Summary and recommendation
Abnormal Security user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Abnormal Security is an enterprise email security platform focused on detecting and investigating threats such as phishing, account takeover (ATO), and vendor email compromise.
It does not support SCIM provisioning, which means every app in your stack that relies on automated lifecycle signals cannot receive provisioning or deprovisioning updates from Abnormal.
User identity data flows read-only from the connected mail environment (Microsoft 365 or Google Workspace), and portal access for administrators is managed through a role-based model whose specific role names and permission tiers are not publicly documented outside the authenticated portal.
Quick facts
| Admin console path | Portal > Settings / Administration > Users (exact labels vary by tenant and portal version) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | N/A - No SCIM |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Portal Administrator | Can access tenant configuration, integrations, security settings, and portal user administration. | Does not manage the underlying Microsoft 365 or Google Workspace identities that Abnormal ingests from the connected mail environment. | Exact role names and any analyst or read-only variants are not publicly documented outside the authenticated portal. |
Permission model
- Model type: role-based
- Description: Abnormal Security uses a role-based access control model for its portal. Specific role names, permissions, and tier requirements are not publicly documented outside the authenticated admin portal.
- Custom roles: Unknown
- Custom roles plan: Not documented
- Granularity: Not documented
How to add users
- Log in to the Abnormal Security portal as an existing administrator.
- Open the tenant Settings or Administration area and go to the Users section.
- Choose the option to invite or add a portal user.
- Enter the user's work email address and assign the appropriate admin or analyst role available in the tenant.
- Send the invitation and have the user complete the portal onboarding flow.
Required fields: Work email address, Role or access level
Watch out for:
- Public documentation does not fully describe the portal invite flow, so exact button labels can vary by tenant version.
- Portal access is distinct from the identities Abnormal ingests from the connected mail environment.
- If SSO is enabled for the portal, the invited user may need an IdP assignment before they can complete login.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Unknown | Not documented |
| Domain whitelisting | Unknown | Automatic domain-based user add |
| IdP provisioning | Yes | Not documented |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: Official documentation does not publicly describe delete or deactivate behavior for portal admin users.
- Open the portal Users section as an administrator.
- Locate the portal user record to remove or disable.
- Use the available disable, revoke, or remove action exposed by the tenant.
- Confirm the change and verify the user can no longer access the portal.
| Data impact | Behavior |
|---|---|
| Owned records | Public documentation does not describe portal-user ownership semantics in detail; security findings and detections are tenant objects, not personal workspaces. |
| Shared content | Shared detections, cases, and portal views remain tenant data rather than user-owned content. |
| Integrations | API keys or integration credentials created by the removed admin should be reviewed separately because token access can outlive interactive login if not explicitly revoked. |
| License freed | Seat reuse is contract-dependent and not publicly documented in detail. |
Watch out for:
- Official public docs do not clearly distinguish disable versus delete semantics for portal users.
- API tokens and external integrations should be audited separately during offboarding.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named portal admin user | Administrative or analyst access to the Abnormal Security portal. |
- Where to check usage: Portal > Settings / Administration > Users
- How to identify unused seats: Review the current portal user list and any available last-login or access metadata exposed in the tenant. Public docs do not describe a dedicated unused-seat report.
- Billing notes: Abnormal Security uses custom enterprise pricing. Public pricing and seat enforcement details for portal users are not documented in an official self-serve pricing page.
The cost of manual management
Because Abnormal Security has no SCIM support, admin portal access must be managed manually with no repeatable, auditable workflow for onboarding or offboarding. There is no public documentation describing the exact steps to add, deactivate, or delete portal users. Offboarding a departing employee requires out-of-band coordination rather than an automated process tied to your IdP.
The decision
Abnormal Security is best evaluated as a detection and investigation layer, not an identity management tool. Every app in a mature SaaS access program needs a provisioning path;
Abnormal's absence of SCIM means you will need a compensating control such as SSO enforcement via Okta or Entra ID for portal login, paired with a manual or API-driven offboarding process. Pricing is custom and enterprise-only; budget conversations should go through your Abnormal account team or reseller.
Bottom line
Abnormal Security delivers strong email threat detection but ships with no SCIM support and limited public documentation on portal user administration.
Teams managing access at scale will need to rely on SSO for portal authentication and build manual or API-based processes to keep portal membership in sync with their IdP.
The platform is purpose-built for security outcomes, not identity lifecycle management, and should be scoped accordingly in your SaaS access program.
Automate Abnormal Security workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
