Certificate Template Access

Certificate templates define how certificate requests are created, approved, automated, and delivered in AZExecute. Template access lets you give specific users or AZExecute tenant groups access to a certificate template without making them Operators or TenantAdmins.

This helps teams share certificate workflows with the people who need them, while keeping tenant-wide administration limited to trusted administrators.


When to Use Template Access

Use certificate template access when a user or team needs to work with one or more certificate templates, but should not receive broad operational access across the tenant.

Application teams can use approved templates for their own certificate needs.

They do not need access to every certificate template in the tenant.

Platform teams can let business units manage their own template settings.

Editor access can be scoped to only the templates they own operationally.

Auditors and reviewers can receive read-only visibility.

Viewer access is useful when a person needs insight but not the ability to change anything.

Key principle: Keep tenant roles broad and template access precise. Assign Operator or TenantAdmin only when the person needs tenant-wide operational capabilities.


How Access Is Evaluated

AZExecute combines the user's tenant role, direct template grants, and AZExecute tenant-group grants to determine the highest access level available for a certificate template.

Tenant Role

Operators and TenantAdmins keep their normal administrative access to certificate templates.

Direct User Access

A specific user can be added directly to a template with Viewer, User, Editor, or Owner access.

Tenant Group Access

AZExecute tenant groups can be added to a template so membership controls access for a team.

Highest access wins: If a user has Viewer directly but belongs to a group with Editor access, they are treated as Editor for that certificate template.

Tenant boundary: Template access never crosses tenant boundaries. Users and tenant groups are evaluated only within the tenant where the certificate template exists.


Access Levels

Each certificate template access entry has one access level. Choose the lowest level that supports the user's real work.

Viewer

Best for: Auditors, reviewers, support staff, and stakeholders who need visibility.

What the user can do: Open the Certificates area, view allowed templates, and read template details.

User

Best for: People who need to use an approved certificate workflow.

What the user can do: View the template and use it for certificate work where the template configuration allows it.

Editor

Best for: Template maintainers and platform delegates.

What the user can do: Use the template and edit template configuration and related automation details.

Owner

Best for: Template owners and backup owners.

What the user can do: Full template control, including access management and ownership-level actions.

Operational note: DNS provider and tenant integration settings remain administrative areas. Template access controls the certificate template workflow, not tenant-wide integration configuration.


Adding Access

Owners, Operators, and TenantAdmins can add access from the certificate template's Access tab.

Add Users

1. Open Certificates and select the certificate template.

2. Open the Access tab.

3. Click Add access.

4. Choose the access level to assign.

5. On Users, search for people from Microsoft Entra ID and select the users to add.

6. Review Selected users, then add them to the template.

When a searched Entra user is not already known to AZExecute, the user record is created as part of adding access.


Add Tenant Groups

1. Open the same Add access dialog.

2. Choose the access level to assign.

3. Open Groups.

4. Search for AZExecute tenant groups and select the groups to add.

5. Review Selected groups, then add them to the template.

Group source: Certificate template group access uses AZExecute tenant groups, not Microsoft Graph groups. Manage tenant group membership from the tenant group management area.


Reviewing and Changing Access

The template Access tab shows all direct user and tenant-group access entries for the selected certificate template.

Change access level

Update the access dropdown for the user or group, then save.

Remove access

Remove the direct entry when the user or group should no longer have access through that grant.

Review group membership

If a user still has access after a direct entry is removed, check whether they belong to an AZExecute tenant group that still has access.

Changes apply to the certificate template immediately after they are saved. Users may need to refresh their browser to see updated navigation.


What Users See

Users with direct or tenant-group access can open the Certificates area even if their overall role is only User. The list shows certificate templates they are allowed to view or use.

• Users see only templates they are allowed to access, plus any templates available through their tenant role.

• Read-only users can review template details but cannot change configuration.

• Users with enough access can use the template for certificate work according to the template configuration.

• Editors and Owners see management actions for templates where they have those permissions.

Good user experience: Users do not need to understand tenant roles to use a shared template. If they have access, the Certificates menu and template page become available automatically.


Security and Governance Best Practices

Prefer groups for stable teams

Use AZExecute tenant groups when access should follow a team instead of an individual person.

Use Viewer for review-only access

Do not grant User, Editor, or Owner unless the person needs to perform those actions.

Keep at least two Owners for important templates

This reduces operational risk if one person is unavailable or changes role.

Review access regularly

Include certificate template access in joiner, mover, leaver, and periodic access review processes.

Separate tenant administration from template ownership

A team can own its templates without needing broad tenant or operator rights.


Troubleshooting

User Cannot See Certificates

• Confirm the user has Viewer or higher access on at least one certificate template.

• If access is through a tenant group, confirm the user is a member of that AZExecute tenant group.

• Ask the user to refresh the page or sign in again after access changes.


User Can See the Template but Cannot Change It

• Viewer and User access are not editor roles.

• Grant Editor if the user should maintain template configuration.

• Grant Owner only if the user should also manage template access.


Removed User Still Has Access

• Check whether the user belongs to an AZExecute tenant group that still has access.

• Check whether the user has Operator or TenantAdmin role access.

• Remove or lower the remaining grant that provides the higher access level.
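
The "highest access wins" and tenant-boundary rules from How Access Is Evaluated, together with the checks in the list above, can be modelled as follows. This is an added example for access reviews, not AZExecute code: the Grant record, the function names, and the sample tenants, users and groups are hypothetical, and the Viewer < User < Editor < Owner ordering is assumed from the order in which the page lists the levels. The tenant role is reported as a separate flag because the page does not map Operator or TenantAdmin onto a template level.

```python
from dataclasses import dataclass

# Assumed ordering, lowest to highest, following the order the page lists the levels.
LEVELS = ["Viewer", "User", "Editor", "Owner"]
ADMIN_ROLES = {"Operator", "TenantAdmin"}  # tenant roles named on the page

@dataclass(frozen=True)
class Grant:            # hypothetical record for one Access-tab entry
    tenant: str
    template: str
    kind: str           # "user" or "group"
    principal: str      # user name or AZExecute tenant-group name
    level: str

def explain_access(user, tenant_role, groups, template, tenant, grants):
    """Return (effective_level, admin_via_role, contributing_grants).

    user   -- dict with "name" and "tenant"
    groups -- set of (tenant, group_name) pairs the user belongs to
    """
    # Tenant boundary: nothing is evaluated outside the template's tenant.
    if user["tenant"] != tenant:
        return None, False, []
    matched = [
        g for g in grants
        if g.tenant == tenant and g.template == template and (
            (g.kind == "user" and g.principal == user["name"]) or
            (g.kind == "group" and (tenant, g.principal) in groups))
    ]
    # Highest access wins across direct and tenant-group grants.
    matched.sort(key=lambda g: LEVELS.index(g.level), reverse=True)
    effective = matched[0].level if matched else None
    return effective, tenant_role in ADMIN_ROLES, matched

def blocking_grants(matched, target_level=None):
    """Grants to remove or lower so access drops to target_level
    (None means no template access at all)."""
    limit = -1 if target_level is None else LEVELS.index(target_level)
    return [g for g in matched if LEVELS.index(g.level) > limit]

# Constructed sample data (not exported from AZExecute).
GRANTS = [
    Grant("contoso", "web-tls", "user", "alice", "Viewer"),
    Grant("contoso", "web-tls", "group", "platform-delegates", "Editor"),
    Grant("fabrikam", "web-tls", "group", "platform-delegates", "Owner"),
]
ALICE = {"name": "alice", "tenant": "contoso"}
ALICE_GROUPS = {("contoso", "platform-delegates")}
```

With the sample data, removing Alice's direct Viewer entry leaves her at Editor through the group grant, and the same-named group grant in the other tenant never contributes.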
