Summary and recommendation
KnowBe4 user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
KnowBe4's KSAT console gives IT admins three fixed admin roles - Account Owner, Full Admin, and Group Admin - with no ability to customize individual permissions within a role. Group Admins can be scoped to specific user groups, which is the only delegation mechanism available.
Every app in your stack that relies on accurate user state depends on clean provisioning here; KnowBe4 is no exception, and its one-way SCIM sync means the IdP is always the source of truth.
Quick facts
| Admin console path | Top navigation → Users (or Account Settings → Admins for admin role management) |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise (varies by plan) |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Account Owner | Full access to all console features, billing, account settings, and admin management. Can create and delete admin accounts. | Cannot be demoted to a lower role without transferring ownership. | All plans | Does not consume a learner seat; admin accounts are separate from user/learner seats. | Only one Account Owner per account. Ownership transfer requires contacting KnowBe4 support. |
| Full Admin | Access to all console features including campaigns, phishing, reporting, and user management across the entire account. | Cannot manage billing or transfer account ownership. | All plans | Admin accounts do not consume learner seats. | Full Admins can see all groups and users; scope cannot be restricted to a subset of users. |
| Group Admin | Scoped access limited to assigned groups. Can manage training campaigns, phishing simulations, and reporting only for their assigned groups. | Cannot access users or data outside their assigned groups. Cannot manage account-level settings, billing, or other admins. | All plans | Admin accounts do not consume learner seats. | Group Admin scope is set at the time of admin creation and must be updated manually if group membership changes. |
| Learner (User) | Access to the KnowBe4 Learner Experience Portal (LEP) to complete assigned training and view their own progress. | Cannot access the admin console, reporting, or campaign management. | All plans | Counts against licensed seat count. Pricing ranges from ~$0.95 to ~$3.25/user/month depending on plan tier. | Archived/deactivated users may still count toward historical reporting but should not consume active seats. Verify with KnowBe4 account rep. |
Permission model
- Model type: role-based
- Description: KnowBe4 uses a fixed set of built-in admin roles (Account Owner, Full Admin, Group Admin). Permissions are not individually configurable; role selection determines the permission set. Group Admins can be scoped to specific user groups, providing a limited form of delegation.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Coarse-grained. Three fixed roles; no ability to grant or revoke individual permissions within a role. Group scoping is the only available restriction mechanism.
How to add users
- Log in to the KSAT console at training.knowbe4.com.
- Navigate to Users in the top navigation bar.
- Click the Add User button.
- Enter required fields: First Name, Last Name, and Email Address.
- Optionally assign the user to one or more Groups.
- Click Save to create the user record.
Required fields: First Name, Last Name, Email Address
Watch out for:
- Email address must be unique within the account; duplicate emails are rejected.
- Users are not automatically enrolled in training upon creation; they must be added to an active campaign.
- Users added manually will not be synced back to an IdP; SCIM is one-way (IdP → KSAT only).
- If SCIM provisioning is active, manually added users may be overwritten or cause conflicts if the same email is later provisioned via SCIM.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Users → Import Users → Download CSV Template, populate, then upload via the Import Users button. |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Available across plans (Silver, Gold, Platinum, Diamond); SCIM specifically documented as available with KSAT console. SSO is a prerequisite for SCIM. |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: KnowBe4 does not permanently delete user records from the KSAT console. Users can be Archived (deactivated), which removes them from active campaigns and prevents login to the Learner Portal, but their historical training and phishing data is retained for reporting purposes. There is no hard-delete option available to admins through the console UI.
- Navigate to Users in the top navigation bar.
- Locate the user using search or filters.
- Check the checkbox next to the user's name.
- Click the Actions dropdown.
- Select Archive User.
- Confirm the action in the dialog prompt.
| Data impact | Behavior |
|---|---|
| Owned records | Historical training completion records, phishing simulation results, and risk scores are retained and remain visible in reports after archiving. |
| Shared content | Archived users are removed from active group memberships and campaign enrollments. Content they were assigned remains associated with their archived record. |
| Integrations | If provisioned via SCIM, deprovisioning the user in the IdP will automatically archive them in KSAT. Manual archiving in KSAT does not push changes back to the IdP. |
| License freed | Archived users should not count against the active licensed seat count. Confirm with KnowBe4 account representative as billing terms vary by contract. |
Watch out for:
- Archived users can be unarchived (reactivated) at any time, restoring their historical data.
