
Overview

The User Management API enables you to create, modify, and manage users within your CrowdStrike Falcon environment. You can assign roles, manage permissions, perform user actions, and control access to your organization’s security resources.
All user management operations require User management: Read or User management: Write permissions.

User Operations

Create a User

Create new users in your Falcon environment. If no password is provided, users receive an email with a link to set their password.
New-FalconUser
New-FalconUser -Username '[email protected]' -FirstName 'John' -LastName 'Doe'
Username (string, required): Email address for the user account. Must be a valid email format.
FirstName (string): User's first name
LastName (string): User's last name
Password (string): Password for the user. Must contain at least 12 characters with uppercase, lowercase, numbers, and special characters (#?!@$ %^&*-). If omitted, the user receives an email to set a password.
Cid (string): Customer identifier for MSSP child CID user creation. Must match pattern [a-fA-F0-9]{32}(-\w{2})?
ValidateOnly (boolean): Validate whether the user can be created without actually creating them
Password requirements: minimum 12 characters, at least one uppercase letter, one lowercase letter, one number, and one special character.
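The policy above can be checked locally before the request is sent, so that a -ValidateOnly dry run is only spent on input that can pass. This is an added example, not code from the PSFalcon module or its documentation; the email pattern and the sample input are constructed, and only the final New-FalconUser call needs an authenticated PSFalcon session.

```powershell
# Added example (not part of the PSFalcon docs): pre-check New-FalconUser input
# against the documented password, email and CID rules before calling the API.
function Test-FalconUserInput {
    param(
        [Parameter(Mandatory)] [string] $Username,
        [string] $Password,
        [string] $Cid
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Username must be an email address (constructed check, kept deliberately simple)
    if ($Username -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $problems.Add("Username '$Username' is not a valid email address")
    }

    # Password policy from the Create a User section. An omitted password is fine:
    # the user then receives an email to set one. -cnotmatch keeps the case checks
    # case-sensitive, which -notmatch would not.
    if ($Password) {
        if ($Password.Length -lt 12)              { $problems.Add('Password shorter than 12 characters') }
        if ($Password -cnotmatch '[A-Z]')         { $problems.Add('Password lacks an uppercase letter') }
        if ($Password -cnotmatch '[a-z]')         { $problems.Add('Password lacks a lowercase letter') }
        if ($Password -notmatch '[0-9]')          { $problems.Add('Password lacks a number') }
        if ($Password -notmatch '[#?!@$ %^&*\-]') { $problems.Add('Password lacks a special character (#?!@$ %^&*-)') }
    }

    # MSSP child CID must match the documented pattern when supplied
    if ($Cid -and $Cid -notmatch '^[a-fA-F0-9]{32}(-\w{2})?$') {
        $problems.Add("Cid '$Cid' does not match [a-fA-F0-9]{32}(-\w{2})?")
    }
    return $problems
}

# Constructed sample input: the password has no digit, so one problem is reported
$Params = @{
    Username  = 'jane.doe@example.com'
    FirstName = 'Jane'
    LastName  = 'Doe'
    Password  = 'CorrectHorse!Battery'
}
$Problems = Test-FalconUserInput -Username $Params.Username -Password $Params.Password
if ($Problems.Count -gt 0) {
    $Problems | ForEach-Object { Write-Warning $_ }
} else {
    # Dry run against the API first; drop -ValidateOnly to actually create the user
    New-FalconUser @Params -ValidateOnly $true
}
```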

Get Users

Search for and retrieve user information.
Search by Filter
Get-FalconUser -Filter "last_name:'Smith'" -Detailed
By Username
Get-FalconUser -Username '[email protected]' -Include roles
By User ID
$UserId = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Get-FalconUser -Id $UserId
Id (string[]): User identifier(s) in UUID format
Filter (string): Falcon Query Language expression to filter results (e.g., last_name:'Doe', uid:*'@example.com')
Sort (string): Sort results by field and direction: first_name|asc, first_name|desc, last_name|asc, last_name|desc, name|asc, name|desc, uid|asc, uid|desc
Limit (integer): Maximum number of results per request (1-500)
Offset (integer): Position to begin retrieving results
Username (string[]): One or more email addresses to search for
Include (string[]): Include additional properties. Available: roles
Detailed (switch): Retrieve detailed user information
All (switch): Repeat requests until all available results are retrieved
Total (switch): Display total result count instead of results

Modify User

Update user information such as first name or last name.
Update Name
Edit-FalconUser -Id 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' -FirstName 'Jane' -LastName 'Doe-Smith'
FirstName (string): New first name for the user
LastName (string): New last name for the user
Id (string, required): User identifier (UUID format)

Remove User

Delete a user from your Falcon environment.
Delete User
Remove-FalconUser -Id 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Id (string, required): User identifier to remove (UUID format)
Removing a user is permanent and cannot be undone. Ensure you have proper authorization before deleting users.

Role Management

Assign Roles

Grant roles to users to control their permissions within Falcon.
Assign Role
Add-FalconRole -UserId 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' -Cid '1234567890abcdef1234567890abcdef' -Id 'falcon_administrator'
Assign Multiple Roles
Add-FalconRole -UserId 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' -Cid '1234567890abcdef1234567890abcdef' -Id @('event_viewer', 'detection_responder')
Assign with Expiration
Add-FalconRole -UserId 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' -Cid '1234567890abcdef1234567890abcdef' -Id 'temp_admin' -ExpiresAt '2026-12-31T23:59:59Z'
UserId (string, required): User identifier (UUID format)
Cid (string, required): Customer identifier (32-character hexadecimal, optionally with 2-character suffix)
Id (string[], required): One or more role identifiers to assign
ExpiresAt (string): Role expiration date and time in RFC3339 format (UTC): YYYY-MM-DDTHH:mm:ssZ

Get Roles

Retrieve available roles and user role assignments.
Get All Roles
Get-FalconRole -Detailed
Get User's Roles
Get-FalconRole -UserId 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Get Specific Role
Get-FalconRole -Id 'falcon_administrator'
Id (string[]): Role identifier(s) to retrieve
UserId (string): User identifier to retrieve role assignments for
Cid (string): Customer identifier to filter results
DirectOnly (boolean): Display only direct user role grants (excludes inherited roles)
Filter (string): Falcon Query Language expression to filter results
Sort (string): Sort by: cid|asc, cid|desc, role_name|asc, role_name|desc, type|asc, type|desc
Limit (integer): Maximum results per request (1-500)
Offset (string): Position to begin retrieving results
Detailed (switch): Retrieve detailed role information
All (switch): Repeat requests until all results are retrieved
Total (switch): Display total result count

Remove Roles

Revoke roles from users.
Remove Role
Remove-FalconRole -UserId 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' -Cid '1234567890abcdef1234567890abcdef' -Id 'temp_admin'
UserId (string, required): User identifier (UUID format)
Cid (string, required): Customer identifier
Id (string[], required): Role identifier(s) to revoke

User Actions

Perform administrative actions on user accounts.
Reset Password
Invoke-FalconUserAction -Name 'reset_password' -Id 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Reset Two-Factor Authentication
Invoke-FalconUserAction -Name 'reset_2fa' -Id 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
Name (string, required): Action to perform: reset_password or reset_2fa
Id (string[], required): User identifier(s) to perform the action on
reset_password sends a password reset email to the user. reset_2fa clears the user’s two-factor authentication settings, requiring re-enrollment.

User Provisioning Workflow

Here’s a complete example of provisioning a new user with roles:
Complete User Provisioning
# Step 1: Create the user
$NewUser = New-FalconUser -Username '[email protected]' -FirstName 'Security' -LastName 'Analyst'

# Step 2: Assign roles
Add-FalconRole -UserId $NewUser.uuid -Cid '1234567890abcdef1234567890abcdef' -Id @('event_viewer', 'detection_responder')

# Step 3: Verify user and roles
Get-FalconUser -Id $NewUser.uuid -Include roles -Detailed
Temporary Access Grant
# Create temporary user with time-limited role
$TempUser = New-FalconUser -Username '[email protected]' -FirstName 'Temp' -LastName 'Contractor'

# Assign role with 30-day expiration
$ExpirationDate = (Get-Date).AddDays(30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Add-FalconRole -UserId $TempUser.uuid -Cid '1234567890abcdef1234567890abcdef' -Id 'falcon_dashboard_viewer' -ExpiresAt $ExpirationDate

Common Roles

falcon_administrator: Full administrative access to all Falcon features
detection_responder: View and respond to detections and incidents
event_viewer: Read-only access to events and detections
real_time_responder: Execute Real Time Response sessions

Best Practices

1. Use Strong Authentication
Always enforce strong passwords and enable two-factor authentication for all users.
2. Principle of Least Privilege
Assign only the minimum roles required for users to perform their job functions.
3. Regular Audits
Periodically review user accounts and role assignments using Get-FalconUser -Include roles -Detailed.
4. Temporary Access
Use the ExpiresAt parameter when granting temporary elevated privileges.
5. Offboarding Process
Remove users promptly when they leave the organization using Remove-FalconUser.
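Practices 2, 3 and 4 come together in a periodic review that lists every direct role grant and flags privileged roles and temporary grants that have expired or are about to. The script below is an added example, not part of the PSFalcon module or its documentation; it assumes an authenticated PSFalcon session, assumes user objects expose 'uuid' and 'uid' (the fields the page's own examples and FQL filters use), and assumes role grants expose 'role_id', 'cid' and 'expires_at', which are assumed property names to adjust to what your tenant returns.

```powershell
# Added audit example (not from the PSFalcon docs). Requires an authenticated
# PSFalcon session. Property names role_id, cid and expires_at on the grants are
# assumptions; uuid and uid on users follow the page's own examples.
function Get-FalconRoleAudit {
    param(
        # Roles whose holders should be reviewed explicitly (least privilege)
        [string[]] $Privileged = @('falcon_administrator', 'real_time_responder'),
        # Flag temporary grants that end within this many days
        [int] $ExpiryWarningDays = 7
    )
    $Now = [datetimeoffset]::UtcNow
    foreach ($User in Get-FalconUser -All -Detailed) {
        # Direct grants only, so inherited roles do not hide who was granted what
        $Grants = Get-FalconRole -UserId $User.uuid -DirectOnly $true
        foreach ($Grant in $Grants) {
            $Flags = @()
            if ($Grant.role_id -in $Privileged) { $Flags += 'privileged' }
            if ($Grant.expires_at) {
                # ExpiresAt is RFC3339 UTC, so compare as offsets, not local time
                $Expires = [datetimeoffset]::Parse($Grant.expires_at)
                if ($Expires -lt $Now) { $Flags += 'expired' }
                elseif (($Expires - $Now).TotalDays -le $ExpiryWarningDays) { $Flags += 'expiring' }
            }
            [pscustomobject]@{
                Username  = $User.uid
                UserId    = $User.uuid
                Cid       = $Grant.cid
                Role      = $Grant.role_id
                ExpiresAt = $Grant.expires_at
                Flags     = ($Flags -join ',')
            }
        }
    }
}

# Review flagged grants first; keep the full list as the audit record
$Audit = Get-FalconRoleAudit
$Audit | Where-Object Flags | Format-Table -AutoSize
$Audit | Export-Csv -Path "falcon-role-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Expired grants that the platform has already removed will not appear, so an empty 'expired' column is expected on a tenant where ExpiresAt is used consistently.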
