blog.exe
Home / Blog / Why L1 Tickets Are Killing Your MSP (And What Actually Fixes It)
February 21, 2026 · By Amaresh Ray

Why L1 Tickets Are Killing Your MSP (And What Actually Fixes It)

Every MSP owner knows the feeling. You hire a sharp technician, train them up, and within a month they're spending half their day on password resets.

It's not a skills problem. It's a structural one.

The real cost of L1

A typical MSP handles 200-400 L1 tickets per month. Each one takes 10-15 minutes when you factor in reading the ticket, pulling context, executing the fix, notifying the client, and closing it out.

That's 50-100 hours per month of technician time. Use our MSP ROI calculator to see what that costs your shop. On tasks that require zero judgment.

Put a dollar figure on it: a tech billing at $150/hour internally costs you $7,500-$15,000/month in L1 overhead. That's a full-time salary spent on work that doesn't require a human.

And those numbers are conservative. They assume a clean 15-minute resolution. In reality, you're also paying for context switching — the tech stops working on a project, reads the ticket, switches to a different system, handles the request, switches back, and tries to remember where they left off. That drag is invisible in your PSA reports but very real in your P&L.

"Just set up SSPR"

This is the first thing people say. And they're not wrong — self-service password reset through Microsoft Entra with password writeback and two forms of MFA is a good idea. You should absolutely have it configured.

But SSPR only covers one category of L1 work. Here's what it doesn't touch:

  • MFA re-enrollments. Users get a new phone and forget to transfer their authenticator. Or they run a cleaner app that deletes it. Or — and this actually happens — they delete the authenticator because "the code kept changing." SSPR doesn't help here. Somebody still has to reset their MFA method, verify their identity, and walk them through re-enrollment.
  • Account unlocks from conditional access failures, impossible travel alerts, or risky sign-in detections.
  • Shared mailbox permissions. "Hey, can you give Sarah access to the billing inbox?"
  • Group membership changes. Add to this security group. Remove from that distribution list.
  • License assignments and swaps. Upgrade this user to E3. Swap their Visio license.
  • Onboarding and offboarding. Create the user, provision email, assign groups, tag the device.

Password resets might be 15-20% of your L1 volume. SSPR handles those. The other 80% is still sitting in the queue, waiting for a tech.

That's the gap most people don't see when they say "just set up SSPR."

What's actually worth automating (and what isn't)

Not all L1 work should be automated. This is important, and too many AI vendors gloss over it.

Printer problems? Good luck. Is it a paper jam? A driver issue? Print Nightmare? A spooler crash? A GPO not firing? A leased device managed by another vendor? Printers are a can of worms where every ticket is slightly different. The best fix for recurring printer issues is root cause work — DHCP reservations, universal print drivers deployed via your RMM, proper Group Policy. Not an AI guessing at symptoms.

"My internet is slow"? That could be 100 different things. Too many Chrome tabs. A cloud backup still running. An 8-year-old machine with a spinning disk. A broken Ethernet lug. DNS. Edge routing. A user who actually means "my computer is slow" but says "internet." You can automate basic diagnostics — run a speed test, check uptime, ping latency — but resolution still needs a human.

Identity and access work? That's the sweet spot. Password resets, account unlocks, MFA re-enrollments, mailbox permissions, group changes, license assignments, basic onboarding and offboarding. These tasks follow clear patterns, touch a known set of systems, and rarely require judgment. They are high-volume, low-ambiguity, and structured. That's the stuff that's actually worth automating.

The honest answer is that maybe 60-70% of your L1 volume falls into that identity-adjacent category. The rest still needs a person. And that's fine. The goal isn't zero techs. The goal is using your techs on work where they actually add value.

Why triage tools don't fix it

The first instinct is to speed up triage. Get tickets categorized faster, routed to the right person sooner. PSAs have had keyword parsing for years. Newer tools use AI to classify and route.

But triage isn't the bottleneck. Resolution is.

It doesn't matter if a password reset ticket reaches a tech in 30 seconds instead of 5 minutes. The tech still has to open it, log into M365 or Entra, do the reset, notify the client, and close the ticket. The 15-minute task is still a 15-minute task.

A lot of MSP AI tools live in this space — they summarize the ticket, suggest a resolution, maybe draft a response. That helps a little. But if the tech still has to execute the fix across multiple systems, the labor cost barely changes. You made the preamble prettier. The work is still sitting there.

The "human touch" argument

Some MSP owners push back on automation entirely. "Clients pay for the human touch." "L1 is where we build relationships." "You can't automate good customer service."

