A user access review is a periodic check-up. You make sure employees and contractors only have access to the systems they need to do their jobs. For Zendesk, this means checking that every paid agent license belongs to an active, contributing team member. The goal is to cut software waste and close security holes.
Your Zendesk Bill Is High, but Are You Using Every License?
You have seen the Zendesk invoice. That per-agent cost creeps up every year. If your team uses the Suite Professional plan, you pay $115 per agent per month, billed annually. How many of those licenses are actually logging in and working?
I have seen it time and again. A large part of a company's SaaS budget is spent on inactive or "ghost" agents. These are accounts that hang around long after they are needed.
Where Do Inactive Licenses Come From?
The sources of this license waste are predictable. As your company grows and people move around, these ghost accounts pile up.
It is a familiar story. The usual suspects include:
- Former employees whose accounts were never properly offboarded.
- Contractors or freelancers who finished a project weeks or months ago.
- Team members who moved to a new role and no longer need a full agent license.
- Test accounts created for a one-off task and then forgotten.
This is not just about money. It is also a security risk. Every inactive account is a potential backdoor into your systems if credentials get stolen or guessed. Failing to manage your licenses creates both a financial drain and a security liability.
A systematic user access review is the most direct way to fix this problem. If you are responsible for IT, operations, or finance, it is a financial and security necessity.
Calculating the True Cost of Inaction
The cost adds up much faster than you might think. Let’s do some quick math. Just 10 inactive agents on the Zendesk Suite Professional plan cost your company $13,800 per year. For bigger teams, that number can easily grow into tens of thousands of dollars.
That is a recurring expense for licenses that deliver zero value. It's budget you could put toward hiring, training, or tools that help the business. This is an important part of managing SaaS subscriptions effectively. By auditing who has access on a regular basis, you can turn a hidden cost into a real source of savings.
The Hidden Risks of Stale Zendesk Accounts
An unused Zendesk license is a liability, not just a line on an invoice. Every dormant account is a potential security hole. While the direct cost is obvious, the indirect risks can be far more damaging.
Think about it. Stale accounts, especially from former employees or contractors, quietly expand your company's attack surface. These forgotten credentials are low-hanging fruit for attackers. One common tactic is credential stuffing, where automated attacks use lists of leaked passwords from other data breaches to try and break into your systems. If a former employee reused a password that was later exposed, their old Zendesk account becomes an open door.
The Escalating Threat of Compromised Credentials
This is not a theoretical problem. The frequency of these attacks is alarming. For instance, phishing attacks exploded to 1.96 million incidents in one year, a 182% increase since 2021. This directly fuels the credential problem, with compromised credentials powering 22% of all breaches in 2025.
What is worse, password hygiene is often poor. Recent data shows password-based attacks saw a tenfold increase in attempts over the previous year, and only 3% of breached passwords met basic complexity standards. Outdated access is a ticking time bomb. As the World Economic Forum has pointed out, many boards overestimate their security posture, creating dangerous gaps in identity governance. You can dig into more of this data on global security threats at DataReportal.
A single compromised Zendesk account can quickly spiral into a major data breach. An attacker could get sensitive customer PII, internal support conversations, and other proprietary data. The financial and reputational fallout from that kind of event would make years of license fees look like pocket change.
Failing to conduct a regular user access review is not just a financial oversight. It is a security procedure you cannot afford to skip. For any Zendesk admin, this process is a first line of defense against a data breach.
Compliance and Audit Headaches
Beyond immediate security threats, stale accounts create headaches during compliance audits. When auditors for standards like SOC 2 or ISO 27001 arrive, one of the first things they scrutinize is your user access policy.
They want proof you can confidently answer a few key questions:
- Who has access to our customer data?
- Is their access level still appropriate for their current role?
- How quickly do you remove access for departed employees?
