When SAML SSO is set up between Microsoft Entra ID and Zendesk, by default all users in your Entra tenant have the ability to log in via SSO — unless access is actively restricted. This article describes how you control precisely which users and groups may access Zendesk via Entra ID.
It is recommended to configure this immediately after the SSO setup as part of a secure and controlled rollout.
See also Microsoft's official documentation: Restrict a Microsoft Entra app to a set of users (Microsoft Learn)
Prerequisites
- You must be an application owner or have the Cloud Application Administrator role in Entra ID.
- The Zendesk app must already be added as an Enterprise Application in Entra ID (see the article on Setting up SAML SSO with Microsoft Entra ID).
Step 1: Enable the requirement for user assignment
The first step is to make sure that only explicitly assigned users and groups can log in via the Zendesk app.
- Log in to the Microsoft Entra admin center.
- Navigate to Entra ID > Enterprise apps > All applications.
- Find and select your Zendesk application.
- Under Manage: select Properties.
- Find the Assignment required? setting and set it to Yes.
- Click Save.
From this point on, users who are not assigned to the app will be denied at login — they will receive an error message about lack of access.
Important: Users with the Global Administrator role in Entra ID are exempt from the assignment requirement and will always have access, regardless of whether they are assigned to the app.
Step 2: Assign users and groups
Once the assignment requirement has been enabled, the relevant users and groups must be assigned explicitly.
- In the Zendesk application's overview: select Users and groups under Manage.
- Click Add user/group.
- Click None Selected under Users to open the selector panel.
- Search for and select the desired users and/or groups (e.g. "Zendesk agents" or "Zendesk administrators").
- Click Select and then Assign.
The assigned users and groups now appear in the list and have access to log in via Zendesk SSO.
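Steps 1 and 2 can also be scripted with the Microsoft Graph PowerShell SDK, followed by an audit of who is assigned. This is an added example, not part of the original article or Microsoft's guide; the app display name, group name and role name are assumptions to replace with your tenant's values.

```powershell
# Added example (not from the article). Assumed names: change to match your tenant.
$appName   = 'Zendesk'          # display name of the enterprise application (assumption)
$groupName = 'Zendesk agents'   # existing security group (assumption)
$roleName  = 'User'             # app role to grant (assumption; check the app's roles)

Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','Group.Read.All'

# Resolve exactly one app and one group so the change cannot land on a lookalike.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -ne 1) { throw "Expected one service principal named '$appName', found $($sp.Count)." }
$sp = $sp[0]
$group = @(Get-MgGroup -Filter "displayName eq '$groupName'")
if ($group.Count -ne 1) { throw "Expected one group named '$groupName', found $($group.Count)." }
$group = $group[0]

# Step 1: the scripted form of "Assignment required? = Yes".
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Step 2: pick the role. An app that declares no roles uses the default access role (all-zero GUID).
$role = $sp.AppRoles | Where-Object { $_.IsEnabled -and $_.DisplayName -eq $roleName } | Select-Object -First 1
if ($role) { $roleId = $role.Id }
elseif (-not $sp.AppRoles) { $roleId = '00000000-0000-0000-0000-000000000000' }
else { throw "App role '$roleName' not found on '$appName'." }

# Assign the group only if it is not assigned already (keeps the script re-runnable).
$assigned = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All)
if (-not ($assigned | Where-Object { $_.PrincipalId -eq $group.Id })) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId | Out-Null
}

# Audit: confirm the setting and list who can sign in.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
$assigned = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All)
"Assignment required: $($sp.AppRoleAssignmentRequired)"
$assigned | Sort-Object PrincipalType, PrincipalDisplayName |
    Format-Table PrincipalDisplayName, PrincipalType, CreatedDateTime

# Direct user assignments bypass group-based management; list them for review.
$direct = @($assigned | Where-Object { $_.PrincipalType -eq 'User' })
if ($direct.Count -gt 0) { "Directly assigned users: $($direct.PrincipalDisplayName -join ', ')" }
```

Re-running the audit portion on a schedule shows whether the assignment requirement has been switched off or whether individual users have been added outside the groups.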
Recommended practices
- Use groups rather than individual users. It is far easier to manage access via security groups (e.g. "Zendesk agents" and "Zendesk administrators"), as new employees are simply added to the group and automatically gain access.
- Test with a small group first. Start with a test group of technically proficient employees before rolling out fully to the organisation.
- Remember a break-glass user. Make sure that at least one Zendesk administrator can log in without SSO (via yourdomain.zendesk.com/access/normal), so that there is an "emergency exit" if the Entra ID configuration fails.
- Consider SCIM provisioning for full automation: when an employee leaves and is removed from the group in Entra ID, access to Zendesk is deactivated automatically.
Further resources
See Microsoft's official guide for technical details and advanced scenarios (e.g. restricting app-to-app access via PowerShell):
Restrict a Microsoft Entra app to a set of users — Microsoft Learn