Summary and recommendation
HaloPSA user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
HaloPSA is a PSA/ITSM platform priced at $90/agent/month (named, billed annually) or $180/agent/month (concurrent). All features are included across plans - there are no feature-gated tiers. SAML SSO is supported via Azure AD and AuthPoint, but there is no native SCIM provisioning; every agent must be created and deactivated manually through the admin console.
Two agent license types exist: named (one seat per individual) and concurrent (a shared pool of simultaneous sessions). End users - customers and portal contacts - do not consume agent seats and are managed separately under Customers > Contacts, not the Agents section.
Because every app without SCIM adds manual provisioning overhead, HaloPSA's absence of directory sync is a meaningful operational cost at scale.
Quick facts
| Admin console path | Configuration > Teams & Agents > Agents |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Enterprise |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Agent (Named License) | Full access to assigned modules (tickets, assets, projects, billing, reporting) based on role permissions. One dedicated login seat per agent. | Cannot share login credentials with another agent; seat is tied to a single named user. | Standard (all features included) | $90/agent/month (billed annually) | Named license seats are non-transferable mid-billing-cycle; deactivating an agent frees the seat for reassignment but billing adjustments depend on contract terms. |
| Agent (Concurrent License) | Same module access as named license agents; concurrent seats allow multiple named users to share a pool of simultaneous logins. | Cannot exceed the purchased number of simultaneous active sessions across the shared pool. | Standard (all features included) | $180/agent/month (billed annually) per concurrent slot | Concurrent licensing costs 2× named pricing; suitable for shift-based teams but requires careful pool sizing to avoid login lockouts. |
| End User (Customer/Contact) | Access to the self-service portal only: submit tickets, view own ticket history, approve quotes if enabled. No access to the agent-facing HaloPSA interface. | Cannot view other users' tickets, access configuration, or perform any agent-level actions. | Included; end users do not consume agent seats. | No additional cost; unlimited end-user portal accounts. | End users are managed under Customers > Contacts, not under the Agents section. Conflating the two during setup is a common onboarding error. |
| Administrator Agent | All agent permissions plus full access to Configuration settings, including user management, integrations, custom fields, and billing configuration. | Standard (all features included) | Consumes one named or concurrent agent seat; no additional cost for the admin role itself. | There is no separate 'super-admin' seat type; admin rights are granted via role assignment on a standard agent seat. |
Permission model
- Model type: custom-roles
- Description: HaloPSA uses a role-based access control model where administrators create and assign named roles to agents. Each role is configured with granular permission toggles covering ticket actions, asset management, reporting, billing, configuration access, and module visibility. Roles are assigned per agent and can be scoped further by team membership.
- Custom roles: Yes
- Custom roles plan: Included in all plans; no additional tier required.
- Granularity: Per-module and per-action toggles (e.g., view, create, edit, delete) configurable per role. Additional scoping available via team assignments and department restrictions.
How to add users
- Log in as an administrator and navigate to Configuration > Teams & Agents > Agents.
- Click 'New Agent' (or the '+' button).
- Enter required fields: Name, Email Address, and assign a Role.
- Optionally assign the agent to one or more Teams.
- Set the license type (Named or Concurrent) if prompted by your instance configuration.
- Save the record. The agent receives an email invitation to set their password.
- For SSO-enabled instances, ensure the agent's email matches their Azure AD / SAML identity provider account to enable SSO login.
Required fields: Full Name, Email Address, Role (at least one role must be assigned)
Watch out for:
- The agent's email address must exactly match the identity provider UPN/email if SAML SSO is in use; mismatches prevent SSO login without error messages that clearly identify the cause.
- New agents are active and consuming a seat immediately upon saving, even before they accept the invitation email.
- There is no native SCIM provisioning; agents cannot be automatically created from an identity provider directory sync.
- Team assignment is optional at creation but affects ticket routing and queue visibility immediately.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Configuration > Teams & Agents > Agents > Import (CSV upload option within the Agents list view) |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | No | Not documented |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: HaloPSA does not support permanent deletion of agent records to preserve historical data integrity (ticket history, audit logs, time entries). Agents are deactivated, which removes their login access and frees their seat for reassignment. The agent record and all associated historical data remain in the system.
- Navigate to Configuration > Teams & Agents > Agents.
- Locate and open the agent record to be deactivated.
- Uncheck or toggle the 'Active' status field to inactive.
