Some Agents Get Demoted to End Users

3 Comments

  • Dan Cooper
    Comment actions Permalink

    I can't speak to Azure AD sync, but I ran into a similar scenario recently with another identity provider.  We had rules established that would grant agent permissions based on employee metadata, but if that employee was promoted or changed roles - they would no longer meet those conditions and would have their access revoked and they'd fall back to our end user role.  I'm not sure what you can configure in Azure, but it might be worth checking to see if there are any rules or automated processes that might be kicking in that are disqualifying your agents from being agents and pulling their access.  If they are still in an agent group in Azure, it might be worth checking to see if they are in a second group that might be overriding that permission with an end user role as well.  We have users setup with a back up end user role, and it took a bit to make sure they didn't get set to end user over their main role.

    1
  • Elliot Mackenzie
    Comment actions Permalink

    This is exactly the issue we are seeing with some users who have multiple roles courtesy of group memberships in Azure.  By way of simple (contrived) example:

    - group_AllUsers (everyone) -> end user

    - group_ZDAdmins (select users also in 'everyone') -> team leader

    How do I specify somewhere that team leader takes precedence over end user when both are set on the user (Azure supports multiple roles, ZD doesn't)?

    0
  • Eric Henry
    Comment actions Permalink

    For the example I had when I first posted this, we had a CompanyAll group that we used to sync everyone over to Zendesk. It was set to sync those group members as End Users by default. I had also set individual permissions for Agents which I assumed would just override the permissions mentioned above. I was wrong.

    In the end, I had to create new groups specifically to separate users into their roles. One for End Users, one for Agents, and one for Admins. Thankfully, our support team is on the small-ish side, so separating these out wasn't exactly difficult. Once these groups were created and filled (and the CompanyAll group was removed), we added them to the Zendesk App in Azure, and had it run another sync.

    No issues since. I hope this helps!

    0

Please sign in to leave a comment.

Powered by Zendesk