Basics
Quick start
Select one or more eligible roles in the Eligible Roles table, then click Activate. Fill in the duration and any required justification or ticket number, then confirm.
Advanced
Bulk operations
You can select multiple roles at once across Entra, Azure, and Groups. All selected roles are submitted in a single batch — each role's policy (max duration, MFA, approval) is respected individually.
Profiles
Activation profiles
Click Profiles to save your current selection. Profiles store role IDs, durations, and justifications in your browser's IndexedDB for one-click reuse.
Architecture
Zero-Backend SPA
This portal is a fully static single-page application. It talks directly to Microsoft Graph and Azure Resource Manager API endpoints using your delegated user token. No backend, no proxy, and no secrets are stored on any server.
Logic
Direct Integration
By using the MSAL library, we authenticate you directly against Entra ID. The portal then orchestrates the PIM API calls on your behalf, ensuring your credentials never leave your browser session.
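Added example, not the portal's own code: one way a browser client could build the Microsoft Graph self-activation requests for a bulk selection of Entra directory roles, capping each duration at that role's own policy maximum. The role and request object shapes, the use of Graph JSON batching, and all GUIDs are assumptions constructed for illustration; Azure resource and group activations use different endpoints and are not shown.

```javascript
// Entra role self-activation requests for Microsoft Graph (illustrative sketch).
const ENDPOINT = "/roleManagement/directory/roleAssignmentScheduleRequests";
const BATCH_LIMIT = 20; // Graph JSON batching accepts at most 20 requests per $batch call

// Minutes -> ISO 8601 duration, e.g. 90 -> "PT1H30M".
function isoDuration(minutes) {
  const h = Math.floor(minutes / 60), m = minutes % 60;
  return "PT" + (h ? h + "H" : "") + (m || !h ? m + "M" : "");
}

// Build one request body. `role` carries that role's own policy (hypothetical shape).
// These checks only give early feedback: PIM enforces the policy server-side.
function buildActivation(principalId, role, req) {
  if (role.requiresJustification && !(req.justification || "").trim())
    throw new Error("Justification required for " + role.name);
  if (role.requiresTicket && !req.ticketNumber)
    throw new Error("Ticket number required for " + role.name);
  const duration = isoDuration(Math.min(req.minutes, role.maxMinutes));
  const body = {
    action: "selfActivate", principalId, justification: req.justification,
    roleDefinitionId: role.roleDefinitionId, directoryScopeId: role.directoryScopeId,
    scheduleInfo: { startDateTime: req.start, expiration: { type: "AfterDuration", duration } },
  };
  if (req.ticketNumber) body.ticketInfo = { ticketNumber: req.ticketNumber };
  return body;
}

// Split bodies into $batch payloads; each entry succeeds or fails on its own.
function toBatches(bodies) {
  const batches = [];
  for (let i = 0; i < bodies.length; i += BATCH_LIMIT) {
    const requests = bodies.slice(i, i + BATCH_LIMIT).map((body, j) => ({
      id: String(i + j + 1), method: "POST", url: ENDPOINT,
      headers: { "Content-Type": "application/json" }, body,
    }));
    batches.push({ requests });
  }
  return batches;
}

// Constructed sample data: placeholder GUIDs, not real tenant values.
const ME = "00000000-0000-0000-0000-0000000000aa";
const SAMPLE_ROLES = [
  { name: "Role A", roleDefinitionId: "00000000-0000-0000-0000-000000000001",
    directoryScopeId: "/", maxMinutes: 60, requiresJustification: true },
  { name: "Role B", roleDefinitionId: "00000000-0000-0000-0000-000000000002",
    directoryScopeId: "/", maxMinutes: 480, requiresTicket: true },
];
const REQ = { minutes: 240, justification: "Constructed example",
  ticketNumber: "TICKET-PLACEHOLDER", start: "2024-01-01T00:00:00Z" };
const SAMPLE_BATCHES = toBatches(SAMPLE_ROLES.map((r) => buildActivation(ME, r, REQ)));
```

Each payload would be POSTed to the Graph `$batch` endpoint with the delegated token MSAL returns; the per-request responses show which roles activated and which were refused by policy.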
Q&A
Frequently Asked Questions
Does it store my tokens? No, tokens are kept in browser memory and handled by MSAL.
Does it need admin consent? Only if your tenant requires it for delegated permissions like reading role eligibility.
Can I use it with my own app? Yes, the self-hosted version allows providing your own Client ID and Tenant ID.