Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Sophos Email: [Self Service Portal]: Revoke Self Service portal access for a user

Hi Everyone!

I have just handled a query where the administrator wanted to revoke Self Service Portal access on a particular user.

If you are in this kind of situation, currently the ability to disable access is not present.

If you would like this feature to be added into the product, I would recommend getting a feature request lodged through your Sophos Partner or Sales representative as per this link:

In the meantime, here is what you can do:

1. Make sure that you do not have "Sophos Central Self Service Portal access" enabled. This feature needs to be disabled otherwise the user will automatically receive the Welcome email which give them instructions on how to access the Self Service Portal by setting up a password for the account.

This should be in 'Global Settings > Sophos Central Self service > User Access'.

Here is a screenshot:

2. You need to delete the user from the 'Email Security > Manage Protection > People' page and then recreate it.

If the user was created through Directory Services (via ADsync tool or AzureAD Sync) then you will have to delete the user in the People page as well but re-synchronize so that the user will be recreated.

Here is the behavior that the user will see if the above has been done by the administrator:

1. The user will not be able to authenticate through the Self Service Portal anymore and will get this error:

2. Even if they reset the password, the error will keep showing up.

3. The only way they can get access back would be if the administrator sends the Welcome Email again  via the 'People' page by selecting the user and clicking on the 'Email Setup Link' button. Here is the screenshot of the pop-up:

NOTE: If you are not able or allowed to disable the Self Service Portal access stated on step #1 please get a Support case created to see if there is any alternative way of revoking access to the affected user without affecting others.

Edited title
[edited by: Raphael Alganes at 8:49 AM (GMT -8) on 11 Jan 2024]