Help an employee regain access to Ramp
Overview
This article is for Ramp admins, IT admins, and Business Owners who need to help an employee who cannot sign in to Ramp. It covers what you can check, what you can do directly, and when to direct the employee to self-serve recovery.
If you are the person who cannot sign in, see Troubleshooting Ramp sign-in & MFA issues instead.
Step 1: Confirm the employee's account status
Before troubleshooting the sign-in method, verify that the employee has an active Ramp account.
Check if the employee is active
- Go to People and search for the employee by name or email.
- If the employee appears and their status is Active, their account exists and is not deactivated. Move to Step 2.
- If the employee's status is Inactive, reactivate their account. Once reactivated, they should be able to sign in again.
- If the employee does not appear at all, they may not have been invited yet. See Inviting users to Ramp.
Check for pending or expired invites
- Go to People and select the Invites tab.
- If the employee appears here, they have not yet accepted their invitation. Click the paper plane icon next to their name to resend the invite.
- If the invite is stuck or the employee reports it expired, click the trash can icon to delete the old invite, then send a new one.
Step 2: Verify their sign-in method
If the employee's account is active but they still cannot sign in, the issue is likely related to their sign-in method. Check which sign-in methods are enabled for the employee's role.
- Go to Settings > Company settings > Security, then under Account access click Configure.
- In the User roles tab, review which sign-in methods (password, Google SSO, SAML SSO) are enabled for the employee's role.
- If the employee's role only allows SSO, confirm that their email domain is configured for the correct identity provider.
- If the employee needs password access but their role is set to SSO-only, you can add them to the exception list. See Managing sign-in controls in Ramp for details on the exception list.
- Confirm the employee is using the correct email address — the one they were originally invited with.
Step 3: Direct them to the right recovery path
Once you have confirmed the employee's account is active and you know their sign-in method, direct them to the appropriate self-serve recovery path based on their situation. Note that the self-serve MFA recovery flow is available to employees who sign in with a password. If the employee's role is set to SSO-only and they need MFA recovery, contact Ramp Support.
They never received or accepted their invite
Resend the invite from People > Invites tab. If the old invite is stuck, delete it and send a new one. Make sure the email address on the invite is correct.
They forgot their password
Direct them to the Ramp sign-in page and have them use the password reset form. They will receive a reset link at their email address on file.
They cannot receive verification codes
Share Troubleshooting Ramp verification codes with the employee. Common causes include carrier blocking of short code SMS, opting out of Ramp texts, or using an international phone number that cannot receive US short codes. Voice call is often the fastest workaround.
They changed phones or lost their device
You can initiate a phone number change on the employee's behalf from their profile on the People page. The employee will need to verify the new number before the change takes effect. Alternatively, the employee can go through the self-serve MFA recovery flow — direct them to Updating your multi-factor authentication (MFA) method. On the verification screen during sign-in, the employee should look for the recovery option indicating they no longer have access to their phone number, then follow the prompts to verify their identity and register a new device.
They lost their authenticator app
Direct them to Updating your multi-factor authentication (MFA) method. On the verification screen during sign-in, the employee should look for the recovery option indicating they cannot access their authenticator app. The recovery flow will require identity verification before a new authenticator can be set up.
Their passkey is not working
Suggest they try a different browser (password manager extensions can interfere with passkey prompts) and make sure Bluetooth is on if they are verifying with their phone on another device. If an alternate verification method is available on the sign-in screen, they can use that instead. For more details, see Troubleshooting Ramp sign-in & MFA issues or Signing in with Passkeys.
SSO is not working for them
- Confirm the employee is signing in with the correct email address — the one that matches their identity provider account.
- Verify they are in the correct group or assignment in your identity provider (Okta, Microsoft Entra, Google Workspace, etc.). If the employee was removed from the IdP group, your identity provider may block their SSO sign-in — re-add them in the IdP and have them try again.
- Check that the email domain is configured for the right identity provider in Settings > Company settings > Security.
- For detailed SSO configuration guidance, see Setting up single sign-on (SSO) in Ramp.
What you can do as an Admin
Here is a summary of the actions available to you as an admin when helping an employee regain access.
- Resend or re-create invites — Go to People > Invites tab to resend an invite (send icon) or delete and re-create one (trash icon).
- Check and update sign-in method settings — Go to Settings > Company settings > Security > Account access > Configure to see which sign-in methods are enabled per role.
- Add a password exception for an individual user — If an employee needs password access but their role is SSO-only, add them to the exception list in the sign-in controls panel. See Managing sign-in controls in Ramp.
- Verify SSO and identity provider configuration — Confirm email domain mapping, IdP group membership, and SAML attribute settings. See Setting up single sign-on (SSO) in Ramp.
- Initiate a phone number change — If the employee has a new phone number, you can start the change from their profile on the People page. The employee will need to verify the new number before it takes effect.
- Confirm the email address on file — Search for the employee in People to verify the email address matches what they are using to sign in.
- Reactivate an inactive account — If the employee was previously deactivated (for example, they left and returned), select them on the People page and reactivate their account.
You cannot reset an employee's password, remove their authenticator app or passkey, or bypass MFA on their behalf. For these actions, the employee must use the self-serve recovery flows linked in Step 3 above.
When to contact Ramp support
In most cases, the steps above will resolve the issue. Contact Ramp Support if:
- The employee uses SSO-only and needs MFA recovery (self-serve MFA recovery requires password sign-in).
- The employee's identity verification failed during the MFA recovery flow and they cannot complete recovery.
- The employee's account appears locked and you cannot resolve it through the People page.
- An SSO misconfiguration is preventing sign-in and the issue is not resolvable from your identity provider settings.
- The employee sees "Account is missing required information" or another error that does not have a self-serve resolution.
- An inactive account cannot be reactivated through the standard process.
Frequently asked questions
Can I reset an employee's password for them?
No. The employee must reset their own password using the reset form on the Ramp sign-in page. You can confirm which email address their account is under so they use the correct one.
Can I remove an employee's MFA method?
No. You cannot remove or change an employee's MFA phone number or authenticator app. The employee must go through the self-serve recovery flow described in Updating your multi-factor authentication (MFA) method, or contact Ramp Support if recovery is not possible.
Can I turn off MFA for one employee?
No. MFA requirements are determined by your business-level security settings and Ramp's risk checks. They cannot be disabled for individual users. For more on how MFA works, see Multi-factor authentication (MFA) overview.
An employee has two Ramp accounts — what should they do?
If the employee belongs to multiple Ramp businesses, they may have separate accounts. They should make sure they are signing in to the correct one. For details on switching between businesses, see Unified sign-in.
A Guest user cannot use SSO — is that expected?
Yes. Guest users always retain password as a sign-in method. You can enable additional sign-in methods (including SSO) for Guests, but password access cannot be removed. This means Guests cannot be set to SSO-only. See Managing sign-in controls in Ramp for more details.