Labsco
openai logo

twilio-organizations-setup

✓ Official4,081

by openai · part of openai/plugins

Set up and manage Twilio Organizations for centralized account and user governance. Covers the Organization > Account > Subaccount hierarchy, roles (Owner/Admin/Standard), managed vs independent accounts, domain registration, SSO enforcement, SCIM provisioning, and Organization merging. Use this skill when managing multiple Twilio accounts or users across teams.

🧩 One of 7 skills in the openai/plugins package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

Overview

Every Twilio customer automatically gets an Organization when they sign up (auto-created since May 2024 for new signups; since June 2024 for existing paying customers). An Organization is the top-level container that groups accounts, users, and security policies. The creation has no effect on existing account functionality. Most developers never need to touch it — but as soon as you have multiple accounts, teams, or compliance requirements (SSO, HIPAA), Organization setup becomes essential.

Hierarchy: Organization > Accounts > Subaccounts

LayerWhat it isWhen you need it
OrganizationCentralized governance: users, accounts, domains, SSOMultiple teams or accounts, SSO, HIPAA designation
AccountApplication boundary: all Twilio products, resources, billing live hereAlways — you need at least one
SubaccountIsolated partition under an account: separate resources, consolidated billingMulti-tenant apps, per-customer isolation

Organization vs Subaccount — When to Use Which

DimensionOrganization (Managed Accounts)Subaccounts
ManagementConsole UI + Organizations APIREST API (/2010-04-01/Accounts)
BillingIndependent per accountConsolidated to parent account
Account limit10 per Organization (default)1 per unupgraded account; 1,000 per upgraded account (contact AE for more)
User managementFull lifecycle: invite, roles, SSO, SCIMNone — no user concept
SSO/SCIMSupportedNot applicable
HIPAA designationPer-account toggle in Admin consoleInherits from parent (new only)
Resource isolationSeparate accounts, separate credentialsSeparate but parent can access all
CostFreeFree

Rule of thumb: Use Organizations when different teams/users need separate billing and access control. Use Subaccounts when your application needs programmatic multi-tenant isolation with consolidated billing.


Organization Roles

RoleCapabilitiesLimit
OwnerFull control + sole authority to delete the Organization1 per Organization
AdministratorInvite/remove users, add/create accounts, modify settingsUnlimited
Standard UserAccess only to specified accounts — no org managementUnlimited (default)

The Organization creator is automatically assigned the Owner role.


Setting Up Your Organization

Find Your Organization

All Twilio customers have an Organization (auto-created at signup). Access it via:

  • Console > Settings (gear icon) — shows Organization settings, or
  • Twilio Admin link in the top-right navigation — opens the Organization admin panel

Add Accounts to Your Organization

Create a new account:

  1. Console > Admin > Accounts
  2. Click Create New Account
  3. Name the account, select Twilio or Flex usage
  4. Confirm — the account starts in trial mode with fresh defaults

Import an existing account:

  1. Console > Admin > Accounts > Add Existing Account
  2. Enter the account's SID (find it in Console > Account > General settings)
  3. The account owner receives an email and must confirm

Requirement: The account owner's email must match your Organization's verified domain.

Account Types

TypeDescription
ManagedOwned by your Organization — full lifecycle control
IndependentExternal account your users can access — you do NOT control it
PendingAdded but awaiting owner confirmation

Transfer Account Ownership

Only between managed users in the same Organization:

  1. Console > Admin > Accounts > select account
  2. Remove current owner, enter new owner's email or User SID
  3. Save

Domain Registration

Register your company's email domain to control how employees interact with Twilio.

Console > Admin > Domains

SettingBehavior
RestrictedUsers with your domain email can't sign up unless explicitly invited
Auto-enrollmentUsers who sign up with your domain automatically join your Organization
BlockedUsers with your domain email cannot join this Organization

Domain registration also enables Organization merging — the Prime org must have verified domains.

