Invite Flow & Edge Cases
This guide covers how user invitations work across different identity providers and how DZDesk handles special scenarios.
Standard Invite Flow
Admin Invites User
sequenceDiagram
Admin->>DZDesk: Send invitation to user@example.com
DZDesk->>User: Email with invite link
User->>DZDesk: Clicks invite link
DZDesk->>IdP: Redirects to SSO (Entra/Google)
IdP->>DZDesk: Returns authenticated user
DZDesk->>DZDesk: Validates domain & assigns role
DZDesk->>User: Access granted
Invitation States
| State | Description |
|---|---|
| Pending | Invitation sent, not yet accepted |
| Accepted | User completed SSO, account active |
| Expired | 7 days passed without acceptance |
| Revoked | Admin cancelled the invitation |
Cross-Domain Invitations
Same Identity Provider
When inviting users from a different organization but same IdP:
Scenario: Acme Corp (Entra) invites consultant from Partner Inc (Entra)
- Admin sends invitation to
consultant@partner.com - User clicks invite link and authenticates via Partner Inc's Entra
- DZDesk creates a guest account in Acme Corp's organization
- User can access Acme Corp's DZDesk instance with limited permissions
Cross-Provider Invitations
Scenario: Acme Corp (Entra) invites user with Google Workspace account
- Admin invites
user@startup.com(Google Workspace) - User authenticates via Google
- DZDesk creates guest account linked to Google identity
- User's primary organization remains their Google Workspace org
Edge Cases
Public Email Addresses
Users with public email providers (@gmail.com, @outlook.com, @yahoo.com, etc.):
| Action | Result |
|---|---|
| Try to create organization | ❌ Blocked |
| Try to self-register | ❌ Blocked |
| Receive admin invitation | ✅ Allowed |
| Join via invite link | ✅ Allowed (guest role only) |
Public email users cannot be assigned Admin roles for security reasons.
Domain Mismatch
When a user's SSO domain doesn't match the invitation:
Example: Invited john@acme.com but user authenticates as john@acme-subsidiary.com
| Configuration | Behavior |
|---|---|
| Strict mode | ❌ Login rejected, domain must match exactly |
| Relaxed mode | ✅ Allowed if domains are in same verified domain group |
Duplicate Accounts
When a user already exists in another organization:
User: sarah@consultant.com
├── Primary: Consultant Corp (Admin)
└── Guest: Acme Corp (Agent)
└── Guest: Beta Inc (End User)
- Users can belong to multiple organizations as guests
- Only one organization can be their "primary" (based on their SSO domain)
- Switching between organizations available via organization picker
Invitation to Existing User
When inviting someone who already has an account:
| Scenario | Behavior |
|---|---|
| User exists in same org | Error: "User already in organization" |
| User exists in different org | Creates guest membership |
| User has pending invite | Error: "Invitation already pending" |
Special Scenarios
VIP User Invitations
When inviting users whose domain is marked as VIP:
- Invitation sent normally
- User completes SSO
- VIP flag automatically set based on domain rules
- Tickets from this user get VIP priority
Bulk Invitations
For inviting multiple users at once:
email,role,group
john@acme.com,Agent,IT Support
jane@acme.com,Agent,IT Support
bob@acme.com,End User,
- Upload CSV via Admin → Users → Bulk Invite
- Maximum 500 users per batch
- Invalid emails are skipped and reported
Invitation Expiry & Resend
| Action | Notes |
|---|---|
| Auto-expire | 7 days after sending |
| Resend | Resets expiry timer, same link |
| New invitation | Generates new link, old one invalidated |
Troubleshooting Invites
"Invitation Not Found"
- Link may have expired (7 days)
- Admin may have revoked the invitation
- User may have already accepted
"Domain Not Allowed"
- Organization has domain restrictions enabled
- Contact admin to whitelist the domain
"SSO Provider Mismatch"
- User authenticated with different IdP than expected
- Verify the correct SSO provider is configured