Application Access
Welcome to the Roles and Access documentation for AZExecute. This guide provides detailed information on how to assign roles and manage access within the application.
Role Assignment and Access Control
By default, users can sign in unless access is restricted by your tenant's Enterprise Application settings or Conditional Access policies. AZExecute uses Microsoft Authentication Library (MSAL), so sign-in follows your organization's Entra ID controls such as Conditional Access and MFA.
The first user to log into AZExecute from a given tenant is assigned the TenantAdmin role. This role provides full administrative rights within the application.
Assigning Users and Groups in Azure
Roles within AZExecute are primarily managed from within the application by users with the TenantAdmin role. Enterprise Application assignments in Entra ID are also evaluated during sign-in; the special AZExecute.Admin app role can force TenantAdmin access for eligible users, while normal User, Operator, and TenantAdmin role management is stored in AZExecute.
To assign users and groups access to AZExecute, navigate to the Azure portal and select the Enterprise Application. From there, go to the "Users and groups" section.
Provide specific users and groups with the necessary roles to access the application. This step is crucial for managing who can access and administer AZExecute.
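An added example, not part of the AZExecute documentation: a read-only Microsoft Graph PowerShell audit of the two Entra ID settings described above, namely whether assignment is required for sign-in and which principals hold the AZExecute.Admin app role. It assumes the Enterprise Application's display name is AZExecute and that the Microsoft.Graph PowerShell module is installed.

```powershell
# Added example: audit Entra ID settings that affect who can reach AZExecute.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

$AppDisplayName = 'AZExecute'        # assumption: Enterprise Application name in your tenant
$AdminRoleValue = 'AZExecute.Admin'  # app role named in this guide

# Read-only scope is enough for both checks.
Connect-MgGraph -Scopes 'Application.Read.All'

$found = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" -All)
if ($found.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($found.Count)."
}
$sp = $found[0]

# 1. Is sign-in limited to assigned users and groups?
if (-not $sp.AppRoleAssignmentRequired) {
    Write-Warning 'Assignment is not required: any user in the tenant can sign in, subject to Conditional Access.'
}

# 2. Which principals hold the app role that can force TenantAdmin?
$adminRole = $sp.AppRoles | Where-Object { $_.Value -eq $AdminRoleValue }
if (-not $adminRole) {
    Write-Warning "App role '$AdminRoleValue' is not defined on this service principal."
}

# Map app role ids to their values so each assignment can be labelled.
$roleNames = @{}
foreach ($r in $sp.AppRoles) { $roleNames[[string]$r.Id] = $r.Value }

Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $roleId = [string]$_.AppRoleId
        [pscustomobject]@{
            Principal         = $_.PrincipalDisplayName
            Type              = $_.PrincipalType   # User, Group or ServicePrincipal
            AppRole           = if ($roleNames.ContainsKey($roleId)) { $roleNames[$roleId] } else { '(default access)' }
            HoldsAdminAppRole = [bool]($adminRole -and $roleId -eq [string]$adminRole.Id)
            AssignedOn        = $_.CreatedDateTime
        }
    } |
    Sort-Object HoldsAdminAppRole -Descending |
    Format-Table -AutoSize
```

A group listed with HoldsAdminAppRole set to True passes the role to its members, so review that group's membership as well.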
Managing User Access within AZExecute
Once users have logged into the application, their access can be managed from the "System Access" section within AZExecute. TenantAdmins can assign roles such as User or Operator to other users.
For instance, a user can be assigned the "TenantAdmin" role to grant them full access or the "Operator" role for more restricted access.