Stitchflow

Cisco Umbrella User Management Guide

Manual workflow

How to add, remove, and manage users with operational caveats that matter in production.

Updated Mar 4, 2026

Summary and recommendation

Cisco Umbrella user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and shows where automation has the biggest impact.

Cisco Umbrella is a cloud-delivered DNS security and SASE platform that enforces web filtering, threat protection, and identity-based policies across every app and network a user touches.

User identities are not created manually in most deployments - they are synchronized from Active Directory via the Umbrella Virtual Appliance connector or pushed from an IdP via SCIM. Admin accounts (Full Admin or Read-Only) are managed separately from end-user identities and are provisioned by invitation through the dashboard at https://dashboard.umbrella.com.

Quick facts

  • Admin console path: Admin > Administrators (for admin account management); Admin > Authentication (for IdP/SCIM); Admin > Licensing (for seat/license review)
  • Admin console URL: Official docs
  • SCIM available: Yes
  • SCIM tier required: Enterprise
  • SSO prerequisite: Yes

User types and roles

| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Full Admin | Full read/write access to all Umbrella dashboard settings, policies, reports, and administrative functions including managing other admins. | Cannot exceed the permissions granted by the organization's licensed tier features. | All plans | No additional cost; admin seats are not separately licensed. | Only one account can hold the primary owner/super-admin designation; this is typically the account used to activate the organization. |
| Read-Only Admin | Can view all dashboard sections, reports, and policies but cannot make configuration changes. | Cannot create, edit, or delete policies, identities, or other admin accounts. | All plans | No additional cost. | Read-only admins still consume an admin seat but do not consume an end-user license. |
| End User (Managed Identity) | Not a dashboard login role; represents a user identity (from AD, LDAP, or IdP) that policies are applied to. Can access the Umbrella user-facing reporting portal if enabled. | Cannot access the administrative dashboard or modify policies. | All plans (identity-based policy requires DNS Advantage or higher for full user-level attribution). | Consumes a licensed user seat. | User identities are typically synchronized from Active Directory via the Umbrella Virtual Appliance or via SCIM from an IdP; they are not manually created one-by-one in most deployments. |

Permission model

  • Model type: role-based
  • Description: Cisco Umbrella uses a role-based access control model for dashboard administrators. Built-in roles (Full Admin, Read-Only Admin) are assigned per admin account. There is no support for creating fully custom roles with granular permission sets; admins receive either full or read-only access. End-user identities are managed as policy targets, not as dashboard roles.
  • Custom roles: No
  • Custom roles plan: Not documented
  • Granularity: Coarse - two built-in admin roles (Full and Read-Only). No per-feature or per-policy granular permission assignment for admins.

How to add users

  1. Log in to the Umbrella dashboard at https://dashboard.umbrella.com.
  2. Navigate to Admin > Administrators.
  3. Click Add.
  4. Enter the new admin's email address, first name, and last name.
  5. Select the role: Full Admin or Read-Only Admin.
  6. Click Create. An invitation email is sent to the specified address.
  7. The invitee must accept the email invitation and set a password (or authenticate via SSO if configured) to activate the account.

Required fields: Email address, First name, Last name, Role (Full Admin or Read-Only Admin)

Watch out for:

  • Admin accounts are distinct from end-user identities. Adding an admin does not provision an end-user license.
  • End-user identities for policy enforcement are typically synced from Active Directory via the Umbrella Virtual Appliance (VA) connector, not added manually through the dashboard.
  • SCIM provisioning for end-user identities requires an Enterprise plan and an SSO/IdP integration (Okta, Azure AD/Entra, or OneLogin).
  • If SSO is enforced for the organization, invited admins must authenticate through the configured IdP and cannot use local password login.
  • Cisco ended support for the Roaming Client in April 2025; new deployments must use Cisco Secure Client.

| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |

How to remove or deactivate users

  • Can delete users: Yes
  • Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.
  1. For admin accounts: Log in to the Umbrella dashboard, navigate to Admin > Administrators, locate the admin account, click the delete/remove icon, and confirm deletion.
  2. For SCIM-provisioned end-user identities: Deprovision or deactivate the user in the connected IdP (Okta, Entra ID, or OneLogin); SCIM will propagate the removal to Umbrella.
  3. For AD-synced identities: Disable or remove the user in Active Directory; the Umbrella Virtual Appliance connector will sync the change on the next polling interval.

| Data impact | Behavior |
|---|---|
| Owned records | Policies and configurations created by a deleted admin remain in place; they are not automatically removed when the admin account is deleted. |
| Shared content | Reports and policy settings are organization-wide and persist after admin deletion. |
| Integrations | SCIM or AD-synced user identities removed from the source directory are removed from Umbrella identity lists, which may affect policy targeting if those identities were explicitly referenced in policies. |
| License freed | Deleting an end-user identity or deprovisioning via SCIM frees the associated user seat license. Deleting an admin account does not free a user seat (admin accounts are not separately licensed as user seats). |

Watch out for:

  • The primary owner/super-admin account cannot be deleted without first transferring ownership.
  • Removing a user identity that is referenced in active policies may cause those policies to fall back to network-level or default policy enforcement.
  • AD sync removal depends on the VA polling interval; removal is not instantaneous.
  • SCIM deprovisioning requires the Enterprise plan and an active IdP integration; without SCIM, manual cleanup in the Umbrella dashboard may be required.

License and seat management

| Seat type | Includes | Cost |
|---|---|---|
| DNS Essentials | DNS-layer security, basic web filtering, limited reporting. Per-user or per-device licensing. | Approximately $2.25–$3.67/user/month (varies by reseller and volume) |
| DNS Advantage | DNS Essentials features plus user-level identity attribution, integration with Cisco SecureX/XDR, enhanced reporting. | Approximately $44/user/year on AWS Marketplace; varies by contract |
| SIG Essentials (formerly Umbrella Pro/Enterprise) | DNS + Secure Web Gateway (SWG), cloud-delivered firewall, CASB visibility, remote browser isolation (add-on). | Approximately $4–$8/user/month depending on tier and volume |
| SIG Advantage | Full SASE stack including SIG Essentials plus advanced threat intelligence, DLP, and ZTNA capabilities. | Custom pricing; requires direct Cisco or reseller quote |

  • Where to check usage: Admin > Licensing within the Umbrella dashboard displays current seat consumption, license type, and expiration dates.
  • How to identify unused seats: Compare the list of active identities under Deployments > Core Identities (or the AD Users/Groups sync list) against licensed seat count in Admin > Licensing. Users synced but not associated with any active policy or recent DNS activity can be considered candidates for removal.
  • Billing notes: Licensing is per-user (or per-device for network-only deployments). Cisco Umbrella is sold through Cisco and authorized resellers; pricing is not publicly listed for SIG tiers and requires a quote. The Roaming Client was end-of-support April 2025; organizations must migrate to Cisco Secure Client, which may affect licensing SKUs. SCIM provisioning (for automated seat management) requires the Enterprise/SIG tier.

The cost of manual management

Every app in a security stack carries a hidden cost when offboarding is slow - Umbrella is no exception. AD sync removal is not instantaneous; the Virtual Appliance polling interval introduces a delay that can leave deprovisioned users active in policy enforcement after they have left the organization.

Without SCIM (which requires the Enterprise plan and a fully configured SSO integration), admin cleanup must be done one account at a time - there is no CSV import or bulk removal path for admin accounts. The two-role model (Full Admin vs. Read-Only) also forces organizations to grant full dashboard access to staff who only need limited scope, increasing blast radius when accounts are not removed promptly.
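
The reconciliation described under "How to identify unused seats" and the offboarding gap described in this section can be checked together. The following is an added example, not code from Cisco or from this guide's publisher: it compares three constructed CSV exports (Umbrella identities, directory accounts, Umbrella admins). The column names, sample rows and the 90-day idle threshold are assumptions, since no export format is documented on this page.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumed, not an Umbrella format.
IDENTITIES_CSV = """email,in_policy,last_dns_activity
alice@example.com,yes,2026-03-01
bob@example.com,yes,2026-02-27
carol@example.com,no,2025-11-02
dave@example.com,no,
"""
DIRECTORY_CSV = """email,enabled
alice@example.com,true
bob@example.com,false
carol@example.com,true
dave@example.com,true
erin@example.com,false
"""
ADMINS_CSV = """email,role
alice@example.com,Full Admin
erin@example.com,Full Admin
carol@example.com,Read-Only Admin
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(identities_csv, directory_csv, admins_csv,
              licensed_seats, today, idle_days=90):
    # Accounts missing from the directory export count as not enabled.
    enabled = {r["email"].lower() for r in _rows(directory_csv)
               if r["enabled"].lower() == "true"}
    report = {"offboarding_gap": [], "unused_seat_candidates": [],
              "stale_admins": []}
    identities = _rows(identities_csv)
    for r in identities:
        email = r["email"].lower()
        if email not in enabled:
            # Disabled upstream but still an Umbrella identity (sync lag).
            report["offboarding_gap"].append(email)
            continue
        last = r["last_dns_activity"]
        idle = not last or (today - date.fromisoformat(last)).days > idle_days
        if r["in_policy"].lower() != "yes" and idle:
            report["unused_seat_candidates"].append(email)
    for r in _rows(admins_csv):
        if r["email"].lower() not in enabled:
            report["stale_admins"].append((r["email"].lower(), r["role"]))
    report["seats_over_license"] = max(0, len(identities) - licensed_seats)
    return report
```

Entries in `stale_admins` with the Full Admin role are the ones to remove first, since the two-role model gives them full dashboard access.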

What IT admins are saying

Practitioners managing Umbrella at scale consistently flag the 200 AD group sync limit as a hard constraint that breaks policy segmentation for large enterprises.

The coarse admin role model - only Full Admin or Read-Only - is a recurring complaint from teams that need delegated administration for helpdesk or regional staff.

The April 2025 end-of-support for the Roaming Client has added redeployment overhead, as organizations must migrate endpoints to Cisco Secure Client, which may affect licensing SKUs.

SCIM provisioning is also noted as unreliable for on-premises AD environments because it requires a direct IdP integration and does not work through the Virtual Appliance connector.

Common complaints:

  • Virtual Appliance SCIM limitation: SCIM provisioning does not work through the Virtual Appliance connector; it requires a direct IdP integration, which limits automation options for on-premises AD environments.
  • 200 group limit: Umbrella enforces a limit on the number of AD groups that can be synchronized, which causes policy management issues for large enterprises.
  • Must migrate from Roaming Client: Cisco ended support for the Umbrella Roaming Client in April 2025, requiring migration to Cisco Secure Client, which involves redeployment effort.
  • Coarse admin roles: Administrators report that the two-role model (Full Admin vs. Read-Only) is insufficient for organizations that need delegated administration with limited scope (e.g., helpdesk staff who should only manage specific policy sets).
  • No bulk admin import: There is no CSV import or bulk creation path for admin accounts; each admin must be invited individually.
  • AD sync latency: User identity removal from Active Directory is not reflected in Umbrella immediately; the VA polling interval introduces a delay that can leave deprovisioned users active in policy enforcement.

The decision

Umbrella is the right choice when DNS-layer security and identity-based policy enforcement are the primary requirements and the organization already operates within the Cisco ecosystem (SecureX/XDR, Secure Client, Meraki). Teams on the Enterprise or SIG tier get SCIM-based lifecycle automation, which meaningfully reduces manual overhead across every app and identity touchpoint.

Organizations on lower tiers, or those running purely on-premises AD without a cloud IdP, will carry more manual provisioning and deprovisioning burden. The coarse admin role model is a real limitation for enterprises that need delegated administration - evaluate whether Full Admin or Read-Only is sufficient before committing.

Bottom line

Cisco Umbrella delivers strong DNS security and SASE capabilities but its identity management story is tiered: automated lifecycle management via SCIM is gated behind the Enterprise plan and requires SSO to be fully configured first.

Manual admin management is invitation-only with no bulk path, and AD sync latency means deprovisioning is never immediate.

For organizations already invested in the Cisco stack with a cloud IdP in place, the automation payoff is real - but teams without those prerequisites should plan for ongoing manual overhead across every app and policy touchpoint.


* Details sourced from official product documentation and admin references.
