Bitwarden for MSPs - How to structure clients

To start I want to say that I am in no way intending to bash Bitwarden in this post as they have designed a really nice product that does seem to work more reliably and has better features than most other products in this realm I have tried. That being said, I have a major migration pain that I am hoping someone has some insight on how to resolve.

I have been demoing Bitwarden in thinking about switching from Passportal (for a plethora of reasons). The only wall I am running into is a good path for how to structure the passwords for my clients. The suggested method by Bitwarden is to create a new Organization vault for each one. The problem here is that, while you can waive your existing employees' licensing fees for each client organization via request to support, they will only waive up to 3 of your internal users.

To use separate organization vaults, first you would have to send an invite to each of your employees who need access individually each time you added a new client vault. Second, you would be limited to only three employees per client instead of everyone that needs the access for day-to-day support.

If you go with collections to manage each client as opposed to Bitwarden’s (and the intuitive) route of separate org vaults, you run into a new problem: what if my user now wants to purchase Bitwarden licenses and get access to their passwords that you manage for them? You cannot do inter-organization sharing so you would have to add them as a seat in YOUR organization which seems wrong, leads to a mixture of clients and employees in the same org audit logs, but does get you the ability to use group-based access management for your team so you don’t have to keep inviting users.

I am curious how others are handling this situation. I really like Bitwarden more than Passportal but it seems like they never really considered how some MSPs work before blogging about how they are a great fit for all MSPs. I suppose, in their defense, there are MSPs who assign certain employees to certain clients, and orgs may work really well for them as you wouldn’t need more than 3 user seats per client org.

Anyone have any experience they can share on a path forward here?

@LTS_Tom How do you handle this scenario?

I don’t understand, organizations are not limited to three users.

From their plan page: About Bitwarden Plans | Bitwarden Help & Support

@LTS_Tom Sorry if I didn’t explain that as well as I thought. It isn’t a limit of users. That is the limit that Bitwarden will waive the license cost of for you to put your own users in to manage the vault for the customer and also have access to their passwords.

Do you store your clients’ passwords just in collections under your organization or do you create a vault for each one?

If you create an organization for each client, do you not have to give your employees access by adding them as users under each organization and thus get billed for each user additional licenses for each org you put them in?

Essentially, if you only had 3 clients and 4 employees that you wanted to have access to their passwords, you would have to pay for 16 licenses for your employees; 1 each for access to your organization and 1 each for each client organization you add them to.

Obviously this doesn’t scale… The only solution I can think of is to do 1 collection per client instead. The only problem there is that, if the client also wants to have Bitwarden and access to their passwords that you keep for them, you would have to add them as a user under your organization and assign access to just their collection.

We DO NOT share passwords with our clients so this is not an issue for us.

Thanks for clarifying your use case.

I guess this is a limitation of Bitwarden but only if you intend to give customers access to their passwords. I will need to think on this some I guess to decide the way forward for my business.