Summary and recommendation
Sophos user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Sophos Central is a cloud-managed cybersecurity platform covering endpoint, mobile, email, and server protection.
Administrator access is managed separately from endpoint licenses - adding or removing an admin account has no effect on licensed seat consumption.
All admin management lives at central.sophos.com under My Account > Administrators.
Quick facts
| Item | Detail |
|---|---|
| Admin console path | Sophos Central > My Account > Administrators (for admin management); Sophos Central > Global Settings > Roles (for role management) |
| Admin console URL | Official docs |
| SCIM available | No |
| SCIM tier required | Endpoint/XDR/MDR |
| SSO prerequisite | No |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Super Admin | Full access to all Sophos Central features, settings, billing, and administrator management. Can create and manage all other admin accounts and roles. | | | No separate seat cost; tied to Sophos Central subscription. | Only one Super Admin account is created at initial setup; additional Super Admins must be explicitly granted this role. |
| Admin | Full access to product configuration and policy management across all assigned groups or the entire estate, depending on scope assigned. | Cannot manage billing or create Super Admin accounts unless explicitly granted. | | No separate seat cost. | |
| Help Desk | Can perform limited remediation tasks such as scanning endpoints, clearing threats, and viewing alerts. Cannot change policies. | Cannot modify security policies, manage licenses, or add/remove administrators. | | No separate seat cost. | |
| Read Only | Can view all settings, policies, alerts, and reports but cannot make any changes. | Cannot modify any settings, policies, or user accounts. | | No separate seat cost. | |
| Custom Role | Configurable subset of permissions defined by a Super Admin or Admin with role management rights. Scope can be limited to specific device groups or sub-estates. | Cannot exceed the permissions of the role creator. | Available in Sophos Central; specific tier requirements not explicitly documented in public pricing pages. | No separate seat cost. | Custom roles are scoped to device groups; a custom role admin only sees and manages devices in their assigned groups. |
Permission model
- Model type: role-based
- Description: Sophos Central uses role-based administration. Predefined roles (Super Admin, Admin, Help Desk, Read Only) are available by default. Custom roles can be created to restrict permissions to specific product areas and device groups. Role-based delegation supports multi-tenant and sub-estate management via Sophos Central Enterprise.
- Custom roles: Yes
- Custom roles plan: Not documented
- Granularity: Roles can be scoped by product area (e.g., Endpoint, Email, Server) and by device group. Granular permission toggles are available when creating custom roles.
How to add users
- Log in to Sophos Central at central.sophos.com.
- Navigate to My Account > Administrators.
- Click Add Administrator.
- Enter the new administrator's email address.
- Select the appropriate role (Super Admin, Admin, Help Desk, Read Only, or a custom role).
- If assigning a custom or scoped role, select the applicable device groups or sub-estates.
- Click Save. An invitation email is sent to the specified address.
- The invitee must accept the invitation and set up their account (including MFA if enforced).
Required fields: Email address, Role selection
Watch out for:
- The invited email address must not already be associated with another Sophos Central account as a Super Admin.
- If multi-factor authentication (MFA) is enforced at the account level, the new admin must enroll MFA before gaining access.
- Invitation links expire; if the invitee does not accept in time, the invitation must be resent.
- Administrators are distinct from end users/devices; adding an admin does not consume an endpoint license.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Not documented |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: This app exposes delete operations in its API documentation, but the admin-console path may present removal as deactivation, archiving, or deletion depending on tenant configuration. Confirm whether the UI action is reversible before treating removal as recoverable.
- Log in to Sophos Central at central.sophos.com.
- Navigate to My Account > Administrators.
- Locate the administrator account to remove.
- Click the delete (trash) icon or select Delete from the action menu next to the account.
- Confirm the deletion when prompted.
| Data impact | Behavior |
|---|---|
| Owned records | Policies, configurations, and device assignments created by the deleted admin remain in place; they are not removed with the admin account. |
| Shared content | Shared policies and group configurations are unaffected by admin deletion. |
| Integrations | API credentials or tokens associated with the deleted admin account may be invalidated; any integrations using those credentials must be reconfigured. |
| License freed | Deleting an administrator account does not free endpoint/device licenses, as admin accounts do not consume endpoint seats. |
Watch out for:
- The Super Admin account that was created at initial account setup cannot be deleted while it is the sole Super Admin; another Super Admin must exist first.
- Deleting an admin who owns active API tokens will break any integrations using those tokens.
- There is no documented account suspension/deactivation state; removal is permanent deletion.
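The three watch-outs above can be checked against an admin inventory before anyone clicks Delete. The following is an added example, not Sophos or vendor code; the record fields, integration names, and sample accounts are constructed for illustration and do not reflect a Sophos export or API format.

```python
# Added example: pre-deletion check for a Sophos Central administrator.
# Field names and records are constructed; they are not a Sophos format.
from dataclasses import dataclass, field


@dataclass
class AdminRecord:
    email: str
    role: str  # e.g. "Super Admin", "Admin", "Help Desk", "Read Only"
    # Names of integrations that authenticate with this admin's API tokens
    api_credentials: list = field(default_factory=list)


def offboarding_findings(admins, departing_email):
    """Return (blockers, warnings) for deleting `departing_email`."""
    by_email = {a.email.lower(): a for a in admins}
    target = by_email.get(departing_email.lower())
    if target is None:
        return ["no administrator with that email in the inventory"], []

    blockers, warnings = [], []
    super_admins = [a for a in admins if a.role == "Super Admin"]
    # The sole Super Admin cannot be deleted; another must exist first.
    if target.role == "Super Admin" and len(super_admins) == 1:
        blockers.append("sole Super Admin: grant the role to another account first")
    # Tokens tied to the account may be invalidated when it is deleted.
    for name in target.api_credentials:
        warnings.append(f"reissue credentials for integration '{name}' under another owner")
    # No suspension state is documented, so the deletion cannot be rolled back.
    warnings.append("deletion is permanent: record role and scope before removing")
    return blockers, warnings


# Constructed inventory for the demonstration
INVENTORY = [
    AdminRecord("root@example.com", "Super Admin", ["siem-export"]),
    AdminRecord("ops@example.com", "Admin", ["ticketing-sync", "asset-inventory"]),
    AdminRecord("desk@example.com", "Help Desk"),
]

if __name__ == "__main__":
    for email in ("root@example.com", "ops@example.com"):
        blockers, warnings = offboarding_findings(INVENTORY, email)
        print(email, "BLOCKED" if blockers else "OK to delete")
        for line in blockers + warnings:
            print("  -", line)
```

Treat any blocker as a stop; warnings are the cleanup list to work through before the account is removed.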
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Sophos Endpoint Protection (Basic/Advanced/XDR) | Per-endpoint/per-user protection license covering endpoint security features at the selected tier. | Approximately $28–$79/user/year on 3-year term depending on tier (per pricing seed data; verify current pricing with Sophos). |
| Sophos Mobile | Mobile device management and security per enrolled device/user. | Approximately $29.75–$34.40/user/year volume-dependent (per pricing seed data). |
| Sophos Email | Email security per mailbox. | |
| Sophos Server Protection | Per-server protection license. | |
- Where to check usage: Sophos Central > My Account > Licensing (shows current license counts, usage, and expiry dates per product)
- How to identify unused seats: In Sophos Central under Licensing, compare the number of licensed seats against active/enrolled devices. Devices that have not communicated with Sophos Central for an extended period can be identified in the Devices list by last-seen date and removed to free up managed device counts.
- Billing notes: Sophos licenses are sold through partners/resellers on annual or multi-year terms. License counts are tied to enrolled endpoints/devices, not to administrator accounts. Adding or removing administrator accounts does not affect license consumption. License renewals and changes typically require contact with a Sophos partner or the Sophos sales team.
The cost of manual management
Sophos licenses are sold per endpoint or per user on annual or multi-year terms, typically through a reseller. Endpoint tiers run from approximately $28 to $79 per user per year on a 3-year commitment depending on the tier (Basic, Advanced, or XDR). Mobile protection is priced separately at approximately $29.75–$34.40 per user per year, volume-dependent.
Pricing for the Email and Server Protection tiers is not listed here; verify it directly with your Sophos partner. License counts are tied to enrolled devices, not to administrator accounts.
The decision
Manual administration in Sophos Central is straightforward for single-tenant environments with a small admin team. The role model covers every management scenario from full Super Admin access down to scoped Help Desk remediation, and custom roles let you restrict visibility to specific device groups.
The workflow breaks down at scale: there is no native SCIM endpoint, so automated provisioning requires the Okta connector or a custom API integration.
If your team manages more than a handful of admins or operates a multi-tenant estate, the manual process introduces meaningful overhead and offboarding risk - particularly around API token cleanup when admins are deleted.
Bottom line
Sophos Central gives you a clean, role-based admin model that covers every access pattern from read-only auditors to scoped device-group owners.
The manual workflow is reliable for small teams but carries real offboarding risk: deleted admin accounts silently invalidate any API tokens they owned, and there is no deactivation state - only permanent deletion.
Teams operating at scale or with compliance requirements around access reviews should plan for API-based automation from the start rather than treating it as a future upgrade.