2 Ways to Remove a User from a Group in Twingate

See two ways to remove a user from a group in Twingate, with practical options for managing group membership in your organization
The author of the article Chris Shuptrine
Aug 2025
2 Ways to Remove a User from a Group in Twingate

Need to remove someone from a Twingate group without breaking access for everyone else? Cleaning up group membership is key to least-privilege access and smooth offboarding.

In this guide, you’ll learn two practical paths: remove a user in the Twingate Admin Console, or manage membership in your IdP when groups sync to Twingate (Okta, Azure AD, Google Workspace). We’ll help you decide which method fits your setup and change scope before walking through the steps.

Table of Contents

Pro Tip: Too long? Ask ChatGPT to summarize →

Use Twingate’s UI

Here, you’ll use the Twingate Admin Console to remove a user from a group. This follows Twingate’s own docs for managing group membership in the UI.

Open the Admin Console

Sign in to the Twingate Admin Console with an admin account that can manage Teams.

Go to Groups

  • In the left menu, select Teams.
  • Click Groups.

Open the group you want to edit

  • Use search if you have many groups.
  • Click the group name to open its details.

Remove the user from the group

  • Go to the Members tab or section.
  • Find the user in the member list. Use the search field if needed.
  • Click Remove next to the user’s name. In some layouts, you may see an X icon or a three dots menu with Remove.
  • Confirm the removal if you’re prompted.

Save and confirm it worked

  • If there is a Save button, click it. Some changes save automatically.
  • Make sure the user no longer appears in the group’s Members list.

Verify access changes

  • Group membership updates take effect quickly. If the user still sees group-based access, have them:
    • Disconnect and reconnect the Twingate Client
    • Sign out and sign back in to refresh policy

If you can’t remove the user

  • You might see a lock icon or a note that the group is synced from your identity provider. Per Twingate’s docs, membership for synced groups is read-only in the Admin Console.
  • If you don’t see Remove, you may not have the right admin role. Ask an Org Admin or someone with Teams permissions to make the change.

Use Torii

Rather than working in Twingate directly, you can use Torii, a SaaS Management Platform, to remove user from group in Twingate. SMPs centralize SaaS app management and integrations, allowing teams to programmatically onboard/offboard users, view subscription and license details, and more.

Instead of a manual step in Twingate, Torii lets you automate the task so it runs whenever a defined event occurs. Triggers can include a new hire, a departing employee, a contract renewal, and similar events. This is especially useful if you need to repeat the action often, saving time and reducing errors.

To remove user from group in Twingate straight from Torii, follow these steps:

1. Sign up for Torii

Contact Torii, and request your free two-week proof-of-concept.

2. Connect your Twingate account to Torii

Once your account is active, connect Twingate to Torii (assuming you already have an account). Here are the instructions for the Twingate integration.

torii twingate dashboard

3. Create a Torii workflow for Twingate

In Torii, you can build automated workflows to remove user from group in Twingate. Go to the Workflows tab, choose a trigger, then add an action that will remove user from group in Twingate. From then on, whenever the trigger occurs, Torii will update Twingate automatically.

creating twingate workflows in torii

Frequently Asked Questions

Sign into the Twingate Admin Console, go to Teams > Groups, open the group, choose Members, remove the user, then save and confirm. If the group is IdP-synced manage membership in your identity provider, or automate removal with Torii workflows.

If a group is synced from your IdP, membership is read-only in Twingate. You must remove the user in Okta, Azure AD, or Google Workspace. After IdP changes sync, verify the user no longer appears in the Twingate group and their access is revoked.

Group membership updates apply quickly. If access persists for the removed user, have them disconnect and reconnect the Twingate Client or sign out and back in to force a policy refresh. Allow a short propagation window for larger deployments.

If you don’t see Remove, the group may be IdP-synced or you lack required admin rights. Confirm your role has Teams management permissions or ask an Org Admin to change membership. For synced groups, edit membership in your identity provider.

Torii connects to Twingate and runs workflows to remove users automatically based on triggers like offboarding, hire events, or contract changes. Set a trigger and action in Torii to programmatically update group membership and reduce manual errors.

Follow least-privilege principles: remove users from groups promptly, prefer IdP-managed group syncs for centralized control, and automate repetitive offboarding tasks with Torii. Regularly audit group membership and verify access is revoked after changes.