If you cannot provide clear documentation and a history of regular access reviews, you are setting yourself up for audit findings. These can jeopardize contracts and seriously damage your company's reputation. Ineffective offboarding is a common red flag. Our guide on proper employee onboarding and offboarding can help you build a stronger process.
Operational Drag and Inefficiency
Finally, a bloated user list creates friction. When your list of active agents is cluttered with hundreds of inactive accounts, simple administrative tasks become a chore.
Trying to assign a ticket, generate a report, or manage team permissions becomes a nightmare when you have to scroll past users who have not worked at the company for months. This "privilege creep" not only slows your team down but also introduces the risk of human error, like accidentally assigning a sensitive ticket to the wrong person. A clean, accurate user list is fundamental to running an efficient support operation.
How to Conduct a Manual User Access Review in Zendesk
A manual user access review is the most direct way to get a handle on your Zendesk licensing costs. It involves some spreadsheet work and back-and-forth with team leads, but it is the fastest path to finding and eliminating unused agent seats. Think of it as a hands-on audit of your agent roster to stop paying for licenses nobody uses.
The process is direct. You will decide what "inactive" means, pull data from Zendesk, get verification from managers, and then downgrade the accounts. It has limitations, but it gets the job done.
Define Your Inactivity Criteria
Before you do anything, you need a clear definition for an inactive user. Without one, you are just guessing. Your criteria will depend on how your teams operate. A good starting point usually combines login data with actual ticket work.
Here are a few things to consider:
- Last Login: An agent who has not logged in for 60 or 90 days is a prime candidate for a review.
- Ticket Activity: I find this metric is often more telling than just logins. Look at the last time someone solved a ticket, made a comment, or was assigned one. It's common to see agents who log in but do not work in the queue.
- Role Changes: Did the agent move from support to marketing three months ago? They probably do not need a full agent license anymore.
Pick a timeframe that aligns with your business. For most organizations, 90 days of no ticket interactions is a solid, defensible benchmark for inactivity. Write down your decision before you start pulling reports.
Export Your Agent Data from Zendesk
With your criteria set, it's time to gather the raw data. You can get a complete list of your team members from the Zendesk Admin Center. This will form the backbone of your review spreadsheet.
Inside the Zendesk Admin Center, navigate to People > Team members and use the Export option to download a CSV of all your users.
This file gives you a lot of information, but you will want to focus on a few key fields. Once you open that CSV in Excel or Google Sheets, you can start filtering it.
The risk of letting stale accounts linger is real. A single forgotten login can become a major security headache.
What starts as a dormant account can escalate into a data breach if an attacker gets the credentials. It is a compelling reason to clean house regularly.
Organize Your Spreadsheet for Review
That raw CSV export is just a data dump. To make it useful, you need to turn it into an organized workspace for your audit.
I recommend creating a clean spreadsheet that will act as the single source of truth. Copy over just the columns you absolutely need:
- Name: The agent's full name.
- Email: Their unique identifier, which is important for tracking.
- Role: Their current Zendesk permission level (e.g., Agent, Admin, Light Agent).
- Groups: The support groups they are assigned to.
- Last sign-in: The date of their last login.
Now, add a few blank columns to your sheet to track the review. This documentation is your audit trail and is non-negotiable for staying organized.
- Manager: The name or email of the agent’s direct supervisor.
- Status (Inactive?): A simple Yes/No column you'll use to flag potential inactivity.
- Manager Verification: A spot to log the manager's feedback (e.g., "Confirm Inactive," "Keep Active").
- Action Taken: The final outcome (e.g., "Deactivated," "Downgraded to Light Agent").
- Date of Action: The day you completed the action.
The goal is to transform the data file into a living document that tracks every agent from initial flag to final resolution.
Communicate with Managers and Document Decisions
This is an important step. Never deactivate a license based on data alone. You might find an agent who appears inactive but was on parental leave or assigned to a special project. Always get a human confirmation from their manager.
