Identity Onboarding

Help

What this site does

The Identity Onboarding site signs in to a customer Azure tenant and instantiates pre-defined central app registrations in that tenant. For each app registration, it creates a service principal and assigns the required Azure RBAC roles and Microsoft Entra directory roles to that service principal.

Required permissions in the Target Tenant

The account performing onboarding must be a Global Administrator in the Target Tenant with Azure access management enabled. This single role covers all required permissions — service principal creation, Azure RBAC role assignments (including Savings Plans and Reservations scopes), and Entra directory role assignments.

Global Administrator — required for all onboarding operations

Enabling Azure access management for Global Administrators

By default, Global Administrators do not have access to Azure resources. To grant full Azure access — including Savings Plans (/providers/Microsoft.BillingBenefits) and Reservations (/providers/Microsoft.Capacity) scopes — the "Access management for Azure resources" option must be enabled. This assigns User Access Administrator at the root scope (/), which covers all Azure scopes including those not part of the management group hierarchy.

How to enable it:

  1. Sign in to the Azure portal as a Global Administrator of the Target Tenant.
  2. Navigate to Microsoft Entra ID → Properties.
  3. Under Access management for Azure resources, set the toggle to Yes: "Can manage access to all Azure subscriptions and management groups in this tenant."
  4. Click Save.

After enabling this, sign out and sign back in to the Onboarding site so the new permissions take effect in your session.

Note: This setting elevates the account to User Access Administrator at the root scope /. It is recommended to disable it again after onboarding is complete, following the principle of least privilege.
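Because the toggle is just a User Access Administrator assignment at the root scope, its state can be verified and, once onboarding is done, cleaned up from a script. The following is an added example written for this help page; it is not code from the Onboarding site. It assumes the Az PowerShell module (Az.Accounts and Az.Resources) is installed and that the caller supplies the Target Tenant ID; the parameter names and the -RemoveElevation switch are this example's own.

```powershell
# Added example, not part of the Identity Onboarding site.
# Assumptions: Az.Accounts and Az.Resources are installed; $TargetTenantId is the
# Target Tenant's ID; the signed-in account is the onboarding Global Administrator.
param(
    [Parameter(Mandatory = $true)] [string] $TargetTenantId,
    [switch] $RemoveElevation   # use after onboarding to drop the root-scope assignment
)

# Sign in to the Target Tenant with the onboarding account.
Connect-AzAccount -TenantId $TargetTenantId | Out-Null
$account = (Get-AzContext).Account.Id

# "Access management for Azure resources" = User Access Administrator at scope "/".
# Filter on the exact scope so inherited or sub-scope assignments are not counted.
$rootUaa = Get-AzRoleAssignment -Scope "/" -RoleDefinitionName "User Access Administrator" |
    Where-Object { $_.Scope -eq "/" -and $_.SignInName -eq $account }

if (-not $rootUaa) {
    Write-Host "No root-scope User Access Administrator assignment for $account."
    Write-Host "Enable 'Access management for Azure resources' under Entra ID > Properties, then sign in again."
    return
}

Write-Host "Root-scope User Access Administrator is present for $account (elevated access is on)."

if ($RemoveElevation) {
    # Least privilege: remove the elevated assignment once onboarding is complete.
    # This has the same effect as setting the portal toggle back to No.
    Remove-AzRoleAssignment -SignInName $account -RoleDefinitionName "User Access Administrator" -Scope "/"
    Write-Host "Removed root-scope User Access Administrator for $account."
}
```

Run it once before onboarding to confirm the toggle took effect for the account you will sign in with, and once more with -RemoveElevation after the last role has been assigned. Note that Get-AzRoleAssignment at the root scope itself requires elevated access, so the "not present" branch may surface as an authorization error rather than an empty result on an account that has never been elevated.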

The first time this application is used in a Target Tenant, an administrator must grant consent for the permissions it requests — specifically, Microsoft Graph and Azure Management API permissions. You will be prompted to consent during the sign-in flow.

After consent has been granted, subsequent sign-ins by users who hold the required roles do not require additional consent.

Step-by-step guide

  1. Sign in. On the Onboarding page, optionally enter the Target Tenant ID or domain name, then click Sign In and complete the Microsoft authentication flow.
  2. Review the onboarding status table. Each row shows an app registration and the current status of its service principal, Azure RBAC roles, and Entra directory roles in the Target Tenant.
  3. Onboard any app not yet instantiated. If a row shows Not Onboarded under Service Principal, click the Onboard button to create the service principal in the Target Tenant.
  4. Assign any missing roles. For any role shown as Not Assigned, click the Assign button to assign that role to the service principal.