
Your First Activation

This guide walks you through requesting and using your first just‑in‑time privileged role activation in GrantFlow—from submitting the request to completing your work and revoking access. Expect this to take about 3–8 minutes for most roles.

Tip: New here? Make sure you’ve completed the short setup in Access & Roles first. It ensures you can sign in, see your tenant, and view the roles you’re eligible to activate.

Prerequisites

Before you begin, sign in to GrantFlow and verify the tenant name is correct. Open My Roles and ensure at least one role is visible and marked as Eligible or Available. Be ready with a concise justification (include ticket, change, or incident references if applicable) and decide the minimum time you actually need—you can typically extend later if policy allows.

Note: Some roles require approval. If your request needs an approver, you’ll submit a justification and wait briefly while your approver reviews it. You can track progress on the Requests page.

Step 1: Go to My Roles

After signing in, select My Roles from the left navigation. Review your eligible roles as cards, confirm the one you need is available (and not already active), and open its details to check the description, maximum duration, and provisioning details.

Step 2: Understand the Role Card

Each role card summarizes the essentials: the role name (for example, Entra Global Admin), current availability, maximum allowed duration, and a plain‑English description of what the role grants. Use Provisioning details to see exactly which permissions and groups will be applied.

Tip: If you plan to use a scoped admin account (checked‑out identity) instead of your own user, confirm the role supports “acting as” a checked‑out account. See Account Checkout for details.

Step 3: Request Activation

Select Request on the role card to open the form. The role is pre‑filled (you can change it if necessary). Choose a duration with the slider—from 15 minutes up to the role’s maximum—favoring the shortest time that fits your task. If your organization uses scoped admin accounts, decide whether you’re acting as yourself or a checked‑out account. Add a concise justification with any ticket, change, or incident reference (for example, “Emergency password reset for user per incident INC‑98765,” “Deploy quarterly security updates to production per change CHG‑54321,” or “Investigate authentication issue for Finance team per INC‑11223”). When everything looks correct, submit the request.

Caution: Avoid duplicate requests for the same role at the same time. If you made a mistake, withdraw the pending request and submit a corrected one.

Step 4: Processing and Approval

Approval depends on your organization’s policy for this role:

If the role is auto‑approved

Activation starts immediately and you’ll see a success notification in the app. Skip to Step 6—your access is ready.

If the role requires approval

Your request routes to the designated approver(s), who may be notified by email or Teams. Track status on the Requests page. Many teams set a target response time—follow your local policy.

While waiting:

Keep an eye on the Requests page, be reachable if approvers need clarification, and withdraw the request if it’s no longer needed.

Step 5: Notifications and Outcomes

When your request is processed you’ll be notified:

Approved

You’ll receive an in‑app success notification and often an email or Teams confirmation if enabled. Access is provisioned and ready to use.

Denied

You’ll receive a clear denial reason. Adjust your request per the guidance or contact the listed team.

Step 6: Use Your Access

Once active, permissions are provisioned across connected systems.

Entra ID roles

Propagation typically takes under 5 seconds. For Azure, open a fresh tab or window and confirm the role badge in the top bar. For Microsoft 365 admin centers, reload or re‑authenticate as prompted.

Active Directory groups

An on‑prem agent applies group membership updates. Some resources require you to sign out and in to refresh your token. On Windows, verify membership in a new session with whoami /groups.
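A scripted form of the whoami /groups check, as an added example that is not part of the GrantFlow documentation. The group name GF-Server-Admins, the function name and the output file are hypothetical, and the CSV column names assume an English-language Windows install.

```powershell
# Added example: confirm that an activated AD group is present in the access
# token of the CURRENT logon session, not merely assigned in the directory.
function Test-GroupInToken {
    param(
        [Parameter(Mandatory)][string]$GroupName   # name without the DOMAIN\ prefix
    )

    # whoami /groups /fo csv emits one row per group SID held in this session's token.
    # Columns on English Windows: "Group Name","Type","SID","Attributes".
    $rows = whoami /groups /fo csv | ConvertFrom-Csv

    # Names are reported as DOMAIN\Name; compare the last path segment
    # (-eq is case-insensitive for strings in PowerShell).
    $hit = $rows |
        Where-Object { ($_.'Group Name' -split '\\')[-1] -eq $GroupName } |
        Select-Object -First 1

    [pscustomobject]@{
        CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
        User         = (whoami)
        Group        = $GroupName
        InToken      = [bool]$hit
        Sid          = if ($hit) { $hit.SID } else { $null }
        # "Group used for deny only" here means the session is not elevated,
        # so the membership exists but does not grant access in this shell.
        Attributes   = if ($hit) { $hit.Attributes } else { $null }
    }
}

# Hypothetical group name; replace with the group listed under Provisioning details.
$result = Test-GroupInToken -GroupName 'GF-Server-Admins'

if (-not $result.InToken) {
    # Tokens are built at logon, so a membership added afterwards is not visible yet.
    Write-Warning 'Group is not in this session token. Sign out and back in, then re-run.'
}

# Keep the result as evidence for the ticket (file name is an example).
$result | ConvertTo-Json | Set-Content -Path '.\activation-check.json'
$result
```

Run it again after deactivation or expiry in a new session to record that the group is no longer in the token.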

Session management

Keep GrantFlow open so the active session card shows time remaining. You’ll get a notification ahead of expiration, and if policy allows, you can request an extension before time runs out.

Step 7: Finish and Revoke Access

Finish early

If you finish early, open My Roles, find the active role, choose Deactivate, and confirm. Add completion notes if your policy requires them. Access is removed immediately.

Let it expire

If you do nothing, access ends automatically at the scheduled time. You may receive a final confirmation. Everything is captured in the audit log.

Capture evidence

After privileged work, save relevant evidence (screenshots, command outputs, configuration diffs), update your ticket with what was done and the outcome, follow local change documentation rules, and hand off to the next team if needed.

Troubleshooting

Request stuck in Pending

If a request shows Pending longer than expected, verify your justification is specific and includes a ticket or reference, check business hours or approver out‑of‑office notices, contact your approver for urgent cases, or withdraw and resubmit if you need to correct details.

Access not working after approval

For Entra ID roles, propagation typically takes under 5 seconds. For Active Directory groups processed by on‑prem agents, allow up to 1–2 minutes. Try a fresh sign‑in or new browser tab/window. Confirm you're in the correct tenant/subscription/scope and re‑check provisioning details.

Can’t find an expected role

Confirm with your administrator that you’re eligible for the role, check if it’s temporarily disabled or under maintenance, make sure you’re in the correct tenant, and ask your GrantFlow administrator to review your assignment if needed.

Note: Still stuck? Capture a screenshot of the role card or request details and share it with your administrator—it speeds up troubleshooting.

FAQ

Can I extend an active session? If the policy allows, you’ll see an option to request an extension before time runs out. Extensions may also require approval.

Can I activate multiple roles at once? Yes, if your policy permits. Submit a request for each role you need.

Can I activate on behalf of a scoped admin account? Yes, if your organization has enabled Account Checkout. Choose the checked‑out account in the Acting as field.

Will my actions be audited? Yes. All activation events and status changes are recorded for compliance.

Next Steps

Congratulations—you’ve completed your first activation. Continue with the Dashboard to understand the overview and key metrics, explore My Roles to master activation workflows, review the Activity Log to see your audit history, and learn more about the approval process in Requests & Approvals. For ongoing support, contact your organization’s GrantFlow administrators or refer to the user documentation.