> But when I authenticate my common support agents instead of the customers themselves, I do want them to have access to everything.

> I don’t think anyone has yet managed to make this easy.

We have a few recommendations for this (I work for FusionAuth, a different auth server). From our doc[0]:

    Have users reset their password every time they need access to a different tenant.
    Use a passwordless login option like a magic link or passkey.
    Set up or use an administrative identity server, such as a second instance of FusionAuth, Google GSuite, or Azure AD/Microsoft Entra, and have these users log in using that.
    Put all admin users in one FusionAuth tenant, create an application in that tenant, and set up an OIDC Identity Provider for applications in other tenants to delegate to that application.

It's a thorny problem, for sure.

0: https://fusionauth.io/docs/get-started/core-concepts/users