- Save the record. The agent's login is immediately disabled and the seat becomes available for a new agent.
| Data impact | Behavior |
|---|---|
| Owned records | All tickets, time entries, and assets previously assigned to the deactivated agent remain in the system and retain the agent's name in historical records. Open tickets assigned to the deactivated agent should be manually reassigned before deactivation to avoid orphaned queue items. |
| Shared content | Shared reports, templates, and knowledge base articles authored by the deactivated agent remain accessible to other agents. |
| Integrations | API tokens or integration credentials tied to the deactivated agent's account may stop functioning; any integrations using that agent's credentials should be reconfigured to an active agent before deactivation. |
| License freed | The seat is freed immediately upon deactivation and can be assigned to a new agent without waiting for a billing cycle. Actual billing credit depends on contract terms with HaloPSA. |
Watch out for:
- Open tickets assigned to a deactivated agent are not automatically reassigned; they remain in that agent's queue and may become invisible to active agents depending on queue filter configuration.
- If the deactivated agent was the sole member of a team, that team's routing rules may stop functioning correctly.
- Deactivated agents still appear in historical reports and ticket audit trails, which is by design but can cause confusion when filtering active agent lists.
- There is no bulk deactivation tool in the UI; each agent must be deactivated individually.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Named Agent License | One dedicated login seat per individual agent. Full access to all HaloPSA modules based on role permissions. | $90/agent/month (billed annually) |
| Concurrent Agent License | A shared pool of simultaneous login slots. Multiple named agents can be created but only the purchased number can be logged in at the same time. | $180/agent/month (billed annually) per concurrent slot |
| End User / Portal Contact | Self-service portal access for customers and end users. Does not consume an agent seat. | No additional cost; included with all plans. |
- Where to check usage: Configuration > Teams & Agents > Agents - filter by Active status to see current active agent count against licensed seats. License seat count is also visible in the HaloPSA account/billing portal.
- How to identify unused seats: Sort the Agents list by 'Last Login' date to identify agents who have not logged in recently. There is no built-in automated unused-seat report; this requires manual review of the agent list.
- Billing notes: HaloPSA pricing is per agent per month billed annually. Named and concurrent licenses are priced differently and can be mixed within the same instance. Seat count changes (additions) typically take effect immediately; reductions are subject to contract terms. All product features are included regardless of seat count - there are no feature-gated tiers.
The cost of manual management
Without automated provisioning, admins must handle every joiner, mover, and leaver event by hand inside Configuration > Teams & Agents > Agents. New agents begin consuming a licensed seat the moment the record is saved - before the invitation email is accepted.
There is no bulk deactivation tool; each offboarding requires opening and updating individual agent records one at a time. Identifying unused seats requires manually sorting the Agents list by Last Login date, as there is no built-in license utilization report.
What IT admins are saying
The absence of native SCIM is the most consistently raised friction point in community discussions. Teams using Azure AD SSO still face fully manual agent provisioning, and any email mismatch between HaloPSA and the identity provider blocks SSO login without a clear error message.
Offboarding pain surfaces in two ways: no bulk deactivation tooling, and open tickets assigned to deactivated agents that silently drop out of active queues without automatic reassignment.
Concurrent license users flag session-blocking as high-impact - when all slots are occupied, agents are locked out with no queuing mechanism. Pool sizing errors are only discovered at login time.
Common complaints:
- Users report that there is no native SCIM provisioning, requiring manual agent creation even when using Azure AD SSO, which creates overhead for larger teams.
- The lack of bulk deactivation tooling is cited as a pain point when offboarding multiple agents simultaneously.
- Some users note that open tickets assigned to deactivated agents are not automatically reassigned, leading to tickets falling out of active queues silently.
- Community members have noted that the 'Last Login' field is the only practical way to identify inactive agents, and there is no built-in license utilization report.
- The concurrent license model's session-blocking behavior (users locked out when all slots are occupied) is flagged as high-impact in shift-heavy environments without adequate pool sizing.
The decision
Every app in your stack that lacks SCIM requires hands-on admin work at each lifecycle event, and HaloPSA is firmly in that category. Teams with high agent turnover or strict offboarding SLAs should weigh the absence of SCIM and bulk deactivation tooling carefully before committing.
The all-inclusive pricing model means no features are withheld at lower seat counts, which simplifies procurement. Teams willing to invest in API-based automation can close most of the provisioning gap, but out of the box, seat management is a recurring manual commitment.
If your environment uses Azure AD for SSO, plan for exact UPN/email alignment between HaloPSA agent records and your identity provider - mismatches are silent and operationally high-impact.
Bottom line
HaloPSA delivers a full-featured PSA/ITSM platform with no feature gating, but trades provisioning automation for manual control at every lifecycle stage. Every app without SCIM adds admin overhead, and HaloPSA is firmly in that category - agents must be created, deactivated, and audited by hand.
Teams willing to invest in API-based automation can close most of that gap, but out of the box, seat management is a recurring manual commitment.
Automate HaloPSA workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