Important: Common domains (gmail.com, hotmail.com, etc.) cannot be verified — you cannot invite users from common domains. Enter domains without "www." (e.g., corporate.com, not www.corporate.com). You can verify the same domain under multiple Organizations (with restrictions) or use subdomains (stage.corporate.com).


SSO and SCIM

  • SSO: Enforce Single Sign-On at the Organization level via your identity provider (Okta, Azure AD, etc.). See SSO docs.
  • SCIM: Automate user provisioning and deprovisioning via the SCIM 2.0 API. See SCIM docs.

When SSO is enabled on a verified domain, all users with that domain email must authenticate via SSO.


Organization Merging

Combine two Organizations: the Prime absorbs the Candidate.

Requirements:

  • Prime must have verified domains
  • Candidate Owner's email must match Prime's verified domain
  • Candidate must have NO verified domains of its own

Post-merge: Candidate ceases to exist. All accounts and users transfer to Prime. Billing and functionality unchanged. If Prime has SSO enabled, it applies to merged users.


HIPAA Designation

Requires an executed BAA with Twilio. After BAA:

  1. Console > Admin > Accounts > select account
  2. Enable HIPAA flag
  3. Save

Each account must be individually flagged — existing accounts do NOT auto-inherit. New accounts created after designation DO inherit. See twilio-security-compliance-hipaa for full HIPAA guidance.


User Management

Users are separate from accounts. A user is defined by their login (email + password) and can own or have access to many accounts.

  • Users can only belong to ONE Organization — if they need access to multiple orgs, create a dedicated user per org (e.g., user+org1@corporate.com)
  • Owner's accounts are auto-added — any account owned by the Organization Owner is automatically added to that Organization and cannot be "independent"
  • New accounts by managed users are auto-added — accounts created by any managed user (Owner, Admin, Standard) automatically join the Organization
  • New user signup behavior is controlled by domain settings (Restricted/Auto-enrollment/Blocked)

Admin actions for managed users:

  • Reset password: Admin Center > Users > Managed Users > select user > Reset Password (logs out user, sends 24-hour reset link)
  • Reset 2FA: Admin Center > Users > Managed Users > select user > Reset 2FA (removes current 2FA number, prompts for new one on next login)
  • Bulk user import: Available via Admin Center (contact Support if not enabled on your Organization)

CANNOT

  • Cannot create accounts via API at the Organization level — Account creation within Organizations is Console-only. Subaccount creation via REST API is separate and lives under the parent account.
  • Cannot close or delete an Organization from Console — There is no self-service delete. To remove an Organization, merge it into another one.
  • Cannot transfer ownership to an independent user — Account ownership transfers are restricted to managed users within the same Organization.
  • Cannot merge Organizations if the Candidate has verified domains — Remove Candidate's domain verification first, or the merge will fail.
  • Cannot assume configurations transfer to new accounts — New managed accounts start with fresh defaults. Product configurations, phone numbers, and settings do not inherit.
  • Cannot manage independent accounts' lifecycle — You can grant your users access to independent accounts, but you cannot close, suspend, or modify them.
  • Cannot have multiple Owners per Organization — Exactly one. Transfer ownership before the current Owner leaves the company.
  • A user cannot belong to multiple Organizations — One user = one Organization. Use email aliases for multi-org access.
  • Cannot verify common email domains — gmail.com, hotmail.com, etc. are not supported for domain verification or user invitations.
  • Cannot invite users from unverified domains — Domain must be verified first before you can invite users with that domain email.
  • Billing is NOT consolidated at the Organization level — Each managed account is billed independently. For consolidated billing, use subaccounts under a single parent account instead.

Next Steps

  • Account and subaccount setup: twilio-account-setup
  • Authentication methods (API Keys, OAuth2): twilio-security-api-auth
  • HIPAA account configuration: twilio-security-compliance-hipaa
  • Credential security: twilio-security-hardening
  • Docs: Organizations overview | Managed accounts