Filter your spreadsheet to show only the agents you flagged as potentially inactive and send that short list to their managers. Keep the email clear and to the point. Ask for confirmation on whether the agent still needs their full Zendesk license.
Pro-Tip: Make it easy for managers to respond. You just need a "Yes, keep" or "No, remove" next to each name. Do not send them a complex form or the entire spreadsheet. You will get a faster response this way.
As soon as you hear back, update your "Manager Verification" column. This creates a clear, documented record of who made the call, which is essential for accountability. Once a manager gives you the green light, you can take action.
Deactivate Licenses and Record Savings
With documented manager approval, you can confidently start reclaiming those licenses. In Zendesk, you do not actually delete the user. Instead, you downgrade them from a paid Agent role to an End-user role. This is a great feature because it preserves all their historical ticket data but frees up the expensive seat.
Go into the agent's profile in the Admin Center and change their role. Once you've worked through your list, update the "Action Taken" and "Date of Action" columns in your spreadsheet. With that, your manual user access review is done.
Finally, do the math. Multiply the number of licenses you deactivated by your per-agent cost. For example, reclaiming just 15 licenses on a plan like Zendesk Suite Professional ($115/month) adds up to $20,700 in annual savings. That's a powerful number to share with leadership and the finance team.
Manual vs Automated User Access Review
A manual review is effective but requires significant effort. For large organizations, the time investment can be substantial, and the risk of human error is always present. This is where automated tools perform well.
The table below contrasts the two approaches.
| Aspect | Manual Review (Spreadsheet) | Automated Review (LicenseTrim) |
|---|---|---|
| Effort | High. Requires hours of data export, spreadsheet formatting, and manual communication. | Low. 5-minute setup for continuous, automated monitoring and reporting. |
| Accuracy | Prone to human error, missed agents, and outdated data. | High. Uses real-time data and consistent, pre-defined rules to eliminate mistakes. |
| Frequency | Typically done quarterly or annually due to the high effort involved. | Continuous. Runs automatically in the background on a weekly or monthly schedule. |
| Documentation | Relies on manual updates to a spreadsheet, which can be inconsistent. | Automatic. Generates a complete, timestamped audit trail for every decision. |
| Cost Savings | Good, but savings are often delayed until the next manual review cycle. | Maximized. Finds and flags savings opportunities in near real-time. |
While a manual audit is a good place to start, automation offers a more scalable and reliable solution for long-term license management.
Automating Your Zendesk User Access Review for Continuous Savings
Manual audits feel productive, but they have a short shelf life. You spend days pulling data and verifying accounts. The minute you finish, that clean user list is already going stale.
A contractor’s project ends. A new person joins the team. Someone switches departments. Just like that, you are out of date. This is the fundamental flaw of manual reviews and why automation is a more sustainable solution.
By automating your user access review, you transform it from a quarterly fire drill into a smooth, continuous process. Instead of losing hours to spreadsheets and chasing down managers, you create a system that constantly finds savings for you.
From Outdated Spreadsheets to Real-Time Monitoring
Effective automation means ditching manual data exports. Those CSV files are a pain to work with and are guaranteed to be inaccurate because they are just a snapshot in time. A real-time connection to the Zendesk API is the only way to get a true picture of what is happening.
An automated system constantly checks agent activity against the specific rules you set. This lets you get more sophisticated than just looking at the "last login" date, which can be misleading.
You can build rules that reflect how your team works. For instance, you could flag an agent if they meet a combination of criteria:
- No public or private comments in the last 60 days
- Zero tickets solved in the last 90 days
- No logins recorded in the past 30 days
- No tickets currently assigned this quarter
This level of detail ensures your decisions are based on genuine contribution, not just whether someone occasionally logs in.
Set It, Forget It, and Get Alerts
The best part of automation is you set it up once and let it work. After connecting a tool to your Zendesk instance via OAuth, a process that usually takes less than five minutes, you can build your custom inactivity rules.