- If SCIM is enabled, re-enabling the user in the IdP will re-provision them in KSAT automatically.
- Archiving a user does not remove them from historical phishing or training reports; this is by design for compliance record-keeping.
- Alias email addresses associated with a user are not preserved when a user is deprovisioned and re-provisioned via SCIM.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Learner Seat | Access to KnowBe4 training content, phishing simulations, and the Learner Experience Portal. Scope of content depends on plan tier (Silver, Gold, Platinum, Diamond). | Approximately $0.95–$3.25/user/month depending on plan tier; 25-user minimum; annual billing; exact pricing requires a quote. |
| Admin Account | Access to the KSAT admin console for campaign management, reporting, and user administration. Does not include a learner seat by default. | Included with account; does not consume a learner seat license. |
- Where to check usage: Account Settings → Account Info displays total licensed users and current active user count. Detailed user counts can also be viewed under Users with active/archived filters.
- How to identify unused seats: Filter the Users list by 'Last Login' or use the Risk Score report to identify users who have never logged in or have not completed any training. Archived users can be reviewed under the Archived filter in the Users list.
- Billing notes: KnowBe4 licenses are sold on an annual per-user basis with a 25-user minimum. Pricing is negotiated and varies by organization size, plan tier, and contract length. Non-profit and multi-year discounts are available. Add-on products (PhishER, Compliance Plus, SecurityCoach) are priced separately. Overage terms for exceeding licensed seat count should be confirmed in the contract.
The cost of manual management
Manual user management in KnowBe4 creates compounding risk across three areas. First, users added directly in the KSAT console are invisible to your IdP and will conflict with SCIM-provisioned records if the same email is later pushed from the IdP.
Second, Group Admin scopes are set at creation and must be updated manually whenever group membership changes - a step that is easy to miss at scale. Third, KnowBe4 does not support hard deletion; departed employees can only be archived, which creates ambiguity for GDPR right-to-erasure requests and requires manual follow-up with KnowBe4 support.
What IT admins are saying
Practitioners consistently flag three friction points in KnowBe4 user management. Nested Azure AD (Entra ID) groups are not supported by SCIM - only direct group members sync, which forces manual group restructuring before provisioning works correctly.
Alias or secondary email addresses tied to a user are silently dropped when switching from manual management to SCIM, with no warning in the console.
Admins also report that every app they onboard to KnowBe4 training requires careful group mapping upfront, because smart groups based on attributes cannot be created via SCIM and must be configured separately in the KSAT console.
Common complaints:
- SCIM sync is one-way only (IdP to KSAT); changes made in KSAT console are not reflected back in the IdP.
- Alias/secondary email addresses associated with users are lost when switching from manual management to SCIM provisioning.
- Nested Azure AD (Entra ID) groups are not supported by SCIM provisioning; only direct group members are synced.
- No granular permission customization within admin roles; admins must be Full Admin or Group Admin with no middle-ground options.
- Users cannot be permanently deleted, only archived, which can cause confusion around licensing and data privacy compliance (e.g., GDPR right-to-erasure requests).
- Manual user additions can conflict with SCIM-provisioned records if the same email is used, causing duplicate or overwrite issues.
The decision
Use SCIM provisioning if your IdP is Okta or Azure AD (Entra ID) and SSO is already configured - it is the only way to keep KnowBe4 user state synchronized at scale without manual intervention.
Stick to manual management only for small, stable teams where IdP integration is not feasible, and accept that those users will need to be reconciled manually if SCIM is enabled later. Do not mix manual and SCIM-provisioned users for the same email addresses; the conflict behavior is not predictable and can corrupt user records.
Bottom line
KnowBe4 KSAT is a capable security awareness platform with a straightforward user model, but its manual management path carries real operational debt: no hard delete, one-way sync only, no nested group support, and coarse-grained roles with no permission customization.
Teams that invest in SCIM setup upfront - with SSO as a prerequisite - will avoid the most common failure modes. Those who manage users manually at scale will find reconciliation, offboarding accuracy, and compliance documentation increasingly difficult to maintain without a dedicated process.
Automate KnowBe4 workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
