https://airtable.com/developers/web/api/org-management-glossary.md#deactivated-user) Can only change the state of [managed](https://airtable.com/developers/web/api/org-management-glossary.md#managed-user) users. - `email: string` — optional Enterprise account must own both the original and destination email domains. *WARNING:* If SSO is required for your enterprise account, you must follow these steps precisely to avoid locking the end user out of their account or creating duplicate accounts. - Use this API to update the user's email to a new value (this effectively logs the user out) - Use your SSO provider's (e.g. Okta's) admin panel to update the user's email to the new value - Tell the user to log into Airtable with the new email - `firstName: string` — optional - `lastName: string` — optional ## Response format - `errors: array` — required - `id: string` — optional A user ID - `type: string` — required - `message: string` — required - `email: string` — optional - `updatedUsers: array` — required - `id: string` — required A user ID - `state: "provisioned" | "deactivated"` — optional Only returned if it is provided in the request body. - `email: string` — optional Only returned if it is provided in the request body. - `firstName: string` — optional - `lastName: string` — optional ### Example — Success response ```sh curl -X PATCH "https://api.airtable.com/v0/meta/enterpriseAccounts/{enterpriseAccountId}/users" \ -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ --data '{ "users": [ { "email": "foo@bar.com", "id": "usrL2PNC5o3H4lBEi", "state": "provisioned" }, { "id": "usrsOEchC9xuwRgKk", "state": "deactivated" }, { "email": "foo@bam.com", "id": "usrL2PNC5o3H4lBEi" }, { "email": "bam@bam.com", "state": "provisioned" } ] }' ``` ```json { "errors": [ { "id": "usrqccqnMB2eHylqB", "message": "User not found", "type": "MODEL_ID_NOT_FOUND" }, { "email": "foo@bam.com", "message": "Email not found", "type": "NOT_FOUND" } ], "updatedUsers": [ { "email": "foo@bar.com", "id": "usrGcrteE5fUMqq0R", "state": "provisioned" }, { "id": "usrsOEchC9xuwRgKk", "state": "deactivated" } ] } ``` ## Error responses ### 403 **Action on self failure** — Don't deactivate yourself or you might lose access. If action must be performed, add another admin. ```json { "error": { "message": "Cannot perform action on self", "type": "INVALID_PERMISSIONS" } } ``` **External user account** — Cannot modify external user state since they are not considered part of the enterprise account. ```json { "error": { "message": "User does not belong to the enterprise email domain", "type": "INVALID_PERMISSIONS" } } ``` **FLA account error** — The provisioned and deactivated states apply only to ELA and "claiming" enterprise accounts. FLA users are always provisioned. ```json { "error": { "message": "State modification is not enabled for FLA enterprise accounts", "type": "INVALID_PERMISSIONS" } } ``` **Non-managed user account** — Can only manage information of managed users. ```json { "error": { "message": "User is not managed by the enterprise account", "type": "INVALID_PERMISSIONS" } } ``` ### 422 **Email in use failure** — Email cannot be taken already. ```json { "error": { "message": "Email already in use", "type": "EMAIL_ALREADY_IN_USE" } } ``` **ID or email not specified** — Either id or email must be supplied in the request body. ```json { "error": { "message": "Invalid request: either ID or email must be specified. Check your request data.", "type": "INVALID_REQUEST_UNKNOWN" } } ``` **Must own target domain** — Enterprise account must own target email domain. ```json { "error": { "message": "Target email domain not owned by this enterprise account", "type": "TARGET_EMAIL_DOMAIN_NOT_OWNED_BY_ENTERPRISE" } } ``` **Service accounts must be on verified domains** — A service account email must be on a verified email domain ```json { "error": { "message": "Service Account must be on verified enterprise email domain", "type": "SERVICE_ACCOUNT_MUST_BE_ON_VERIFIED_DOMAIN" } } ``` **Two factor error** — Email cannot be changed while the user has two factor authentication enabled. ```json { "error": { "message": "Cannot change email when two factor authentication is enabled", "type": "CANNOT_CHANGE_EMAIL_WHILE_TWO_FACTOR_ENABLED" } } ```