They're not wrong, exactly. The client relationship matters. When someone calls frustrated at 8am because they can't get into their email, a calm human voice goes a long way.

But here's the thing: the human touch argument conflates two very different jobs. There's the relationship work — understanding the client, building trust, spotting patterns, identifying upsell opportunities, making the business owner feel heard. That's genuinely valuable. And then there's the execution work — opening Entra, clicking reset, copying a temporary password, updating the ticket, sending the notification. That part has zero relationship value. The client doesn't care who reset their password. They care that it happened fast.

The better model isn't "replace the human touch." It's "free up your humans to actually provide it." When your L2 techs aren't buried in MFA resets, they can do the proactive work, the QBRs, the root-cause analysis that actually builds client loyalty.

A tech doing their 200th password reset of the month isn't providing human touch. They're providing human labor on a task that doesn't need it. And they're burning out doing it.

The security question

The other big objection: "I'm not giving an AI write access to passwords."

Fair. This is a real concern, not a hypothetical one. Social engineering attacks have succeeded by tricking help desk techs into resetting passwords for the wrong person. Giving any system — AI or otherwise — the ability to change credentials requires serious guardrails.

Here's what responsible automation looks like:

  • Least-privilege service accounts. The AI only has access to the specific actions it's been scoped to perform. It can't do anything a tech wouldn't do.
  • Identity verification before action. The requester gets matched to an identity in your IdP. The AI doesn't just trust the ticket.
  • Approval routing for sensitive actions. Higher-risk changes (like mailbox access or group modifications) get routed to a manager or service lead for explicit approval before execution. That can happen right in Slack or Teams.
  • Full audit trail. Every action is logged — who requested it, what was done, when, and by what authority. Better auditability than most techs provide, frankly.
  • Scoped autonomy. You define what the AI can do autonomously and where it needs to stop and ask. Start narrow. Expand as trust builds.

The question isn't whether AI should have write access. The question is whether the guardrails are good enough. A well-scoped AI with approval gates and audit trails is often more secure than an overtired L1 tech at 11pm who resets a password without verifying the caller because the queue is backing up.

What actually fixes it

The only way to reclaim those hours is to eliminate the human from routine L1 work. Not triage it faster. Not summarize it better. Resolve it without a tech ever touching it.

That means a system that can:

  • Read the ticket and understand what's being asked
  • Verify the requester against your identity provider
  • Connect to your stack (PSA, RMM, M365, Entra, Okta, Google Workspace)
  • Execute the fix (reset the password, unlock the account, grant the permission, re-enroll MFA)
  • Route for approval when the action requires it
  • Notify the client with a clear, human-sounding response
  • Close the ticket with proper documentation and time entries

This isn't hypothetical. This is what Rallied does, every day, for MSPs running ConnectWise, Autotask, and HaloPSA.

The math after Rallied

Take those 200-400 L1 tickets. Rallied handles 70-80% of the identity-adjacent ones autonomously. That's 140-320 tickets per month that never reach a tech.

At 15 minutes each, you're reclaiming 35-80 hours per month. That's a full-time tech's worth of capacity, redirected to project work, escalations, and the client relationships that actually grow your business.

After-hours coverage changes too. L1 tickets don't stop at 5pm. An MFA reset request at 11:30pm can be resolved in 60-120 seconds instead of waiting until morning. No overnight hire. No miserable on-call rotation for routine work.

Use the MSP ROI calculator to see the specific numbers for your shop.

What about L1 as a training ground?

One concern worth addressing: if you automate L1, where do junior techs learn the fundamentals?

It's a valid question. L1 work is how a lot of techs build confidence with AD, networking basics, and client communication. Remove all of it, and you lose that on-ramp.

But most L1 automation doesn't remove the learning — it removes the repetition. A junior tech benefits from doing their first 20 password resets. They don't benefit from doing their 2,000th. Once the pattern is learned, the repetition is just labor with no development value.

The better model: let the AI handle the repeatable grind. Use the freed-up time for shadowing, project work, and exposure to L2/L3 problems where real skills get built. Your junior techs grow faster when they're not buried in a queue.

What's next

If you're running an MSP and L1 tickets are eating your team alive, book a call with us. We'll look at your ticket volume, walk through which categories are automatable, and show you what resolution looks like in practice. No pitch deck. Just your real tickets.

See Rallied in Action

Rallied resolves L1 tickets end-to-end. Password resets, account unlocks, onboarding — handled in minutes, not hours.

Request a Demo
© 2026 Rallied. All rights reserved.
Home Blog Compare Contact