Welcome to GrantFlow
GrantFlow is an enterprise platform for just-in-time (JIT) privileged access management in Microsoft Entra ID and on-premises Active Directory environments. It eliminates standing privileges while maintaining operational efficiency through automation and approval workflows.
Quick Start
Onboarding for new tenants
If you are setting up GrantFlow in a customer tenant, start with the Entra ID Tenant Setup and the GrantFlow CLI. These guides walk you through creating tenant-scoped client apps and authenticating via device code.
Key Capabilities
Zero Standing Privileges
GrantFlow transforms your security posture by eliminating persistent privileged access. Users only receive the permissions they need, exactly when they need them — and those permissions are automatically revoked when the activation window expires.
Fast Activation
Role activations complete in under ten seconds. Once a request is submitted, GrantFlow routes it through automated approval workflows, provisions access in real time across your hybrid environment, and confirms the activation back to the user. Context-aware role recommendations help users pick the right role for the task at hand without navigating a complex catalog.
Complete Audit Trail
Every action in GrantFlow produces an immutable audit record. You can trace the full lifecycle of any access event: who requested it, what was approved or denied, when each step occurred, the justification provided, and which target resources were affected. These records feed directly into compliance reports and SIEM integrations.
Enterprise-Grade Security
All connectors operate on an outbound-only model, meaning no inbound firewall rules are required in your on-premises environment. Communication is encrypted end-to-end with TLS 1.3, and the platform follows a zero-trust architecture — every request is verified regardless of network origin.
Platform Architecture
GrantFlow integrates with your existing Microsoft infrastructure through lightweight connectors that bridge the cloud platform with your Entra ID tenants and on-premises Active Directory domains.
Core Features
| Feature | Description |
|---|---|
| Just-in-Time Access | Provision privileges only when needed, automatically revoke when done |
| Approval Workflows | Multi-level approval chains with delegation and escalation |
| Role Lifecycle Management | Automated creation, modification, and retirement of roles |
| Connector Health Monitoring | Real-time status of all connectors with automatic failover |
| Compliance Reporting | Pre-built reports for SOC 2, ISO 27001, and custom frameworks |
| API Integration | RESTful APIs for integration with ITSM and SIEM platforms |
User Experience
GrantFlow provides tailored interfaces for every user type.
For Operators
The self-service portal gives operators a mobile-responsive interface to browse the role catalog, request activations, and track active sessions. Smart search and filtering help you find the right role quickly, and automatic session extensions ensure you don't lose access mid-task.
For Reviewers
Approvers work from a unified inbox on the Requests page, where pending activations are prioritized by risk score. Bulk operations let you process multiple requests efficiently, and each request includes full context — justification, duration, and the target resources — so you can make informed decisions fast.
For Administrators
Administrators manage users, roles, and approval policies from a central console. Connector health metrics and job monitoring give you visibility into the state of every integration, while a comprehensive audit trail records every configuration change and access event across the platform.
Documentation Structure
This documentation is organized by audience so you can jump straight to the content that matters most.
User Guides
For operators requesting and using privileged access
Explore Guides →
Reviewer Guides
For approvers managing access requests
Review Process →
Admin Guides
For administrators configuring the platform
Admin Playbooks →
Benefits
Reduce Risk
Standing privileges are one of the most common attack vectors in enterprise environments. GrantFlow removes them entirely by enforcing just-in-time access with automatic revocation. Every activation is scoped to the minimum permissions required and limited in duration, which reduces the blast radius of a compromised account and helps you meet frameworks like SOC 2 and ISO 27001 without manual evidence gathering.
Improve Efficiency
Traditional access provisioning relies on tickets and manual intervention, often taking hours or days. GrantFlow replaces that with self-service requests, automated approval routing, and sub-ten-second provisioning. The result is fewer help desk tickets, faster time-to-access for your teams, and approval workflows that scale with your organization instead of bottlenecking it.
Before You Begin
To deploy GrantFlow, you need an Entra ID Global Administrator account (or equivalent permissions) and outbound HTTPS connectivity on port 443 from your on-premises environment. You should also have a service account ready for connector authentication, and it helps to document your approval workflow design and initial role catalog before starting the setup.
Ready to start? Head to the Getting Started Guide →