Seat management
Cloudflare Zero Trust subscriptions consist of seats that active users in your account consume. Active users are added to Zero Trust through any authentication event.
The amount of seats available in your Zero Trust account depends on the amount of users you purchase. If you want to increase the number of seats available, you will have to purchase more users. Learn more about adding and removing seats from your account in the Zero Trust FAQ.
A user consumes a seat when they perform an authentication event. For Access, this is any Cloudflare Access authentication event, such as a login to the App Launcher or an application. For Gateway, this means any Cloudflare WARP authentication event, such as enrolling a device to your Zero Trust organization.
If either one of these events occurs, that user’s identity is added as an Active user to Zero Trust and consumes one seat from your plan. The user will occupy and consume a single seat regardless of the number of applications accessed or login events from their user account. Once the total amount of seats in the subscription has been consumed, additional users who attempt to log in are blocked.
A user who authenticates will hold their seat until you remove the user from your account. By default, inactive users will not be automatically removed from your account. You can remove a single user or all users at any time, and those users will immediately stop counting against the seat count defined in your subscription.
If you notice a number of accounts greater than the number of your users, you may need to configure an Access bypass policy. Alternatively, you can use Access service tokens to allow access to applications without consuming seats.
To check the number of seats consumed by active users in your organization, log in to Zero Trust ↗. Zero Trust overview will display the amount of seats consumed and the remaining amount available. For more details on your users, go to My team > Users.
When you revoke a user, this action will terminate active sessions, but will not remove the user’s consumption of an active seat.
To revoke a user from your Zero Trust organization:
- In Zero Trust ↗, go to My team > Users.
- Select the checkbox next to a user with an Active status in the Seat usage column.
- Select Action > Revoke.
- Select Revoke sessions.
Revoked users can still log in if your policies allow them.
Removing a user from your Zero Trust organization will free up the seat the user consumed. The user will still appear in your list of users.
To remove a user from your Zero Trust organization:
- In Zero Trust ↗, go to My team > Users.
- Select the checkbox next to a user with an Active status in the Seat usage column.
- Select Action > Remove users.
- Select Remove.
The user will now show as Inactive and will no longer occupy a seat. If a user is removed but authenticates later, they will consume a seat again.
To automate the removal of users who have not logged in or triggered a device enrollment in a specific amount of time, turn on seat expiration.
Cloudflare Zero Trust can automatically remove any user who does not log in to an Access application or who does not trigger a device enrollment event within a specified time period (between one month and one year). These users will no longer count against your number of seats.
To enable user seat expiration:
- In Zero Trust ↗, go to Settings > Account.
- In Seat Expiration, select Edit.
- Select an inactivity time from the dropdown menu.
- Select Save.
If a user is removed but authenticates later, they will consume a seat again.
For more information about removing a user for Access and Gateway, refer to the FAQ.