The global admin console provides a single surface for enterprise administrators to administer and operationalize OpenAI products from one place, including identity and access, analytics, agents, and governance. Access to the global admin console is currently limited to workspace owners and admins on ChatGPT Business and ChatGPT Enterprise plans.
Introduction
The Global Admin Console introduces a new level of hierarchy in the organizational structure: the Tenant. A single Tenant can contain support the following:
One or multiple ChatGPT workspaces
One or multiple API Platform organizations
Multiple verified domains
A single SSO connection
One or multiple Tenant Admins
The Global Admin Console also introduces a new, global role: Global admins. Global admins are able to:
Manage (add/remove/verify) domains
Set up SSO across their ChatGPT workspaces, API Platform organizations, and the Global Admin Console itself
Add or remove additional users as Global Admins
Change the name of their Tenant
This will impact the connection name that their users will see when logging in with SSO
Navigating the Global Admin Console
In the following sections, we will walk through each of the pages currently available in the Global Admin Console.
Overview
The Overview tab provides a high-level view of the current components of your Tenant. It allows you to see which workspaces and organizations are currently a part of the Tenant and navigate to the additional Tenant settings.
Access
The Access tab is your centralized hub for SSO management.
Domains
The Domains section allows you to add and remove verified domains. Please refer to our documentation page here for a walkthrough on verifying a domain.
As mentioned previously, a unique domain can only be verified once. If you attempt to verify a domain and receive a message indicating it is already in-use, please reach out to Support for further assistance.
Domain Eligibility and Mapping
Domain Mapping allows you to choose which of your verified domains apply to different workspaces and organizations within the Tenant. Mapped domains apply to the following features:
SSO
(ChatGPT) Automatic Account Creation
(ChatGPT) External Invites
(ChatGPT) Account Merges
In order for SSO to apply to a particular workspace + domain, you must ensure that the domain is mapped accordingly. If SSO is only enabled for the workspace or organization, but no domains are mapped, then the connection is effectively inactive.
When you first verify a domain, we default it to Not Mapped to help ensure that it doesn't immediately apply to your workspaces or organizations and potentially lock out users before you're ready.
You can choose between mapping the domain to All Workspaces/Orgs or else a subset of workspaces. While mapped domains can be applied on a per-workspace basis, they apply globally across all API orgs (even those outside of the Tenant). This is because API Platform SSO remains entirely domain-based, compared to ChatGPT SSO which is workspace-and-domain-based:
Let's take a deeper look into each of the remaining features addressed by domain mapping. Please note that both Automatic Account Creation and External Invites are configured at the workspace level rather than directly from the Global Admin Console.
Automatic Account Creation (AAC)
When enabled on a ChatGPT workspace, a new user whose email matches the verified domain(s) will automatically receive an invitation to the Enterprise workspace when they sign up.
If you have mapped a domain to multiple workspaces, the user will automatically receive invitations to each workspace.
We do not recommend enabling AAC if you are using SCIM.
Keep in mind that if AAC is enabled, all users with a matching, verified domain will be forced to merge any preexisting personal accounts into the Enterprise workspace. Review our documentation page here for more information.
External Invites
This setting controls whether or not users with non-verified domains can be invited to the workspace. Users from external domains will not be required to log in through SSO, as SSO settings only apply to users belonging to the verified domain(s).
Account Merge
Please review our documentation page here to better understand how the Account Merge implementation looks, along with its corresponding logic.
Single Sign-On (SSO)
The Single Sign-On section allows you to establish a single SSO connection which you can then apply to all of your Tenant’s API organizations as well as select ChatGPT workspaces. You can follow our documentation page here to establish a new SSO connection, or use the Manage SSO button to modify an existing connection.
Once you’ve successfully established an active SSO connection, you must ensure the following to successfully apply it:
The SSO connection is enabled on ChatGPT or the API
Your verified domains are mapped to the workspace or organization
Both ChatGPT and the API Platform allow for the following SSO settings:
Required:
Optional:
Off:
When SSO is off, ChatGPT and Platform users can log in with Social Authentication or Password.
Note: Customized Workspace SSO settings take priority over the general workspace setting. For example, if your Workspace SSO settings are “Required,” then you can still customize an individual workspace to “Optional” and have the latter take precedence.
ChatGPT SSO Settings
You now have the ability to customize the application of your SSO connection across multiple workspaces within the Tenant:
The custom setting options mirror the options available on ChatGPT itself. As mentioned previously, the custom SSO settings defined on a single workspace take precedence over the global ChatGPT SSO settings:
Platform SSO Settings
Similar to ChatGPT, you can choose how to apply your SSO connection to your API organization(s). The key difference is that Platform SSO remains domain-based at this time. This means that when SSO is enabled (required or optional), it applies to all Organizations both within your Tenant and outside your Tenant:
As a result, we do not allow for customization of SSO on API Platform organizations.
Admin Portal SSO Settings
The Admin Portal SSO Settings determine how Tenant Admins log into admin.openai.com. The options follow the same logic discussed in the above SSO section.
Manage Invites
At this time, the Manage Invites section is a work-in-progress and a view of what’s to come. We plan to add support for user provisioning and management (both directly and via SCIM). Thank you for your patience while we work to add support for this functionality.
People
The People tab shows all of the users across your Tenant’s various workspaces and organizations. From the default view, you can search for specific users by name or by email, and have the ability to promote individual users to be Tenant admins:
Additionally, you can view the access that each user has across the different Tenant workspaces and organizations:
Analytics
The "Analytics" area helps admins review adoption and usage from one place. Admins can compare trends over time, review active-user and message activity, and drill into views for GPTs, projects, skills, and users, including metrics such as total messages, active users, tool interactions, connector interactions, and workplace health.
Dashboard
The Dashboard section provides an overview across Workspace Agents and Codex, giving admins a high-level view of adoption and usage from one place.
Leaderboard
The new Leaderboard section helps eligible admins compare adoption and activity across users from the console. It highlights user-level usage across Workspace Agents and Codex, so admins can identify top users, understand where adoption is concentrated, and view key metrics such as tokens used, credits consumed and lines of code written.
Codex
The new Codex section in Analytics gives eligible admins a concise Codex-specific view of usage in the console. It shows Codex adoption and activity, such as active users, completed runs, token and credit usage, lines of code generated, plugin calls, access tokens, and code review activity where available.
Access follows the existing Codex analytics availability for Enterprise, Edu, and Business workspaces: workspace owners, admins, and analytics viewers (Enterprise only) can view Codex analytics such as credit usage and code review. Note that export functionality has not been added in yet - to export data, use the Analytics tab in Codex settings on web.
Learn more about workspace roles in ChatGPT Business and ChatGPT Enterprise.
Workspace members can view their personal Codex usage in Codex settings on web.
Agents
The “Agents” area helps admins understand which workspace agents exist across their organization and how they are being used. Admins can open an agent to review details such as its Agent ID, move into the Builder to edit it, inspect recent activity, connected apps, and memory files, manage schedules, and review agent analytics such as unique users and runs over time.
Adding/Removing Workspaces and Organizations
If you would like to add or remove additional workspaces or organizations from your Tenant, please reach out to support@openai.com for assistance.
Troubleshooting Global Admin Console
"Unable to login / You are not a global admin" error
Membership to the Global Admin Console is separate from membership to workspaces and organizations. It's likely that other workspace and organization owners are global admins and can invite you. If not, please ensure you are an owner of each of your workspaces and organizations, then reach out to support@openai.com with the IDs for each organization and workspace. These identifiers can be found at platform.openai.com/settings/organization/general and chatgpt.com/admin respectively.