[Domain Control] [Tracking] Bring Domain Control to New Expensify #76750

@mountiny

DESIGN DOC ➡️

Predesign links

Whatsnext post - https://expensify.slack.com/archives/CC7NECV4L/p1764620384793629
Predesign - https://expensify.slack.com/archives/C07NMDKEFMH/p1764869641871379
Figma link - https://www.figma.com/design/XOfZbNPUeThgn3rycFX14x/Domains---SAML?node-id=1076-48767&p=f&t=dtiKmOWY337x6AxR-0
Data storage predesign - https://expensify.slack.com/archives/C07NMDKEFMH/p1764870173949399
Canvas with API and UX Pattern considerations - https://expensify.enterprise.slack.com/docs/T03SC9DTT/F0A1R9T88RK

Proposal

Background

Today, domain admins rely on Classic to perform essential enterprise governance tasks, including adding or removing domain members, granting domain admin privileges, and organising users via security groups to manage policy access and enforce company-wide standards. These tools are heavily used by IT, finance, and compliance teams across mid-market and enterprise organisations.

Currently, New Expensify offers no native interface for managing domain membership, adjusting domain admin permissions, or creating and maintaining domain security groups. This prevents us from migrating these customers who use these features to New Expensify. The only Classic Domains feature in NewDot now is the SAML setup and configuration.

Problem

When a domain admin needs to manage domain members, domain admins, or security groups, if they attempt to perform these actions in New Expensify, then they are forced back into Classic—undermining trust in NewDot as an enterprise-ready environment and increasing the likelihood they stop using it altogether.

Solution

Build native domain management capabilities in NewDot by extending the new Domains section within the Workspaces tab to support full domain configuration. This will provide a unified experience for enterprise admins and eliminate the last remaining domain-control dependency on Classic. These features will sit alongside the existing SAML configuration already supported in NewDot.
The suggested release would be:

  1. Release 1: Domain admins configuration - Introduce Domain Admins subpage in the domains settings where admins can:
    • Add or remove domain admins
    • Set primary contact for the domain
    • Enable/disable consolidated domain billing
  2. Release 2: Domain members management flow - Bring Domain Members subpage in the domains settings where admins can:
    • Add/remove domain members
    • See the list of domain members with their appropriate domain security group
  3. Release 3: Domain members configuration - More complex configuration of the domain members handled in the RHP:
    • Close the domain member account
    • Enable, disable or reset their 2FA
    • Report Suspicious activity
    • Set or unset a vacation delegate
    • Export the domain members
  4. Release 4: Domain Security groups configuration - Bring over the Domain Security Groups subpage in the domains, where admins can:
    • Create and delete domain security groups
    • Edit existing domain security groups through RHP
    • In the members page, allow admins to move members between different security groups

For this project, our goal is to close the feature gap as quickly as possible while ensuring the UI remains intuitive for migrated admins. To achieve this, we will closely mirror Classic’s configuration experience, with UX improvements considered out of scope for this initial phase.

Tasks

  • Post Proposal (full Problem/Solution statement) in #whatsnext https://expensify.slack.com/archives/CC7NECV4L/p1764620384793629
  • Wait at least one full business day, and until the post has a majority (2/3) of positive reactions (👍)
  • Paste Proposal in the space above with a link to the Slack thread
  • Email strategy@expensify.com and paste in the Proposal
  • Host a pre-design meeting (example) in an appropriate slack channel to discuss any necessary details in public before filling out the High-level of proposed solution section. https://expensify.slack.com/archives/C07NMDKEFMH/p1764869641871379
  • Fill out the High-level overview of the problem, Timeline, Terminology, and High-level of proposed solution sections of the Design Doc
  • Email strategy@expensify.com (continue the same email chain as before - your last message should be the WN Proposal) with the link to your Design Doc containing your high-level problem and solution
  • Add the DesignDocReview label to get the High-level overview of the problem and High-level of proposed solution section reviewed
  • Respond to any questions or concerns and bring up blockers in Slack to get a consensus if necessary
  • Confirm that the doc has the minimum necessary number of reviews before proceeding
  • Host another pre-design meeting in the appropriate slack channel to ask for engineering feedback on the technical solution. https://expensify.slack.com/archives/C07NMDKEFMH/p1764869641871379
  • Fill out the Detailed implementation of the solution and related sections.
  • Re-add the DesignDocReview label to this issue
  • Respond to any questions or concerns and bring up blockers in Slack to get consensus if necessary
  • Confirm that the doc has the minimum necessary number of reviews before proceeding
  • Email strategy@expensify.com one last time to let them know the Design Doc is moving into the implementation phase
  • Implement the changes
  • Add regression tests so that QA can test your feature with every deploy (instructions)
  • Send out a follow up email to strategy@expensify.com once everything has been implemented and do a Project Wrap-Up retrospective that provides:
    • Summary of what we accomplished with this project
    • What went well?
    • What could we have done better?
    • What did we learn?
Issue Owner

Current Issue Owner: @mountiny

Metadata

Labels

  • Monthly
  • KSv2
  • NewFeature: Something to build that is a new item.
  • Reviewing: Has a PR in review
