Settings
Default duration
Your preferred default duration, in hours, when activating roles.
Quick Actions
Choose which settings are available in the header.
Appearance
Choose your preferred color theme.
Show active roles in eligible list
If disabled, already-active roles are hidden from the eligible table.
Show inactive policies
Display inactive policies (e.g. MFA) as greyed-out labels.
Eligible roles on top
Show eligible roles above active roles.
Remember collapsed sections
Sections remember their collapsed/expanded state across refreshes. Turn off to always expand all sections on load.
Remember filter bar state
Remembers whether the eligible roles filter bar is expanded or collapsed across refreshes.
Per-tenant profiles
Show only profiles saved for the current tenant. Profiles saved while this is off are visible in all tenants.
Enable only what you need — consent is requested per surface.
Manual
Quick Start
Activate a role in 3 steps
1. Sign in: Authenticate via the Microsoft button.
2. Select roles: Check one or more eligible roles in the table. Entra, Azure, and Group roles can be mixed in one selection.
3. Activate: Click Activate, set duration (capped by policy), add justification if required, and confirm.
Multiple tenants?
Use the tenant selector in the header — repeat the 3 steps above for each tenant independently.
Done this before?
Open Profiles and load a saved selection — it skips step 2 entirely and pre-fills duration and justification.
All Capabilities
What this portal can do
Cross-Tenant
Manage roles across multiple tenants. Each tenant authenticates independently with its own isolated session.
Activation Profiles
Save named combinations of roles, duration, and justification for one-click reuse.
Bulk Activation
Select and activate roles across Entra, Azure, and Groups in a single batch submission.
Policy Enforcement
Duration caps, MFA step-up, and justification or ticket validation — enforced per-role automatically.
Expiry Tracking
Live countdown timers and color-coded warnings — know exactly when each active role expires.
Smart Filtering
Instant search, surface grouping, custom quick filters, and persistent filter bar state.
Quick Actions
Pin Appearance and the inactive policies toggle to the header for instant access.
Zero Backend
Static SPA — all calls go directly to Microsoft Graph and ARM. No server, no proxy, no secrets stored.
Architecture
Direct API access, no backend
A fully static single-page application. Your browser authenticates via MSAL and calls Microsoft Graph and ARM directly — no backend, no proxy. Switching tenants starts a fresh auth flow; each tenant's token and session are fully isolated.
Browser authenticates via MSAL → Entra ID
Entra ID issues an access token (held in memory only)
Portal calls Microsoft Graph / ARM APIs directly
No backend — no proxy — nothing touches a server
Token & Data Storage
What lives where
| What | Where stored | Lifetime |
|---|---|---|
| Access tokens | In-memory (MSAL) | ~1 hr, auto-refreshed |
| Refresh tokens | sessionStorage | Tab lifetime |
| Activation profiles | IndexedDB (local) | Until deleted |
| Settings & flags | localStorage | Persistent |
Are my tokens stored anywhere?
Access tokens are in MSAL's in-memory cache only — never written to disk. Refresh tokens use sessionStorage and are cleared when the tab closes. See How it works for the full breakdown.
Is anything sent to a backend?
No. There is no backend. Every call goes directly from your browser to Microsoft's Graph and ARM endpoints — the app is static files only.
Does it need admin consent?
Delegated permissions to read PIM role eligibility may require admin consent. The portal will prompt if additional consent is needed.
Can I self-host it?
Yes. Provide your own Client ID and Tenant ID in the MSAL config. The portal is a static HTML/JS/CSS bundle — host it anywhere (Azure Static Web Apps, GitHub Pages, etc.). Go back to the home site for the self-hosting option.
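For self-hosting, the following added example (not the portal's own code) builds an MSAL Browser configuration pinned to a single tenant and audits a configuration for settings that would weaken the isolation and storage model described above. The function names `buildMsalConfig` and `auditMsalConfig` are hypothetical, and the choice of `cacheLocation: "sessionStorage"` is an assumption taken from the storage table.

```javascript
// Added example. GUIDs, URLs and function names are constructed placeholders.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const SHARED_AUTHORITIES = ["common", "organizations", "consumers"];

// Build an MSAL Browser configuration pinned to exactly one tenant.
function buildMsalConfig(clientId, tenantId, redirectUri) {
  if (!GUID.test(clientId)) throw new Error("clientId must be a GUID");
  if (!GUID.test(tenantId)) throw new Error("tenantId must be a GUID");
  return {
    auth: {
      clientId,
      // Tenant-specific authority instead of a shared endpoint.
      authority: `https://login.microsoftonline.com/${tenantId}`,
      redirectUri,
    },
    // Assumption: matches the page's table (sessionStorage, tab lifetime).
    cache: { cacheLocation: "sessionStorage" },
  };
}

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// Return findings for settings that weaken tenant isolation or token storage.
function auditMsalConfig(cfg) {
  const findings = [];
  const auth = cfg.auth || {};
  const cache = cfg.cache || {};
  const authority = parseUrl(auth.authority);
  if (!authority) {
    findings.push("authority is missing or not a valid URL");
  } else {
    if (authority.protocol !== "https:") findings.push("authority must use https");
    const tenant = authority.pathname.split("/").filter(Boolean)[0] || "";
    if (SHARED_AUTHORITIES.includes(tenant.toLowerCase()))
      findings.push(`authority "${tenant}" is shared across tenants`);
  }
  if (cache.cacheLocation === "localStorage")
    findings.push("localStorage keeps cached tokens after the tab closes");
  const redirect = parseUrl(auth.redirectUri);
  if (!redirect) findings.push("redirectUri is missing or not an absolute URL");
  else if (redirect.protocol !== "https:" && redirect.hostname !== "localhost")
    findings.push("redirectUri must use https (localhost excepted)");
  return findings;
}
```

The object returned by `buildMsalConfig` has the shape MSAL Browser's `PublicClientApplication` constructor accepts; run `auditMsalConfig` over a deployment's actual config before publishing the bundle.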