Access & Roles
GrantFlow uses Microsoft Entra ID single sign‑on with multi‑tenant support. Your access is always scoped to a specific tenant and your role assignments within that tenant.
If you’re setting up GrantFlow in a new customer tenant, complete the onboarding first:
- EntraID Tenant Setup: ../admin-guides/customer-tenant-entra-setup.md
- GrantFlow CLI: ./cli.md
Then return here for end-user access and role guidance.
Most users can complete first‑time access in under 2 minutes. If anything blocks you, capture a screenshot and share it with your administrator—it speeds up troubleshooting.
Before accessing the portal, confirm with your administrator that you’ve been invited to the correct tenant and granted base access in Entra ID. Make sure Conditional Access policies allow you to reach https://portal.grantflow.cloud from your managed device and that your MFA setup satisfies policy. Finally, check that your account has the GrantFlow roles appropriate for your responsibilities.
User Roles
GrantFlow implements role‑based access control to ensure users have appropriate permissions:
| Role | Primary Goals | Capabilities |
|---|---|---|
| User | Request and use privileged access for assigned roles | View eligible roles, request activations, check out accounts |
| Admin | Configure and manage the GrantFlow platform | Manage users, configure roles and approval policies, manage connectors, system configuration |
A single person can have multiple roles. Administrators assign the minimal set required for each person’s responsibilities (principle of least privilege).
First Sign‑In
Open the GrantFlow URL provided by your administrator and choose Sign in with Microsoft. Complete MFA if prompted. On your first sign‑in, accept the permissions prompt (basic profile and directory access), then verify the tenant name in the header is correct. To finish, open My Roles and confirm that at least one role is visible and eligible to activate.
If the tenant name is not what you expect, stop and contact your administrator before proceeding. Activations are always tenant‑scoped.
Navigation Overview
What you see depends on your role. All users have the Dashboard for recent activity and quick actions, My Roles to view and request activations, and Activity for a personal audit trail. Approvers additionally see Requests to review and decide on pending activations and may have Account Checkout to manage privileged account assignments. Administrators see an Admin area for user and assignment management, role and policy configuration, connector administration, and system‑wide audit and reporting.
Security Best Practices
Account security
Always use a managed device that meets your organization’s security requirements, never share activation links or credentials, and use multi‑factor authentication as required. When you’re finished, sign out completely—especially on shared devices.
Access requests
When requesting access, provide a clear justification (including any ticket or change number), choose the minimum duration needed, end sessions early when work is complete, and report suspicious activity to your security team immediately.
Incident response
If you encounter unexpected permission prompts, access to roles you didn’t request, unusual activity in your history, security‑related error messages, or requests for sensitive information outside normal workflows, stop immediately and contact your security team.
For security incidents or concerns, contact: security@grantflow.cloud
Keep the Activity Log in mind—it’s your personal audit trail and often the first place your security team will look when investigating.
Getting help
Explore the User Guides for deeper feature documentation. For questions about roles and policies, contact your organization’s GrantFlow administrators. For platform issues, reach support through your administrator. Report security concerns immediately to security@grantflow.cloud.
Next steps
Ready to get started? Continue to Your First Activation to learn how to request and use privileged access, see Account Checkout.