
Admins remove members from the **Team** settings page. The removed user's membership is deleted immediately, but an already-signed-in browser session can remain valid for up to 24 hours. You cannot remove yourself.

ADO Pilot has three organization roles. The **Role permissions** card on the **Team** settings page in the dashboard shows each role's description.

- **Admin** — Full access to all settings, billing, team management, and repository configuration.
- **Member** — Can view reviews. Cannot configure repository settings, change organization settings, manage members, or change notification settings.
- **Viewer** — Read-only access to review history and repository status. Cannot change settings.

| Capability                                  | Admin | Member | Viewer |
| ------------------------------------------- | ----- | ------ | ------ |
| View dashboard, reviews, and findings       | Yes   | Yes    | Yes    |
| View repository status and integration page | Yes   | Yes    | Yes    |
| View team members                           | Yes   | Yes    | Yes    |
| View pending invites                        | Yes   | No     | No     |
| View billing and subscription               | Yes   | Yes    | Yes    |
| Configure repository settings               | Yes   | No     | No     |
| Change notification settings                | Yes   | No     | No     |
| Test webhooks                               | Yes   | No     | No     |
| Invite team members                         | Yes   | No     | No     |
| Cancel pending invites                      | Yes   | No     | No     |
| Remove team members                         | Yes   | No     | No     |
| Start Stripe checkout                       | Yes   | No     | No     |
| Open the Stripe billing portal              | Yes   | No     | No     |
| Change the overage cap                      | Yes   | No     | No     |

## Remove a member

{% steps %}

### Step 1 — Open the Team page

In the dashboard, go to **Settings → Team**.

### Step 2 — Find the member

Locate the row in the **Members** list. Double-check the email — a confirmation dialog will ask you to confirm before the removal takes effect.

### Step 3 — Open the row's action menu

At the end of each member row is a three-dot dropdown trigger (the `⋯` icon). Click it to open the action menu, then choose **Remove member**. A confirmation dialog ("Remove [member name]?") appears — click **Remove member** to confirm or **Cancel** to abort. Once confirmed, access is removed immediately and cannot be undone. The user account itself is preserved on a successful removal so review history and audit logs stay intact.

{% /steps %}

## What changes immediately

As soon as removal succeeds:

- Their membership row is deleted and the org pointer on their account is cleared, so a fresh sign-in has no org to land in. An already-open browser session is **not** invalidated immediately — see [The 24-hour stale-session window](#the-24-hour-stale-session-window) below.
- Removing a member has no effect on billing. ADO Pilot bills by monthly review credits (RCs), not by the number of team members — see [Plan tiers](../billing/plan-tiers.md).
- They no longer appear in the **Team** page or in audit lists for this org.

Removal affects only this org. It doesn't touch the person's underlying ADO Pilot account, which they're still free to use to sign in to — or later join — a different org.

## The 24-hour stale-session window

ADO Pilot's portal authenticates with a JWT-strategy session whose `maxAge` is 24 hours. A removed user retains their session for up to 24 hours **from when they last signed in** — not from the moment of removal — and the role and org membership baked into the JWT are not re-validated on every request. In the worst case the cookie is brand-new at removal time and stays valid for nearly the full 24 hours; if they signed in earlier in the day, the remaining window is correspondingly shorter.

In practice this means:

- A removed user's open browser tab can still load pages it has already cached and replay requests that the server-side authorization layer happens to allow.
- A removed **member or viewer** still gets the usual 403 on admin-only mutations, since their JWT no longer carries an admin role. A removed **admin**, however, keeps their admin role baked into the JWT and can still perform admin actions on this org until the session expires — which is exactly why an emergency lock-out needs the IdP step below, not just removal from ADO Pilot.
- Once the user signs out, closes the tab, or hits the 24-hour expiry, they can no longer access this org. A fresh sign-in still succeeds — the account itself is not disabled — but finds no membership record, so it lands in the signed-in-but-no-org state instead of this org's dashboard.

{% callout type="warning" title="If you need a hard cut-off" %}
Removing a member does not invalidate their existing session token. If you need to lock someone out immediately — for example, a compromised account or an emergency offboarding — rotate or revoke their identity provider credentials at the IdP (Microsoft Entra, Google Workspace, etc.) in addition to removing them from ADO Pilot. The next page load will then fail at sign-in even within the 24-hour window.
{% /callout %}

## You cannot remove yourself

In the dashboard, the **Remove member** option is greyed out for your own row, so you can't start this action there. The remove endpoint also refuses it server-side as a backstop: whether a direct API call targets your own user ID or the literal sentinel `self`, the response is:

- HTTP `400`
- Body: `{ "error": "Cannot remove yourself" }`

This is intentional — leaving an org with no admins would lock everyone out of billing and team management. To leave the org yourself, ask another admin to remove you. If you are the only admin, you cannot remove yourself — first promote another member to admin using the **Change role** option in the three-dot action menu, then ask them to remove you (or remove yourself once you are no longer the last admin). Contact ADO Pilot support if you need further help restructuring your org's admin access.

## Last-admin protection

In the dashboard, **Remove member** (and **Change role**) are greyed out for the last remaining admin's row, so you can't start the action there either. Attempting it directly against the API returns an error:

- HTTP `409`
- Body: `{ "error": "Cannot remove the last admin" }`

At least one admin must remain in the org at all times. To remove the last admin, first promote another member to admin using the **Change role** option in the three-dot action menu, then remove the original admin.

## Re-adding a removed member

A removal is final but not permanent — you can invite the same email back at any time. See [Inviting team members](./inviting-members.md). The new invite creates a fresh membership row when accepted; prior review history attributed to that user remains in your org's audit trail under their original user ID.


