KnowBe4 User and Group Management
Overview
Users and groups are the foundation of KnowBe4's security awareness platform. Users represent individual employees who receive phishing simulations and training. Groups organize users for targeted campaign delivery, reporting segmentation, and risk analysis. Each user has a risk score calculated from their phishing test performance and training completion, providing a quantitative measure of human security risk.
Key Concepts
User Lifecycle
PROVISIONED ──> ACTIVE ──> ARCHIVED
│
└──> SUSPENDED
- Provisioned: User account created, not yet active in campaigns
- Active: User receiving phishing tests and training assignments
- Archived: User deactivated (left the organization)
- Suspended: Temporarily excluded from campaigns (leave, etc.)
Risk Score
The KnowBe4 risk score quantifies an individual user's susceptibility to social engineering:
| Score Range | Risk Level | Description |
|---|
| 0-20 | Low | User consistently passes phishing tests and completes training |
| 20-40 | Moderate-Low | Occasional failures but generally aware |
| 40-60 | Moderate | Average susceptibility, needs regular training |
| 60-80 | High | Frequently fails phishing tests, priority for remediation |
| 80-100 | Critical | Consistently fails tests, immediate intervention needed |
Risk Score Factors
The risk score is influenced by:
| Factor | Weight | Description |
|---|
| Phishing click rate | High | Percentage of phishing tests clicked |
| Data entry rate | Very High | Submitted credentials on landing pages |
| Training completion | Medium | Percentage of assigned training completed |
| Reporting rate | Medium (positive) | Frequency of reporting phishing via PAB |
| Time to click | Low | How quickly user clicked (impulse vs. deliberate) |
| Recency | Modifier | Recent events weighted more heavily |
Group Types
| Type | Description | Use Case |
|---|
| Department | Organizational department (IT, Sales, HR) | Department-specific campaigns |
| Location | Office location or region | Location-based targeting |
| Role-based | Job function (Executive, Manager, Staff) | Role-specific content |
| Risk-based | Grouped by risk score range | Targeted remediation |
| Custom | Manual grouping | Ad-hoc campaigns |
| Smart | Auto-populated based on criteria | Dynamic targeting |
Field Reference
User Fields
| Field | Type | Description |
|---|
id | int | Unique user identifier |
employee_number | string | HR employee number |
first_name | string | First name |
last_name | string | Last name |
email | string | Primary email address |
job_title | string | Job title |
department | string | Department name |
location | string | Office location |
division | string | Division |
manager_name | string | Manager's name |
manager_email | string | Manager's email |
employee_start_date | datetime | Hire date |
phish_prone_percentage | float | Individual phish-prone percentage |
current_risk_score | float | Current calculated risk score |
status | string | active, archived, suspended |
groups | array | Groups the user belongs to |
aliases | array | Email aliases |
joined_on | datetime | When user was added to KnowBe4 |
last_sign_in | datetime | Last platform sign-in |
custom_field_1 through custom_field_4 | string | Custom fields |
custom_date_1 | datetime | Custom date field |
organization | string | Organization name |
language | string | Preferred language |
comment | string | Admin notes |
Group Fields
| Field | Type | Description |
|---|
group_id | int | Unique group identifier |
name | string | Group name |
group_type | string | Type of group |
provisioning_managed | boolean | Managed by provisioning (AD/SCIM) |
member_count | int | Number of members |
current_risk_score | float | Group average risk score |
status | string | active, archived |
Risk Score History Fields
| Field | Type | Description |
|---|
risk_score | float | Risk score at this point in time |
date | datetime | Date of the risk score calculation |
change | float | Change from previous score |
factors | object | Breakdown of contributing factors |
MCP Tools
| Tool | Description | Key Parameters |
|---|
knowbe4_users_list | List all users | status, group_id, page, per_page |
knowbe4_users_get | Get user details | user_id |
knowbe4_users_risk_score_history | Get risk score history for a user | user_id, page, per_page |
knowbe4_users_list_events | List events for a user | user_id, event_type, page |
knowbe4_groups_list | List all groups | status, page, per_page |
knowbe4_groups_get | Get group details | group_id |
knowbe4_groups_list_members | List members of a group | group_id, page, per_page |
knowbe4_groups_risk_score_history | Get risk score history for a group | group_id, page |
Common Workflows
User Risk Assessment
- Get user details with
knowbe4_users_get for current risk score
- Pull risk score history to see trend over time
- Check user events -- phishing test results and training completions
- Compare to group average -- is the user above or below their department?
- Recommend action based on risk level and trend direction
Identify High-Risk Users
- List all users with
knowbe4_users_list
- Sort by
current_risk_score descending
- Filter to users with risk score above threshold (e.g., 60+)
- Cross-reference with group membership for department context
- Generate prioritized remediation list
Group Risk Comparison
- List all groups with
knowbe4_groups_list
- Get group risk scores for each group
- Rank departments by average risk score
- Identify outlier groups -- significantly higher or lower than average
- Recommend targeted campaigns for high-risk groups
New Employee Onboarding
- Create user or verify auto-provisioned via AD/SCIM sync
- Add to appropriate groups (department, location, "New Hires")
- Verify enrollment in onboarding training campaign
- Monitor initial phishing test results
- Adjust group membership after onboarding period
User Offboarding
- Identify departing user by employee ID or email
- Archive the user to remove from active campaigns
- Note: Historical data (phishing results, training) is preserved for reporting
- Verify user is removed from active campaign targeting
Risk Score Trend Analysis
- Pull risk score history for user or group over 6-12 months
- Plot trend -- is risk decreasing (good) or increasing (bad)?
- Correlate with events -- training completion should precede risk decrease
- Identify plateau -- if risk score stopped improving, change training approach
- Report progress to stakeholders
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|
| 400 | Invalid user parameters | Check email format, required fields |
| 401 | Invalid API token | Verify KNOWBE4_API_KEY |
| 403 | Insufficient permissions | API token needs User Management permissions |
| 404 | User not found | Verify user_id exists |
| 404 | Group not found | Verify group_id exists |
| 409 | Duplicate email | User with this email already exists |
| 429 | Rate limit exceeded | Implement backoff (see api-patterns) |
Data Considerations
| Issue | Cause | Resolution |
|---|
| Risk score is null | New user with no test data | Wait for first phishing test |
| User not in expected group | AD sync not configured | Check provisioning settings |
| Archived user still in reports | Historical data preserved by design | Filter by status=active |
| Group member count mismatch | Includes archived users | Filter by active status |
| Custom fields empty | Not configured in console | Set up in Account Settings |
Best Practices
- Use AD/SCIM provisioning -- Automate user lifecycle from Active Directory
- Maintain clean groups -- Regularly audit group membership
- Track risk trends -- Monthly risk score reviews are more useful than point-in-time
- Set risk thresholds -- Define organizational policy for risk score actions
- Segment campaigns by risk -- High-risk users need more frequent, targeted training
- Use manager email field -- Enables manager notification for training compliance
- Clean up departed users -- Archive promptly to keep metrics accurate
- Leverage custom fields -- Map to HR attributes for richer reporting
- Monitor group averages -- Department-level risk trends reveal systemic issues
- Correlate with incidents -- Compare risk scores to actual security incidents
Related Skills