Microsoft Entra ID randomly downgrades Agent Roles | Community
Skip to main content

Microsoft Entra ID randomly downgrades Agent Roles

  • December 5, 2025
  • 3 replies
  • 0 views
Marius13

Hello,

 

We use Microsoft Entra ID (formerly Azure AD) as a provisioning tool to manage access to Zendesk and assign roles/groups via SCIM. The sync by default runs every 40 minutes and usually works fine, but recently we've encountered a recurring issue.

 

Every once in a while, certain users get their Support role downgraded to a Light Agent. For example, an agent that previously had Specialist or even Admin role ends up as a Light Agent after a sync. This seems to happen during automated provisioning, not manual changes.

 

I've observed that the the actor in Zendesk logs is always the account owner whose API key Entra ID uses for SCIM calls (which makes sense) and the downgrades often coincide with External ID changes (can be seen in exported Zendesk audit log)

 

Has anyone else had similar case on their Zendesk setup or perhaps have any insights or ideas what might be causing this?

    3 replies

    Jay45
    • Jay45
    • December 13, 2025

    Hello Marius,
     

    I’ve created a ticket for you regarding this question. You’ll receive an email with the details as soon as an agent is assigned to assist you.

    M
    • Martin50
    • January 10, 2026

    Hello,

    This issue usually occurs because Entra ID is sending a null or default value for the role attribute during a sync, often triggered when a user's External ID is updated, causing Entra to treat the record as a "new" or "reset" provision. You should check your Attribute Mappings in Entra ID to ensure the Zendesk role is correctly mapped to a static value or a specific Entra attribute that isn't being inadvertently cleared.

    J
    • Joshua29
    • February 19, 2026

    This occasionally happens for me as well.  Was a cause/fix ever identified?

    Terms & ConditionsCookie settingsAccessibility statement