Any side effects of changing the super admin?

Hi,

I’m the super administrator of a free Cloudflare account that I set up for my client’s new website.

Now that the website is up and running, I want to transfer super admin control to the client so that they have control of membership and billing.

I understand that the supported way to do this in the free plan is to swap the users’ details by changing the email address of each user to that of the other.

I have several doubts about how this method works in practice before I go ahead and apply it to my client’s account.

How does it affect the audit log? Will my actions be attributed to the client’s user and vice versa?

How does it affect passwords and multi-factor authentication? Will I need to disable or reset any of these features to avoid anyone being locked out?

How does it affect my access to related resources such as the community support forum and support help pages? Will I still be able to sign into them with my own email address and see my contributions?

How does it affect other email-based notifications like passive origin monitoring and certificate transparency monitoring? Will those settings be affected by the swap?

Are there any other side effects that I should be aware of?

Regards, Iain

Today I tested this myself in a throwaway account.

First, the messy details:

Your passwords and 2FA settings will be reversed after doing this.

To do the role swap for real I’ll need a copy of my client’s password and 2FA seed. I’ll get them reset after confirming that the swap has worked.

You’ll need to wait between 3 and 24 hours between email address changes for the same user. Any sooner will fail with a 429 “Too many requests” error.

The delay is mentioned by judge and cloonan in similar forum questions. I didn’t see it mentioned in the docs.

Any email notifications that might be sent in the 3-24 hours between changes would presumably be sent to the temporary address. You might want to make sure that temporary address is routed back to you somehow so you don’t miss anything.

You will need to log in once as [email protected] (or whatever temp address you chose) to complete the switch over. This just feels weird.

Each user’s email address will need to be verified again after being fully swapped over.

It turns out that each user in Cloudflare automatically has an account created for them and becomes the super administrator of that account. This happens even if the user is created through an invitation to an existing account. So my client has access to the account I created for them and access to another empty account named after their email address.

After performing the role swap, I will have access to the account created for my client’s email address. In our case it’s not a problem because nothing else has been created there. I’ll just be left with an extra empty account.

I was unable to test the effect on certificate transparency monitoring because in my throwaway account I didn’t properly set up any domain.

And now the good news:

Swapping the email addresses doesn’t rewrite anything that was already in the audit log. Any email address logged before the change stays the same.

The passive origin settings will be unaffected. It appears that the email addresses entered here are not linked to Cloudflare users or accounts.

And something that is kind of good news, but kind of confusing:

A “Change email” event is recorded in the audit log when the invited user’s email address changes to the temp address, and another event is recorded when the address changes again to that of the inviting user.

The event metadata looks like this:

{
  "New email": "[email protected]",
  "Old email": "[email protected]"
}
{
  "New email": "[email protected]",
  "Old email": "[email protected]"
}

However, I only saw two email change events in the audit log to record the operation. I was expecting three.

In my test I followed the procedure like this:

  1. I changed the email address for the invited user (Administrator) to [email protected]
  2. I changed the email address for the inviting user (Super Administrator) to the invited user’s old email address
  3. I changed the email address for the invited user again to the inviting user’s old email address.

I saw two email change events logged for events 1 and 3 but not for 2.

I’m not sure if that’s how it’s supposed to work or if some logging problem exists in my account. I haven’t found detailed documentation for the log events.
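As an added example (not code from the post or from Cloudflare), here is a small Python check that compares the three email changes the swap procedure should record with the “Change email” events actually present in an audit log export, flagging any that are missing, as happened for step 2 above. The entry shape and all addresses are constructed placeholders.

```python
# Added example: verify that an email-address swap left a complete trail in
# the audit log. Entry shape and addresses below are constructed placeholders,
# not a real Cloudflare export or real accounts.

def expected_swap_transitions(inviter, invited, temp):
    """The three (old, new) changes the swap procedure should record."""
    return [
        (invited, temp),     # step 1: invited user -> temp address
        (inviter, invited),  # step 2: inviting user -> invited user's old address
        (temp, inviter),     # step 3: invited user -> inviting user's old address
    ]

def observed_transitions(entries):
    """Pull (old, new) pairs from 'Change email' entries, in log order."""
    out = []
    for entry in entries:
        if entry.get("action") != "Change email":
            continue
        meta = entry.get("metadata", {})
        if "Old email" in meta and "New email" in meta:
            out.append((meta["Old email"], meta["New email"]))
    return out

def missing_transitions(expected, observed):
    """Expected changes that have no matching log entry (order-insensitive)."""
    remaining = list(observed)
    missing = []
    for change in expected:
        if change in remaining:
            remaining.remove(change)
        else:
            missing.append(change)
    return missing

def follow_chain(transitions, start):
    """Follow old->new links from `start` to the address it ends up as."""
    mapping = dict(transitions)
    current, seen = start, {start}
    while current in mapping and mapping[current] not in seen:
        current = mapping[current]
        seen.add(current)
    return current

def audit_swap(entries, inviter, invited, temp):
    """Return the swap steps that the audit log failed to record."""
    expected = expected_swap_transitions(inviter, invited, temp)
    return missing_transitions(expected, observed_transitions(entries))

# Constructed log: only steps 1 and 3 were recorded, mirroring the post.
SAMPLE_LOG = [
    {"action": "Change email", "metadata": {"Old email": "invited@example.com", "New email": "temp@example.com"}},
    {"action": "Change email", "metadata": {"Old email": "temp@example.com", "New email": "inviter@example.com"}},
]
```

Running `audit_swap(SAMPLE_LOG, "inviter@example.com", "invited@example.com", "temp@example.com")` reports the step 2 change as missing, while `follow_chain` still shows the invited user's address ending up as the inviter's.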
