The Account Settings area is where you can view your account's subscription information, enable or disable various features, or customize certain aspects of your KMSAT account.
To access this area after logging in to your account, click your email address on the top-right, then click Account Settings.
Here you can see your subscription level, the number of seats you have available, and how many active users are currently on your account. To make changes to your subscription details, contact your Account Manager or CSM.
Most of the information you set here will define the information that placeholders will pull from in the console. Placeholders can be used to automatically populate phishing templates, landing pages, and training notifications with company-specific information.
Company Logo URL
- Enter the URL for your company logo to use it in templates. Once added, the company logo can be used in phishing templates, landing pages, and training notifications by selecting one of the company logo placeholders. We recommend using a small logo of 200px by 200px.
- Upload a company logo to your KnowBe4 account to personalize the experience your users have upon logging in for training. Your logo will replace the logo on the top-left of the console after logging in. View the requirements for this logo at the link below.
- See: How Do I Add My Company's Logo to the Console?
Date and Time Format
- Specify the default date and time format to indicate how the date and time should be displayed throughout the console.
- See: Modifying the Default Date and Time Format
Business Hours, Business Days, and Time Zone
- Customize your account's default business hours, business days, and time zone.
- See: How Do I Set up My Account's Time Zone, Business Days, and Hours?
If your email environment includes multiple email domains, you can click Allowed Domains to add more subdomains or root domains to your KnowBe4 account.
See the following articles for more information:
User Event API
If your organization uses KnowBe4's User Event API, you can click User Event API to visit the User Event API Management Console (a Platinum/Diamond subscription level is required).
Here you can enable or disable SAML on your account. You will need the information listed in this section to set up SAML with your single sign-on (SSO) provider. If you need to enable SAML to allow your users to log in for training using your SSO provider, please follow the instructions listed in our How to Set Up SAML/SSO for the Security Awareness Training Platform article to enable SAML in your account based on your specific SSO provider.
Enable SAML SSO
- Select the Enable SAML SSO option to enable SSO with SAML on your account. By default, this option is disabled. Use the information below to complete the process with your appropriate SSO provider.
- See: How to Set Up SAML/SSO for the Security Awareness Training Platform.
Allow SAML User Provisioning
- This setting is only available when SAML is enabled and is selected by default. When enabled, users who do not already have an account can create a new account by entering their email address from the login window. As long as the SAML authentication was successful, the new user's account is created. If you have this feature disabled, users who do not already have an account will get an error message when they enter their email address.
IdP SSO Target URL
- Enter your Identity Provider or SSO URL into the field.
IdP Cert Fingerprint
- Enter the fingerprint of your Identity Provider's SAML certificate. By default, the SHA-1 option is selected.
- When configuring the SAML connection to your IdP, enter the ID found in this section. Depending on your IdP, the Entity ID field can also be known as the SAML Audience or Identifier.
Generate Unique Entity ID
- If you are managing multiple accounts, your Identity Provider may not allow the same entity ID to be entered multiple times in the same Identity Provider account. This can make it so that your users cannot log in with SSO. Use this option to generate a unique entity ID to use for this account. However, be aware that if you do change the entity ID, SSO will not work for your users until you update the entity ID in your Identity Provider account.
Restore Default Entity ID
- If you have generated a unique entity ID, you'll see the Restore Default Entity ID button. Clicking this button will restore your entity ID back to "KnowBe4" and any existing SAML connection using that ID will stop functioning.
SSO Sign-in URL
- This field provides the Login URL or SAML Endpoint URL. This URL will redirect your users to the IdP SSO URL, found at the top of the SAML dropdown menu, when they try to log in.
SSO Sign-out URL
- This field provides the Logout URL.
SSO Callback (ACS) URL
- This field provides the Assertion Consumer Service URL. This URL receives the authentication response from your IdP.
- The SAML ID is a unique code that links your users back to your KnowBe4 account. Your SAML ID cannot be changed so it is important to not share this information.
- This URL contains the Service Provider metadata file and can be used to automatically configure the SAML connection on your IdP. You can only use the metadata URL where applicable.
Bypass-SSO Login URL
- If you would like to bypass SSO, this URL will bypass the SSO redirect and can be used to log into the KnowBe4 console using your email and password.
Allow Users to Create Accounts
- This option is unchecked by default. We recommend keeping this option unchecked except in special cases.
- Why would I want to enable the Allow Users to Create Accounts option?
- Enabling this option allows your users to sign themselves up for their own KnowBe4 account. If this option is enabled, users who do not have an account in the console already can create their own by entering their work email address into the login form located at https://training.knowbe4.com (or https://eu.knowbe4.com, depending on where your account is located). Users who sign up using this method will be added to your user list immediately.
- If you're allowing users to sign up for their own accounts, you can also set up a "self-service" training campaign, where users who sign up can be automatically enrolled in training.
- To do this, you'll set up a campaign with the below settings:
- Enroll Groups: All Users
- Enable automatic enrollment for new users: Enabled
- Once this campaign is created and the Allow Users to Create Accounts option is enabled, you can direct your users to KnowBe4 to self-enroll.
- Why is this option unchecked by default?
- The consequence of allowing users to sign up on their own is that they may misspell their email address or sign up with an email alias (such as email@example.com instead of firstname.lastname@example.org). If this occurs, there may be duplicate user accounts in your user list.
- Duplicate accounts could also cause users to receive additional phishing tests and training notifications for each email account they've signed up with. If this issue occurs, we recommend that you merge the duplicate user accounts and retain only one account for each user.
Use Password-less Login
- Enable this option if you'd prefer your users to log in for training without needing to use a password.
- Be sure to use training notifications tagged with "password-less" if you choose this option, or create your own training notifications using our "password-less" placeholders.
- You can also disable password-less login for administrators on your account by selecting Disable Password-less Login For Admins. Admins will need to log in with their email and password or through single sign-on, depending on your account setup.
- See: How to Enable and Use Password-less Logins
Expire Password-less Link After X Days
- If you're using password-less logins, this setting defines how long the password-less link will remain active for your users.
Admin Session Timeout
- Select the length of time that you would like KnowBe4 admin account sessions to remain active. After the specified time period of account inactivity has passed, admins will be logged out. The default setting is 48 hours.
User Session Timeout
- Select the length of time that you would like KnowBe4 user sessions to remain active. After the specified time period of account inactivity has passed, users will be logged out. The default setting is 48 hours.
Minimum Password Length
- Select the minimum required length for user passwords, between 8 and 32 characters.
Enable User Provisioning (User Syncing)
- Enabling this option will allow you to use an identity provider to manage your users. Upon enabling either ADI or SCIM and updating your Account Settings, you will see an additional tab beneath the Users tab for user provisioning.
- Test Mode is enabled by default and should be kept on until you are satisfied with the results of your ADI or SCIM behavior. You can view the details of your sync and what would have occurred if test mode was "off" under Users > Provisioning.
ADI | SCIM
- Use this toggle to select which type of user provisioning you would like to enable. After selecting an option, use the Settings window for the selected option to complete the setup.
Active Directory Integration Settings
Show Group Domain
- If your users are split between multiple domain sources, enabling this option will allow you to add the root domain to each of the AD-synced group names in the KnowBe4 console so that you can better organize your users.
- See: FAQ: Show Group Domain
AD Sync Token
- This is your unique account token which you'll need during the installation process of Active Directory Integration (ADI). You may generate a new token if you would like by clicking the Regenerate token button.
Please be aware that if you regenerate the AD sync token, you will not be able to sync your active directory until you update your Active Directory Sync Tool with the new sync token. We recommend only using this feature to stop existing syncs from a tool that you don't know the location of in order to set up syncing with a new tool. For information on ADI, see this article.
Download Active Directory Sync Tool
- You'll need to download and install this to run ADI.
View Installation Guide
- This link will take you to our help desk's installation guide for ADI. Be sure to read this prior to installing the tool.
- See: Active Directory Integration (ADI)
Generate SCIM token
- This is your unique account token which you'll need when setting up SCIM with your identity provider. You must copy this token before closing the window as you will not be able to view the token again. Once your SCIM token is generated, this button will change to the Regenerate SCIM Token button.
- This is your account-specific tenant URL which you'll need when setting up SCIM with your identity provider.
- Once SCIM has been enabled, you'll see more options available for troubleshooting purposes. For more information on these options, see our SCIM Configuration Guide.
Disable Email Open Tracking
- You can check this option to remove the small tracking image that we place in each phishing email which tracks if and when your users open the email in their inbox.
- See: How Do You Track Email Opens?
Include Archived Users In Reports
- Enabling this option will allow you to include data from archived users in all phishing reports. If this option is disabled, data from archived users will not be included in phishing reports. By default, this option is disabled.
Default Landing Page
- If you would like to set a default landing page to be used across all phishing campaigns, you have the option to select a landing page from the drop-down. You will still have the option to select a different landing page when setting up a phishing campaign or editing an email template.
Default Landing Domain
- If you would like to set a default landing domain to be used across all email templates, you have the option to select a landing domain from the drop-down. You will still have the option to select a different landing domain when editing an email template.
Overwrite [[domain]] Placeholder
- Enable this option to change what the [[domain]] placeholder displays in phishing templates and landing pages. After enabling this option, enter a correctly-formatted domain in the text field.
- Why would I want to enable the Overwrite [[domain]] Placeholder option?
- If your organization does not want you to spoof your users' domains.
- If you have spoofing prevention in place that would prevent emails spoofing your domain from being delivered successfully.
- When this option is unchecked, the [[domain]] placeholder will use the recipient's email domain. For information on how the [[domain]] placeholder works by default, check out this article.
If using a lookalike domain (one that is similar to your actual domain), it is best to purchase that domain so that you own it. If someone else purchases that lookalike domain and your users reply to the email, they may be replying to someone other than you. Please be aware that using a real domain with anti-spoofing protection could affect mail deliverability.
Disable Template Attack Vectors
- Use this option to disable phishing email templates that use specific attachment attack vectors. For example, if you don't want your users to receive simulated phishing attacks that include PDF attachments, you can select PDF Attachments from this list. For more information about our phishing attack vectors, see this article.
Overwrite Sender Address with Reply-to Address For OOO Replies (Out of Office Replies)
- If you are using reply-to phishing, tracking out of office replies, and using Microsoft Exchange or Microsoft 365, you'll want to enable this feature.
- See: Reply-to Phishing: Should I track out of office replies?
Overwrite Return-path Address with Reply-to Address
- Use this option to change the return-path address to the reply-to address during a reply-to phishing campaign. You will want to use this option if your mail server settings require the return-path address and reply-to address to match.
- For more information on reply-to phishing, see our Reply-To Phishing article.
Phishing Email Headers
Overwrite Fixed Return-path Address with Sender Address
- You'll likely want to check this setting if you are using GSuite/Google Apps as your mail server. With this setting deselected, Gmail users may see "via KnowBe4" text alongside the sender email address when phishing test emails arrive in their inbox.
- See: Why Does Google Mail Show "Via KnowBe4" On The Phishing Tests?
Disable X-PHISHTEST Header
- With the header disabled through this setting, our standard X-PHISHTEST header will not be included in phishing emails.
Enable PST Header Token
- If selected, the generated token will be included in an X-KB4TOKEN header in phishing emails. You may generate a new token if you would like by clicking the Regenerate token button.
Add Custom Header
- Select this checkbox and use the text boxes to set the custom header name and header value for phishing emails. You must enter a value in each field. If you're whitelisting our phishing emails by email header, you can enable this setting and then whitelist your custom header text for increased security.
Enable DKIM Signature
- Select this checkbox to add a DKIM signature to your phishing emails for increased security. If your organization requires DMARC/DKIM checking for incoming messages, you will want to have this checkbox selected. The signing domain is ispservices.org if you are in the US or ispservices.co.uk if you are in the EU.
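The header settings above matter most on the receiving side, where the mail filter decides which messages skip filtering. The Python sketch below is an added example, not KnowBe4 code or a KnowBe4 recommendation: it grants the bypass only when a message carries exactly one X-KB4TOKEN header with the expected value and the local gateway recorded a DKIM pass for one of the signing domains named above. The token value, gateway name, and sample messages are constructed, and it assumes the gateway removes inbound Authentication-Results headers that claim its own name.

```python
import hmac
from email import message_from_string

# Assumptions: the token is the one generated under "Enable PST Header Token";
# the gateway name is hypothetical; the signing domains come from this page.
EXPECTED_TOKEN = "constructed-token-0000"   # placeholder, not a real token
TRUSTED_AUTHSERV_ID = "mx.example.test"
SIGNING_DOMAINS = {"ispservices.org", "ispservices.co.uk"}


def dkim_pass_domains(msg):
    """Domains with dkim=pass according to our own gateway's verdict only."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(str(value).split()).split(";")]
        head = parts[0].split()
        if not head or head[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # verdict written by another host: ignore it
        for result in parts[1:]:
            tokens = result.split()
            if not tokens or tokens[0].lower() != "dkim=pass":
                continue
            for item in tokens[1:]:
                if item.lower().startswith("header.d="):
                    domains.add(item.split("=", 1)[1].lower())
    return domains


def allow_bypass(raw_message):
    """True only if both the header token and the DKIM verdict check out."""
    msg = message_from_string(raw_message)
    tokens = msg.get_all("X-KB4TOKEN", [])
    if len(tokens) != 1:  # missing or duplicated token header
        return False
    supplied = str(tokens[0]).strip().encode()
    token_ok = hmac.compare_digest(supplied, EXPECTED_TOKEN.encode())
    return token_ok and bool(dkim_pass_domains(msg) & SIGNING_DOMAINS)


def build(headers):
    """Assemble a minimal constructed message from (name, value) pairs."""
    return "".join(f"{k}: {v}\n" for k, v in headers) + "\nbody\n"


# Constructed sample messages.
LEGIT = build([
    ("Authentication-Results",
     "mx.example.test; dkim=pass header.d=ispservices.org"),
    ("X-PHISHTEST", "constructed-value"),
    ("X-KB4TOKEN", EXPECTED_TOKEN),
])
HEADER_ONLY = build([
    ("Authentication-Results", "mx.example.test; dkim=none"),
    ("X-PHISHTEST", "constructed-value"),
])
FOREIGN_VERDICT = build([
    ("Authentication-Results",
     "other.example.test; dkim=pass header.d=ispservices.org"),
    ("X-KB4TOKEN", EXPECTED_TOKEN),
])

if __name__ == "__main__":
    for name in ("LEGIT", "HEADER_ONLY", "FOREIGN_VERDICT"):
        print(name, allow_bypass(globals()[name]))
```

A message that only carries the X-PHISHTEST header, or whose DKIM verdict was written by another host, stays subject to normal filtering.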
Direct Message Injection
- In this section, you can enable and edit your Direct Message Injection settings.
- Direct Message Injection (DMI) eliminates the need to whitelist simulated phishing emails by creating a secure link between your KnowBe4 console and your Microsoft 365 Account. See our Direct Message Injection Guide for more information.
Enable AIDA Beta
- Enabling this option will add a new tab to your KnowBe4 account, AIDA. AIDA is our Artificial Intelligence Driven Agent and allows you to simulate a multi-faceted social engineering attack, which will prompt your users to click on a phishing link, tap on a link in a text message, or respond to a voicemail--any of which could compromise your network. You can participate in the beta testing of this feature by selecting this option.
- This option is only available on accounts located on https://training.knowbe4.com.
- See: AIDA
Enable Second Chance Management
- Here, you can enable Second Chance management on your KnowBe4 account, adding the Second Chance tab to the top of your screen.
- See: Second Chance Installation Guide
Days Shown on Overview Page
- This option is only available to Partner accounts. Use this field to select the number of days that you would like to include when displaying the User Actions data on the Second Chance Overview Page. The default setting is 30 days.
Enable Reporting API Access
- Here, you can enable access to our reporting APIs. (A Platinum/Diamond subscription level is required.)
- See: KnowBe4 API Reference Guide
- Here, you can configure and customize aspects of the Phish Alert Button (PAB). The various settings and their functions are detailed in the Enabling and Configuring Phish Alert section of our PAB installation guide.
- See: Enabling and Configuring Phish Alert
- If you have PhishER, you can click the Go to PhishER button to open the PhishER interface.
- See: PhishER Product Manual
Enable Content Surveys for All New Training Campaigns
- This setting automatically checks the Enable Content Survey option for all new training campaigns. You can still turn off content surveys when setting up new training campaigns.
- Content surveys help create more accurate recommendations and provide users an opportunity to share their feedback. See our How to Use Surveys article for more information.
Training Email Headers
Overwrite Fixed Return-path Address with Sender Address
- You'll want to check this setting if you are using SPF alignment checks and want to spoof your domain. Please make sure you have whitelisted KnowBe4's servers before selecting this option.
Add Custom Header
- Select this checkbox and use the text boxes to set the custom header name and header value for training notifications. If you're whitelisting your training notifications by email header, you can enable this setting and then whitelist your custom header text for increased security.
Email Exposure Check
For more information about EEC Pro, please visit our Email Exposure Check Product Manual article.
Run Scan on this Day of the Month
- This setting is used to set which day you would like to run a monthly Email Exposure Check. For example, if you would like to run an Email Exposure Check on the 17th day of each month, use the drop-down menu to select the number 17.
Last Scanned on
- This shows the date that your last Email Exposure Check scan was queued. This date can be different from the scan’s completion date.
Scan User Email Address Now
- Use this button to run your Email Exposure Check.
Learner Experience (LX)
See a short video that explains these options here.
Enable Learner Dashboard
You have the option to enable the Learner Dashboard for your users to view information about their training progress. Here users will see a summary of their training completion including the training status and due dates. Optionally, you can choose to show the user’s Phishing Test Results, Personal Risk Score, and gamification statistics. Learn more about the Learner Dashboard here.
- Set an optional color theme for your Learner Experience. We recommend matching the color to your organization's brand or logo colors. This will provide a familiar learning environment for your end-users.
Upload Branded Certificate
- Use this option to upload a branded certificate. This allows you to design and upload a custom background image for your certificates, giving them a look and feel that matches your organization. Use the templates in this article as a starting point to make sure the auto-generated text aligns correctly. For more information, see here.
Other LX Settings
Reduce Visual Effects in Learner Experience
- This setting will reduce visual effects in the learner experience. Enable this setting if you have slower workstations in your environment or are using Citrix or Flash-based browsers.
- Click this checkbox if you'd like to enable Badges. Learn more about Badges here.
Badges Available to Users
- Select the badges that you'd like to allow users to earn. Learn more about badges and how users can earn them here.
- To enable your leaderboard, click this drop-down and select Group Leaderboard. To turn off your leaderboard, select No Leaderboard.
Leaderboard Time Period
- Select the time range for rankings you'd like your leaderboard to display. Any enrollment that was active during that time period will be included in the leaderboard rankings.
- Select from: Past 30 Days, Past 90 Days, Current Quarter, Current Year, or All Time.
Groups to Include in Leaderboard
- Select between 3 and 25 groups to include in your leaderboard. Only groups selected in your Account Settings will be included in your leaderboard. Users who are not a part of the selected groups will not be able to view your leaderboard.