For example, your full-time support team might need a tight 30-day activity window. You might give a part-time specialist a more lenient 90-day threshold. Good automation tools let you define these different rules without touching any code. Once an agent trips one of these rules, the system sends an alert.
Instead of you hunting for inactive licenses, the savings opportunities come to you. This "set-and-forget" approach frees up time for IT managers and Zendesk admins.
Turning Data into Savings
An alert is just the start. The goal is to make the decision to downgrade or remove a license easy. A smart system does not just tell you a user is inactive. It gives you all the context you need to act with confidence.
A good notification should include:
- The agent's name and current role
- The date of their last login
- Their last ticket interaction date
- The estimated annual cost of their license
Imagine an alert that says, "Agent John Doe on the Suite Professional plan has been inactive for 92 days, representing $1,380 in potential annual savings." That is a clear business case, making the decision to reclaim that license easy.
A tool like LicenseTrim handles this work. It connects to Zendesk, runs an initial audit, and then monitors agent activity 24/7. When it finds an inactive license, you get a notification with the precise savings amount. You always have the final say, approving any downgrades with a single click. It turns a complex manual headache into a simple, ongoing source of savings. If you're exploring your options, it's worth learning about the broader landscape of software license audit tools to see how they stack up.
Building the Business Case for Regular Access Reviews
Convincing leadership to invest time and resources into a user access review program is not always easy. They are focused on growth and revenue, not IT housekeeping. To get their buy-in, you have to speak their language.
You cannot just talk about security best practices. You need to build a business case that connects directly to the bottom line. The most effective approach is a one-two punch: show them the money you can save, then show them the risks you can avoid.
Start with the Easiest Win: Hard Cost Savings
Your finance team lives by numbers, so start there. The quickest way to get their attention is to show them exactly how much money is being wasted on unused Zendesk licenses. This is not a vague security problem. It is a budget leak you can plug right now.
Think about it. Say your organization is on the Zendesk Suite Professional plan, which costs $115 per agent, per month on an annual contract. If you run a quick audit and find just 10 agents who have not logged in for 90 days, the math is simple and powerful.
10 agents x $115/month x 12 months = $13,800 in annual savings.
Suddenly, you are not talking about an IT chore. You are talking about reclaiming nearly $14,000 that can be put toward a new hire, a marketing campaign, or another business need. Presenting this clear, immediate ROI changes the conversation.
Those savings add up quickly, especially for larger teams. A few inactive accounts might not seem like much. When you zoom out, the financial impact becomes impossible to ignore.
Estimated Annual Savings On Zendesk Suite Plans
This table shows the potential annual cost savings from deactivating unused licenses across different Zendesk pricing tiers.
| Plan | Cost Per Agent/Month (Annual) | Savings for 5 Inactive Agents | Savings for 10 Inactive Agents | Savings for 20 Inactive Agents |
|---|---|---|---|---|
| Suite Team | $55 | $3,300 | $6,600 | $13,200 |
| Suite Growth | $89 | $5,340 | $10,680 | $21,360 |
| Suite Professional | $115 | $6,900 | $13,800 | $27,600 |
| Suite Enterprise | $169+ | $10,140+ | $20,280+ | $40,560+ |
As you can see, even a small cleanup delivers significant savings. For enterprise-level companies, reclaiming 20 licenses could fund another employee's salary. This is the kind of data that gets budgets approved.
Connect Security to Business Survival
Once you have their attention with cost savings, you can talk about risk. While it is harder to put a precise dollar amount on risk reduction, it is just as important for business continuity. You have to frame this as a serious business liability, not a technical detail.
Every dormant account is a ticking time bomb. It is a forgotten key to your kingdom, waiting for an attacker to find it. An access review program is your way of methodically finding and neutralizing these threats.
It directly reduces your attack surface and delivers tangible business benefits:
- Avoid a Breach: Fewer active accounts mean fewer ways for attackers to get in and access sensitive customer data.
