Summary and recommendation
Cofense user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Cofense PhishMe is an enterprise phishing defense and security awareness training platform. It manages two distinct user types: Administrators, who control campaigns and reporting, and Recipients (end users), who are targeted by simulations and tracked for training completion. Native SCIM 2.0 provisioning is available via the Recipient Sync feature, but only on the Enterprise plan.
Quick facts
| Item | Detail |
|---|---|
| Admin console path | Admin > Settings (exact path not publicly documented; requires authenticated access to app.phishme.com or cofense.com tenant) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Administrator | Full platform access including user management, campaign creation, reporting, and system configuration. | Exact role names and permission boundaries are not publicly documented; details require vendor contact or authenticated admin access. | | | |
| Reporter / End User (Phishing Simulation Target) | Receives phishing simulation emails; can report suspicious emails via Cofense Reporter button. No admin console access. | Cannot access admin console, create campaigns, or view reports. | | ~$10/user/year estimated; custom enterprise pricing applies | End users are managed as 'recipients' or 'reporters' rather than named platform accounts in the traditional sense; provisioning is typically done via SCIM or CSV sync. |
Permission model
- Model type: role-based
- Description: Cofense PhishMe uses a role-based access model for administrative users. Specific role names, granular permission sets, and whether custom roles are configurable are not publicly documented.
- Custom roles: Unknown
- Custom roles plan: Not documented
- Granularity: Not publicly documented; assumed coarse-grained (admin vs. non-admin) based on available information.
How to add users
- Log in to the Cofense PhishMe admin console at app.phishme.com.
- Navigate to the user or recipient management section (exact path not publicly documented).
- Enter required user fields and assign role.
- Save or invite the user; user receives an email invitation to set up their account.
- Alternatively, configure SCIM provisioning via an IdP (Okta, Entra ID, OneLogin) to automate user creation.
Required fields: Email address, First name, Last name
Watch out for:
- Detailed manual add-user steps are not publicly documented; the above is inferred from standard Cofense onboarding references and IdP integration docs.
- SCIM provisioning via Recipient Sync is the recommended method for large organizations; manual addition may not scale.
- SSO and SCIM setup requires contacting Cofense support or a dedicated implementation engineer.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Reported as available for recipient/group import; exact admin console path not publicly documented. |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: Unknown
- Delete/deactivate behavior: The Okta and Entra integration documentation confirms a 'Deactivate Users' operation is supported via SCIM. Whether hard deletion of user records is possible through the admin UI is not publicly documented.
- Via SCIM/IdP: Deprovisioning the user in the connected IdP (Okta, Entra ID, OneLogin) will trigger a deactivation in Cofense via SCIM.
- Via admin console: Navigate to user/recipient management, locate the user, and use the deactivate or disable option (exact steps not publicly documented).
| Data impact | Behavior |
|---|---|
| Owned records | Not publicly documented. |
| Shared content | Not publicly documented. |
| Integrations | SCIM deprovisioning disables the user account; impact on active campaign assignments or reporting data is not publicly documented. |
| License freed | Not publicly documented; assumed seat is freed upon deactivation but confirmation requires vendor contact. |
Watch out for:
- Deactivation behavior when done manually vs. via SCIM may differ; not publicly documented.
- The retention policy for historical simulation and training data associated with a deactivated user is not publicly documented.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Recipient / End-User Seat | Phishing simulation targeting, security awareness training access, Cofense Reporter button usage. | Custom enterprise pricing; estimated ~$10/user/year at low end. |
| Admin Seat | Full platform administration, campaign management, reporting. | Typically bundled with platform license; not separately itemized in public documentation. |
- Where to check usage: Not publicly documented; assumed accessible within the admin console reporting or dashboard section.
- How to identify unused seats: Not publicly documented; no self-serve license audit tool confirmed. May require vendor-provided reporting or manual review of last-login data.
- Billing notes: Pricing is not publicly disclosed. All licensing is negotiated directly with Cofense sales. Enterprise contract required for SCIM provisioning and SSO features.
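An added example, not Cofense or Stitchflow code: one way to script the manual review described above, confirming that IdP deprovisioning actually deactivated recipients and surfacing seats still held by leavers. Both CSV layouts, the `Status` column and its values are assumptions, since the real export format is not publicly documented; the sample rows are constructed.

```python
import csv
import io

def _norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()

def load_active(csv_text, email_col, status_col, active_value):
    """Return the set of normalized emails whose status marks them active."""
    active = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = _norm(row.get(email_col) or "")
        status = (row.get(status_col) or "").strip().lower()
        if email and status == active_value.lower():
            active.add(email)
    return active

def reconcile(idp_csv, recipient_csv):
    """Diff the IdP roster against the recipient export.

    stale   : still an active recipient, but not active in the IdP
              (offboarding did not land; the seat is still consumed)
    missing : active in the IdP, but not an active recipient
              (user is outside simulation and training coverage)
    """
    idp = load_active(idp_csv, "email", "status", "ACTIVE")
    rcpt = load_active(recipient_csv, "Email", "Status", "Active")
    return {"stale": sorted(rcpt - idp), "missing": sorted(idp - rcpt)}

# Constructed sample data; column names and status values are assumptions.
IDP_EXPORT = """email,status
alice@example.com,ACTIVE
bob@example.com,DEPROVISIONED
carol@example.com,ACTIVE
"""

RECIPIENT_EXPORT = """Email,First name,Last name,Status
Alice@Example.com ,Alice,Ng,Active
bob@example.com,Bob,Ruiz,Active
dave@example.com,Dave,Okoro,Active
erin@example.com,Erin,Holt,Inactive
"""

if __name__ == "__main__":
    for kind, emails in reconcile(IDP_EXPORT, RECIPIENT_EXPORT).items():
        print(kind, emails)
```

A non-empty `stale` list after an offboarding run is the signal to check whether the account was deactivated manually or through SCIM, since the two paths may behave differently.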
The cost of manual management
Manual user management in Cofense is constrained by limited self-serve documentation: the admin console path is not publicly documented and requires authenticated access to app.phishme.com. SSO and SCIM setup both require contacting Cofense support or working with a dedicated implementation engineer, adding coordination overhead to every app onboarding or offboarding event.
There is no confirmed self-serve license audit tool, meaning identifying unused seats likely requires manual review of last-login data or a vendor-provided report.
What IT admins are saying
Reviewers on G2 and TrustRadius flag the admin interface as complex, with onboarding at scale requiring careful coordination with the Cofense team. A recurring friction point is that SSO configuration is not self-serve; support must be contacted to complete setup.
Pre-purchase evaluation of user management capabilities is also difficult because most admin documentation sits behind authenticated portals.
Common complaints:
- Must contact support for SSO setup; not self-serve.
- Admin documentation is largely behind authenticated portals, making pre-purchase evaluation of user management capabilities difficult.
- SCIM/Recipient Sync configuration requires implementation assistance and is not straightforward to self-configure.
- Reviewers on G2 and TrustRadius note that the admin interface can be complex and that onboarding new users at scale requires careful planning with the Cofense team.
The decision
Cofense PhishMe is well-suited for enterprise security teams that already operate an IdP (Okta, Entra ID, or OneLogin) and can invest in the initial SCIM/Recipient Sync configuration. Once SCIM is live, user lifecycle events flow automatically and every app provisioning action is handled by the IdP.
Teams without an IdP, or on sub-Enterprise plans, will face manual provisioning overhead with limited tooling support. The permission model is assumed to be coarse-grained (admin vs. non-admin); granular role customization is not publicly documented.
Bottom line
Cofense PhishMe delivers reliable phishing simulation and awareness training at enterprise scale, but its user management story is heavily dependent on SCIM/IdP integration to be operationally sustainable. Manual provisioning is possible but poorly documented and does not scale.
Budget for implementation assistance when setting up Recipient Sync, and confirm Enterprise plan access before committing to an automated provisioning workflow.