Coming Soon
Here’s a deeper look at what’s coming to GrantFlow over the next releases. The focus is on clearer communication (notifications), safer and faster approvals, efficient directory sync, and high-confidence operations at scale. Timelines and scope may evolve as feedback is incorporated.
INFO: This roadmap highlights planned capabilities at a high level. Details may change before GA.
Teams and Outlook Approvals (Adaptive Cards)
Approve or deny just-in-time access requests without opening a browser. GrantFlow will send interactive Adaptive Cards to approvers via Microsoft Teams and Outlook — with the full request context and one-tap Approve/Deny actions, all secured by short-lived tokens.
What you'll get:
- Adaptive Cards delivered to Teams channels or personal chats and Outlook inbox
- Approve, deny, or request more information directly from the card
- Full request context inline — requester, role, justification, and duration
- Secure action tokens that expire after use
Who benefits:
- Approvers: Act on requests instantly without switching apps
- Security teams: Faster time-to-decision with no compromise on audit
See also: Blog post →
Unified Notifications (Email, Teams, In‑App)
Stay on top of approvals, activations, expirations, and more with a dedicated notification service and an admin UI that puts configuration in one place.
What you’ll get:
- Channels: Email via Microsoft Graph and Microsoft Teams (channel webhook) to start
- Templates: MJML with variables, theme alignment, and live preview
- Policies: Per‑event recipients (users, roles, dynamic sets)
- Actions: “One‑click” Approve/Deny links secured by short‑lived tokens
Who benefits:
- Approvers: Faster triage with actionable alerts
- Requesters: Clear status updates without polling the app
- Admins: Central control with safe defaults and audit
Rollout notes:
- Starts with high‑value events (Approval Requested, Activation Failed/Expired)
- Teams chat messages sent via Microsoft Graph may follow the initial webhook-based delivery
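Both the Adaptive Cards section and the "one-click" Approve/Deny links above rely on short-lived action tokens that expire after use. The following is an added illustration of what such a token needs to enforce; it is not GrantFlow's own code and the product's actual token format is not described on this page. It assumes an HMAC-SHA256 key held by the service, a JSON claims payload, and an in-memory set of consumed nonces standing in for whatever shared store a real deployment would use. The properties it demonstrates: the signature is checked before anything is parsed, the token is bound to one request, one action and one approver, it expires, and it can be consumed exactly once.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// ActionClaims is the payload behind one Approve/Deny button or link. Binding
// request, action and approver into it means a leaked "approve" token cannot
// be replayed as "deny" or used by a different approver.
type ActionClaims struct {
	RequestID string `json:"rid"`
	Action    string `json:"act"` // "approve" or "deny"
	Approver  string `json:"sub"`
	ExpiresAt int64  `json:"exp"` // Unix seconds
	Nonce     string `json:"jti"` // unique per token; burned on first use
}

var (
	ErrBadSignature = errors.New("action token: bad signature or malformed")
	ErrExpired      = errors.New("action token: expired")
	ErrReplayed     = errors.New("action token: already used")
	ErrMismatch     = errors.New("action token: action or approver mismatch")
)

// TokenService mints and consumes tokens; the used-nonce map is an in-memory
// stand-in (assumption) for the shared store a multi-instance service needs.
type TokenService struct {
	key  []byte
	now  func() time.Time // injectable clock so expiry can be tested
	mu   sync.Mutex
	used map[string]bool
}

func NewTokenService(key []byte, now func() time.Time) *TokenService {
	return &TokenService{key: key, now: now, used: map[string]bool{}}
}

func (s *TokenService) sign(payload string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue returns an opaque "payload.signature" token that is valid for ttl.
func (s *TokenService) Issue(requestID, action, approver string, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	raw, err := json.Marshal(ActionClaims{RequestID: requestID, Action: action, Approver: approver,
		ExpiresAt: s.now().Add(ttl).Unix(), Nonce: base64.RawURLEncoding.EncodeToString(nonce)})
	if err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString(raw)
	return payload + "." + s.sign(payload), nil
}

// Consume verifies the signature (constant time) before parsing, then expiry,
// then that the token matches the action and approver actually presented,
// and finally burns the nonce so a second click or a forwarded link is rejected.
func (s *TokenService) Consume(token, action, approver string) (ActionClaims, error) {
	var claims ActionClaims
	parts := strings.Split(token, ".")
	if len(parts) != 2 || !hmac.Equal([]byte(s.sign(parts[0])), []byte(parts[1])) {
		return claims, ErrBadSignature
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return claims, ErrBadSignature
	}
	if s.now().Unix() >= claims.ExpiresAt {
		return claims, ErrExpired
	}
	if claims.Action != action || claims.Approver != approver {
		return claims, ErrMismatch
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.used[claims.Nonce] {
		return claims, ErrReplayed
	}
	s.used[claims.Nonce] = true
	return claims, nil
}

func main() {
	svc := NewTokenService([]byte("constructed-demo-key"), time.Now)
	tok, _ := svc.Issue("req-42", "approve", "alice@example.com", 10*time.Minute)
	_, first := svc.Consume(tok, "approve", "alice@example.com")
	_, second := svc.Consume(tok, "approve", "alice@example.com")
	fmt.Println("first click:", first, "| second click:", second)
}
```

The ordering inside `Consume` is deliberate: the mismatch checks run before the nonce is burned, so an approver who clicks the wrong button does not lose the token, while a successful decision consumes it so that the same card or e-mail cannot be acted on twice. Audit logging of every outcome, including the rejected ones, is what makes the "no compromise on audit" claim above hold in practice.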
See also: Notifications
AI‑Assisted Approvals (Risk Scoring)
Help approvers focus where it matters most. Requests will include a risk score and rationale so queues can be sorted by likely impact.
What you’ll see:
- Score (0–100), level badge, and a short “why this score” explanation
- Contributing factors (e.g., role sensitivity, duration, unusual patterns)
- Sorting and filtering by risk level
Who benefits:
- Approvers: Prioritize high‑risk items quickly
- Security teams: Consistent evaluation signals
Rollout notes:
- Phased rollout: shadow mode → opt‑in beta → GA
See also: Requests & Approvals
Real‑Time Drift Enforcement (Cloud + AD)
Detect and respond when managed access changes outside of GrantFlow. If a user, group, or role diverges from policy, GrantFlow creates an incident and (per policy) notifies, requests approval, or remediates.
What it does:
- Ingests near real‑time signals from Microsoft Entra and fast deltas from AD
- Applies per‑role “Drift Reaction” policies: Notify / Require Approval / Remediate
- Surfaces incidents with status, timestamps, and actions
Who benefits:
- Admins and auditors: Clear evidence and control over out‑of‑band changes
- Operators: Faster time to resolution when drift occurs
See also: Role Management
Already shipped — Faster Directory Sync
Delta sync for AD users, groups, and memberships is live — short, efficient cycles with per-connector schedules, jitter, and observability into backoff. Automatic Entra Connect sync after AD changes also shipped. Read the announcements →
Already shipped — Role Assignment Validation
GrantFlow now validates connector availability, principal existence, and provisioning configuration at assignment time — with immediate, clear feedback on misconfigurations. Read the announcement →
Already shipped — Password Rotation Policies
Automated password rotation for privileged accounts is live — rotate on checkout, check-in, or schedule, with retry logic, validation, and full audit coverage. Read the announcement →
Already shipped — LDAPS for AD Connectors
GrantFlow AD agents now connect to domain controllers over LDAPS, using the OS certificate store on the agent host — secure by default with no extra GrantFlow portal configuration, assuming the OS trust store already trusts the domain controller CA chain. Read the announcement →
Profiles & Preferences
Per‑user profiles holding preferences (theme, locale, time zone, notification settings) and future features like passkey enrollment status.
What users gain:
- “Settings” backed by profiles for a consistent experience
- Room to grow into additional personal controls
See also: Profile Settings
Already shipped — Reliable Scheduling & Cancellations
Activations and checkouts now expire on time under load, and manual deactivations cleanly cancel all pending revocation tasks with no orphaned jobs. Read the announcement →
Envelope Encryption for Passwords (Customer-Managed Keys)
Every account password stored by GrantFlow will be encrypted with a tenant-specific RSA key before it is written to Azure Key Vault — with optional customer-managed keys (BYOK) for full data sovereignty.
What's included:
- Tenant-specific RSA key wraps each credential at rest
- BYOK support: bring your own key from Azure Key Vault or an external HSM
- Audit trail for every key access and rotation event
- Compliance alignment with SOC 2, ISO 27001, and BSI C5
Who benefits:
- Security and compliance teams: Provable encryption boundaries and key ownership
- Enterprise customers: Meet data sovereignty requirements without operational complexity
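The envelope pattern described above (a tenant-specific RSA key wrapping each credential at rest) is shown here as an added example; this is not GrantFlow's code, and the page does not specify the product's exact construction. The example assumes a per-secret AES-256-GCM data key wrapped with RSA-OAEP-SHA256 under the tenant key, the tenant ID bound in as GCM additional data and as the OAEP label, and a `KEKVersion` field as assumed metadata for rotation. It also goes one step beyond the text to show why envelope encryption makes key rotation cheap: a `Rewrap` that moves a record to a new tenant key touches only the wrapped data key, never the credential ciphertext. The RSA key is generated locally here; in a deployment it would be the Key Vault or BYOK/HSM key and only its public half would be handed to the sealing component.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EnvelopeRecord is what reaches the secret store: the password is encrypted
// under a fresh per-secret data key (DEK), and the DEK is wrapped under the
// tenant's RSA key-encryption key (KEK). The plaintext DEK is never written.
type EnvelopeRecord struct {
	TenantID   string
	KEKVersion int    // which tenant KEK wrapped the DEK (assumed metadata for rotation)
	WrappedDEK []byte // RSA-OAEP-SHA256(KEK_pub, DEK), tenant ID as OAEP label
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(DEK, password), tenant ID as AAD
}

// NewTenantKEK generates a local 2048-bit RSA KEK (stand-in for a Key Vault/HSM key).
func NewTenantKEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one password for a tenant using only the public KEK, so the
// component that ingests passwords never holds the private key.
func Seal(tenantID string, kekVersion int, kek *rsa.PublicKey, password []byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32) // fresh AES-256 key per secret
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, password, []byte(tenantID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, []byte(tenantID))
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{tenantID, kekVersion, wrapped, nonce, ct}, nil
}

func unwrap(rec *EnvelopeRecord, kek *rsa.PrivateKey) ([]byte, error) {
	// The OAEP label binds the DEK to the tenant; a wrong key or label fails here.
	return rsa.DecryptOAEP(sha256.New(), nil, kek, rec.WrappedDEK, []byte(rec.TenantID))
}

// Open recovers the password; a wrong KEK, or any change to nonce, ciphertext
// or tenant ID, is rejected before any plaintext is returned.
func Open(rec *EnvelopeRecord, kek *rsa.PrivateKey) ([]byte, error) {
	dek, err := unwrap(rec, kek)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong tenant KEK or tampered record")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.TenantID))
	if err != nil {
		return nil, errors.New("decrypt failed: ciphertext, nonce or tenant ID tampered")
	}
	return pt, nil
}

// Rewrap moves a record to a new KEK version. Only the 32-byte DEK is unwrapped
// and re-wrapped; the password ciphertext is untouched, so rotating a tenant key
// costs one RSA operation per record rather than a re-encryption of every secret.
func Rewrap(rec *EnvelopeRecord, oldKEK *rsa.PrivateKey, newVersion int, newKEK *rsa.PublicKey) (*EnvelopeRecord, error) {
	dek, err := unwrap(rec, oldKEK)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, newKEK, dek, []byte(rec.TenantID))
	if err != nil {
		return nil, err
	}
	out := *rec
	out.KEKVersion, out.WrappedDEK = newVersion, wrapped
	return &out, nil
}

func main() {
	kek, _ := NewTenantKEK()
	rec, _ := Seal("tenant-a", 1, &kek.PublicKey, []byte("constructed-demo-password"))
	pt, err := Open(rec, kek)
	fmt.Println(string(pt), err)
}
```

Binding the tenant ID into both the OAEP label and the GCM additional data is what gives the "provable encryption boundary" between tenants: a record copied from one tenant's store into another's fails to unwrap even if both tenants' keys were somehow available to the same process. Each `unwrap` call is also the natural point to emit the key-access audit event the list above promises.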
See also: Blog post →
Real‑Time Audit Streaming to Your SIEM
Every privileged access event in GrantFlow will stream to your SIEM in real time — no scheduled polling, no gaps. Connect via webhooks, server-sent events, or long-polling to fit your infrastructure.
What it covers:
- Role activations, deactivations, approvals, and denials
- Account checkouts, password rotations, and drift incidents
- Delivery options: webhooks (push), SSE, and long-polling (pull)
- Filtering by event type, connector, or severity
Who benefits:
- Security operations: Continuous visibility without batch exports
- Compliance teams: Evidence collection in the systems you already use
See also: Blog post →
Centralized Session Management and Instant Revocation
Gain full visibility and control over every active GrantFlow session — with configurable lifetimes and the ability to revoke any session instantly.
What admins will see:
- Dashboard listing all active sessions with user, device, location, and age
- Per-tenant session lifetime policies (idle timeout, absolute expiry)
- One-click revocation for individual sessions or all sessions for a user
- Audit events for every session start, refresh, and termination
Who benefits:
- Admins: Immediate response to suspicious activity or compromised accounts
- Auditors: Complete session lifecycle records
See also: Blog post →
Reliability, Observability, and Scale
GrantFlow continues to harden the platform for scale and operability.
You’ll see:
- Retries with exponential backoff and dead‑letter handling
- Idempotency to prevent duplicate work
- End‑to‑end tracing and metrics for supportability
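The three bullets above, together with the jitter and backoff mentioned under the shipped directory-sync work, describe one pattern: a worker that retries transient failures with capped, jittered exponential backoff, refuses to repeat work it has already completed, and parks jobs it cannot finish in a dead-letter queue. The following is an added example of that pattern, not GrantFlow's implementation (the page gives no internals). It assumes an in-memory idempotency store and an injectable sleep function, and uses a constructed "revoke role" job whose idempotency key is derived from the intent rather than the delivery attempt, which is the property that prevents a redelivered queue message from revoking twice.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"time"
)

// ErrPermanent marks failures no retry can fix (e.g. principal does not exist);
// every other error is treated as transient (throttling, timeout, agent offline).
var ErrPermanent = errors.New("permanent failure")

// Job is one unit of provisioning work. The idempotency key is derived from
// the intent (what, for whom, which scheduled time), not from the delivery
// attempt, so a redelivered or duplicated queue message does not act twice.
type Job struct {
	IdempotencyKey string
	Attempts       int // recorded when the job is dead-lettered
}

type Outcome int

const (
	Done         Outcome = iota
	Skipped              // already completed under this idempotency key
	DeadLettered         // retries exhausted or permanent error
)

// Backoff returns the wait after a failed (1-based) attempt: base*2^(attempt-1),
// capped at max, with full jitter drawn uniformly from [0, delay] when rnd is
// given, so many connectors retrying together do not hit a dependency in lockstep.
func Backoff(attempt int, base, max time.Duration, rnd *rand.Rand) time.Duration {
	d := base << uint(attempt-1)
	if d <= 0 || d > max { // shift overflow or above the cap
		d = max
	}
	if rnd == nil {
		return d
	}
	return time.Duration(rnd.Int63n(int64(d) + 1))
}

// Worker processes jobs with retries, a dead-letter queue and an idempotency
// store. The store is an in-memory map here (assumption); a real deployment
// needs shared storage so every worker instance sees prior completions.
type Worker struct {
	MaxAttempts int
	Base, Max   time.Duration
	Sleep       func(time.Duration) // injectable; tests swap in a no-op
	DeadLetter  []Job
	Delays      []time.Duration // every wait taken, exposed for metrics/tracing
	completed   map[string]bool
	rnd         *rand.Rand
}

func NewWorker(maxAttempts int, base, max time.Duration, seed int64) *Worker {
	return &Worker{MaxAttempts: maxAttempts, Base: base, Max: max, Sleep: time.Sleep,
		completed: map[string]bool{}, rnd: rand.New(rand.NewSource(seed))}
}

// Process runs op for job. Transient errors are retried with backoff up to
// MaxAttempts; a permanent error or exhausted attempts dead-letter the job.
func (w *Worker) Process(job Job, op func() error) Outcome {
	if w.completed[job.IdempotencyKey] {
		return Skipped
	}
	for attempt := 1; ; attempt++ {
		err := op()
		if err == nil {
			w.completed[job.IdempotencyKey] = true
			return Done
		}
		if errors.Is(err, ErrPermanent) || attempt >= w.MaxAttempts {
			job.Attempts = attempt
			w.DeadLetter = append(w.DeadLetter, job)
			return DeadLettered
		}
		d := Backoff(attempt, w.Base, w.Max, w.rnd)
		w.Delays = append(w.Delays, d)
		w.Sleep(d)
	}
}

func main() {
	w := NewWorker(4, 100*time.Millisecond, 2*time.Second, 1)
	w.Sleep = func(d time.Duration) { fmt.Println("waiting", d) }
	calls := 0
	flaky := func() error { // constructed connector: fails twice, then succeeds
		calls++
		if calls < 3 {
			return errors.New("connector timeout")
		}
		return nil
	}
	key := "revoke:alice@example.com:Global Admin:2025-01-01T14:00Z" // constructed intent key
	fmt.Println("first delivery:", w.Process(Job{IdempotencyKey: key}, flaky))
	fmt.Println("redelivery:", w.Process(Job{IdempotencyKey: key}, flaky))
}
```

Two details matter for a privileged-access system specifically. First, the permanent/transient split decides how quickly a failed revocation becomes visible: a permanent error goes straight to the dead-letter queue, where an operator (or an "Activation Failed/Expired" notification) can pick it up, instead of burning the retry budget. Second, the `Delays` slice is the raw material for the tracing and metrics bullet; a rising count of long waits on one connector is an early signal of drift or outage before any revocation is actually missed.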
Preparing your team
If you want early access to any of the items above, contact your GrantFlow representative. We can coordinate enablement, test tenants, and feedback windows ahead of GA.
Questions or feature requests? Open a ticket in your organization’s channel or reach out to your GrantFlow contact. Your feedback helps shape the roadmap.