Certificate Template Access
Certificate templates define how certificate requests are created, approved, automated, and delivered in AZExecute. Template access lets you give specific users or AZExecute tenant groups access to a certificate template without making them Operators or TenantAdmins.
This helps teams share certificate workflows with the people who need them, while keeping tenant-wide administration limited to trusted administrators.
When to Use Template Access
Use certificate template access when a user or team needs to work with one or more certificate templates, but should not receive broad operational access across the tenant.
Application teams can use approved templates for their own certificate needs.
They do not need access to every certificate template in the tenant.
Platform teams can let business units manage their own template settings.
Editor access can be scoped to only the templates they own operationally.
Auditors and reviewers can receive read-only visibility.
Viewer access is useful when a person needs insight but not the ability to change anything.
How Access Is Evaluated
AZExecute combines the user's tenant role, direct template grants, and AZExecute tenant-group grants to determine the highest access level available for a certificate template.
Tenant Role
Operators and TenantAdmins keep their normal administrative access to certificate templates.
Direct User Access
A specific user can be added directly to a template with Viewer, User, Editor, or Owner access.
Tenant Group Access
AZExecute tenant groups can be added to a template so membership controls access for a team.
Access Levels
Each certificate template access entry has one access level. Choose the lowest level that supports the user's real work.
| Access | Best For | What The User Can Do |
|---|---|---|
| Viewer | Auditors, reviewers, support staff, and stakeholders who need visibility. | Open the Certificates area, view allowed templates, and read template details. |
| User | People who need to use an approved certificate workflow. | View the template and use it for certificate work where the template configuration allows it. |
| Editor | Template maintainers and platform delegates. | Use the template and edit template configuration and related automation details. |
| Owner | Template owners and backup owners. | Full template control, including access management and ownership-level actions. |
Adding Access
Owners, Operators, and TenantAdmins can add access from the certificate template's Access tab.
Add Users
1. Open Certificates and select the certificate template.
2. Open the Access tab.
3. Click Add access.
4. Choose the access level to assign.
5. On Users, search for people from Microsoft Entra ID and select the users to add.
6. Review Selected users, then add them to the template.
Add Tenant Groups
1. Open the same Add access dialog.
2. Choose the access level to assign.
3. Open Groups.
4. Search for AZExecute tenant groups and select the groups to add.
5. Review Selected groups, then add them to the template.
Reviewing and Changing Access
The template Access tab shows all direct user and tenant-group access entries for the selected certificate template.
Change access level
Update the access dropdown for the user or group, then save.
Remove access
Remove the direct entry when the user or group should no longer have access through that grant.
Review group membership
If a user still has access after a direct entry is removed, check whether they belong to an AZExecute tenant group that still has access.
What Users See
Users with direct or tenant-group access can open the Certificates area even if their overall role is only User. The list shows certificate templates they are allowed to view or use.
• Users see only templates they are allowed to access, plus any templates available through their tenant role.
• Read-only users can review template details but cannot change configuration.
• Users with enough access can use the template for certificate work according to the template configuration.
• Editors and Owners see management actions for templates where they have those permissions.
Security and Governance Best Practices
Prefer groups for stable teams
Use AZExecute tenant groups when access should follow a team instead of an individual person.
Use Viewer for review-only access
Do not grant User, Editor, or Owner unless the person needs to perform those actions.
Keep at least two Owners for important templates
This reduces operational risk if one person is unavailable or changes role.
Review access regularly
Include certificate template access in joiner, mover, leaver, and periodic access review processes.
Separate tenant administration from template ownership
A team can own its templates without needing broad tenant or operator rights.
Troubleshooting
User Cannot See Certificates
• Confirm the user has Viewer or higher access on at least one certificate template.
• If access is through a tenant group, confirm the user is a member of that AZExecute tenant group.
• Ask the user to refresh the page or sign in again after access changes.
User Can See the Template but Cannot Change It
• Viewer and User access are not editor roles.
• Grant Editor if the user should maintain template configuration.
• Grant Owner only if the user should also manage template access.
Removed User Still Has Access
• Check whether the user belongs to an AZExecute tenant group that still has access.
• Check whether the user has Operator or TenantAdmin role access.
• Remove or lower the remaining grant that provides the higher access level.
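The evaluation rule from How Access Is Evaluated and the checks under Removed User Still Has Access, as an added example that is not AZExecute's own code. It models grants with hypothetical names (`Template`, `grant_sources`, `effective_access`, `direct_owners`) on constructed sample data, and assumes Operator and TenantAdmin count as Owner-equivalent on every template.

```python
from dataclasses import dataclass, field

# Access levels from the page, lowest to highest.
LEVELS = ["Viewer", "User", "Editor", "Owner"]
# Assumption: Operator/TenantAdmin are modelled as Owner-equivalent everywhere.
ADMIN_ROLES = {"Operator", "TenantAdmin"}

@dataclass
class Template:
    name: str
    user_grants: dict = field(default_factory=dict)   # user -> level
    group_grants: dict = field(default_factory=dict)  # tenant group -> level

def grant_sources(user, tenant_role, groups, template):
    """Return every (source, level) pair that gives `user` access."""
    sources = []
    if tenant_role in ADMIN_ROLES:
        sources.append((f"tenant role {tenant_role}", "Owner"))
    if user in template.user_grants:
        sources.append(("direct grant", template.user_grants[user]))
    for group in sorted(groups):
        if group in template.group_grants:
            sources.append((f"group {group}", template.group_grants[group]))
    return sources

def effective_access(user, tenant_role, groups, template):
    """Highest level across all sources, or None when nothing grants access."""
    levels = [lvl for _, lvl in grant_sources(user, tenant_role, groups, template)]
    return max(levels, key=LEVELS.index) if levels else None

def direct_owners(template):
    """Users holding a direct Owner grant, for the two-Owner check."""
    return sorted(u for u, lvl in template.user_grants.items() if lvl == "Owner")

# Constructed sample data: one template, one user in two tenant groups.
tpl = Template(
    name="web-tls",
    user_grants={"alice": "Owner", "bob": "Editor"},
    group_grants={"app-team": "User", "auditors": "Viewer"},
)
bob_groups = {"app-team", "auditors"}

if __name__ == "__main__":
    print(effective_access("bob", "User", bob_groups, tpl))  # Editor
    del tpl.user_grants["bob"]                                # remove direct entry
    print(effective_access("bob", "User", bob_groups, tpl))  # User
    print(grant_sources("bob", "User", bob_groups, tpl))     # remaining grants
    print(len(direct_owners(tpl)) >= 2)                       # False
```

After the direct Editor entry is removed, the remaining sources show that the user still holds User access through a group grant, which is the grant to remove or lower.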