- Pass Compliance Audits: Regular reviews give you a clean, documented audit trail. This is a non-negotiable for standards like SOC 2 and ISO 27001 and helps you avoid the expense of failed audits.
- Protect Your Brand: A data breach can destroy customer trust and tarnish your company's reputation overnight. Proactive security is the best brand insurance you can get.
This is not theoretical. There is a reason the entire Identity and Access Management (IAM) market is projected to grow at a CAGR of 13.7% by early 2026. Businesses are waking up to the fact that managing who has access to what is mission-critical. When you consider that some studies show credential abuse is behind major data breaches, it is clear this is no longer optional. You can discover more insights about these identity and access trends and see why this has become a C-level priority.
By combining the hard numbers of cost savings with the need for risk reduction, you give leadership a complete picture. You are no longer just an IT manager asking for resources. You are a strategic partner with a plan to make the business more profitable and more secure.
Common Questions About Zendesk User Access Reviews
Putting a user access review plan on paper is one thing. Putting it into practice is another. You will hit tricky situations and field questions from the team. Getting ahead of these common concerns is the key to making the process run smoothly.
Here are some of the most frequent hurdles Zendesk admins face and how to handle them.
What About Our Contractors and Part-Time Staff?
This one comes up every time. You will have part-time agents, seasonal contractors, or a subject matter expert who only jumps in on high-priority tickets. Their access is vital when needed, but they will not log in daily. A rigid 30-day inactivity rule will not work for them.
The solution is to create a different policy for these roles. I have seen teams successfully use a 90 or even 120-day inactivity window for specific user groups.
Key Takeaway: The goal is not to slash every license that looks quiet. It is about making sure every paid seat has a clear business justification. Be sure to document these exceptions in your access policy.
This way, you avoid accidentally locking out a valuable, if infrequent, contributor and causing a fire drill.
How Does Downgrading a License in Zendesk Work?
When you find a license that is ready to be reclaimed, you do not "delete" the user. Never delete the user. Doing that wipes out their ticket history, which creates a hole in your reporting and audit trails.
Instead, you just downgrade their role.
Inside the Zendesk Admin Center, you change the user's role from a paid one to a free one.
- Paid Roles: These are your Agents, Admins, and any custom roles with agent-level permissions.
- Unpaid Role: You will switch them to an End-user. This role cannot be assigned tickets or log into the agent workspace.
The benefit is that the user's account and all their past ticket activity stay perfectly intact. You have just freed up an expensive license that you can give to a new hire or remove from your subscription. The billing for that seat stops immediately.
Will Agents Lose Their Work if We Downgrade Them?
No. This is a huge relief for everyone. When you downgrade an agent's role to End-user, every one of their past tickets, comments, and contributions is preserved.
This is a core strength of how Zendesk’s user model is designed. All that history is tied to the user profile, so your reports on past agent performance will not change. The only thing they lose is the ability to work on new tickets. If they ever need agent access again, you just flip their role back.
How Should I Communicate This to the Team?
Do not skip this part. Communication is everything. No one likes having their access suddenly revoked. It can make people feel devalued or worried about their job. The key is to be transparent and get out ahead of it.
Before your first review cycle, send a clear announcement to all your Zendesk users.
- Explain why you are doing this: to manage costs and strengthen security, not to micromanage people.
- Clarify how it works: explain the inactivity rules and that managers will have the final say on every decision.
- Frame it as a standard business practice, much like any other software audit.
By reassuring everyone that their manager has to approve any change, you turn a potentially tense situation into a routine, understandable process. A simple, honest heads-up makes all the difference and shows you respect your team.
Ready to stop guessing and start saving? LicenseTrim connects to your Zendesk instance in minutes and shows you exactly how much you’re overspending on inactive licenses. Get your free, instant savings report and see how much you can reclaim. Learn more at licensetrim.com.