Frequently asked questions about the first public release.

## General

### Why a browser portal? You already have a PowerShell module.

The PowerShell module is the original tool and remains the right answer for power users, automation, and CI / CD. The portal exists for the people on your team who don't want to install PowerShell, manage modules, or troubleshoot WAM brokers — and for the moments when you're on a borrowed machine, on mobile, or just want a click-through. Both projects share the same activation model and policy handling.

### Is it really safe?

Yes, with the same caveat that applies to any browser-based tool: the portal trusts the browser session it runs in. Tokens are held in `sessionStorage` only and disappear when you close the tab. Every privileged call goes directly from your browser to Microsoft. There is no backend, no proxy, no telemetry. See [[Security and Privacy|Security-and-Privacy]] for the full breakdown including the Content Security Policy and threat model.

### Do you store my tokens?

No. There is no server-side anything. Tokens live in `sessionStorage` and are cleared when the tab closes. The portal also persists no tokens to `localStorage`, IndexedDB, or cookies.

### Do you collect telemetry or analytics?

No. The Content Security Policy enforces this — the only network destinations the portal can talk to are `login.microsoftonline.com`, `graph.microsoft.com`, `management.azure.com`, and `cdn.jsdelivr.net` (for the MSAL.js bundle).

## Using the portal

### Can I use it on mobile?

Yes — and you can install it. The portal is responsive across mobile Safari, mobile Chrome, mobile Edge, and Firefox for Android. On iOS / iPadOS, use Safari's Share sheet → **Add to Home Screen** to install it as a PWA. On Android, Chrome offers **Install app** / **Add to Home screen** from the menu. Either way it launches in its own window with its own icon and no browser chrome.
Some MFA / Conditional Access flows are easier on desktop, but bulk activation works fine on a phone.

### Can I install it on desktop too?

Yes. In Chrome or Edge, click the **Install app** icon in the address bar (or browser menu → **Install PIMActivation Portal**). It launches in a standalone window with its own icon — the same portal, just without browser chrome.

### Can it run offline?

No. The portal is installable as a PWA, but it does not ship a service worker — every privileged call goes to Microsoft Graph or ARM, so a network connection is required even from the installed app.

### Can I activate roles in a tenant where I'm a guest?

Yes. Use the **tenant switcher** in the header to switch directories. Your eligibilities in that tenant — Entra roles, Azure Resource roles, and PIM Groups — appear as if you were signed in there directly.

### My organization requires admin consent. What now?

An administrator in **your** tenant can pre-consent the application using the standard `/adminconsent` endpoint. The tenant in the URL is the consenting tenant (yours), not the publisher's:

```text
https://login.microsoftonline.com//adminconsent?client_id=
```

For the managed portal at `portal.pimactivation.com`, the client ID is `d3e13acf-c60d-46b4-b8e7-c077a7bf532a`. A ready-to-click URL that lets the admin pick the directory at sign-in:

For self-hosted deployments, use the `adminConsentUrl` output emitted by the Bicep deployment (it already contains your client ID and tenant ID).

### Why does it sometimes ask me to sign in again mid-operation?

That is the Conditional Access auth-context step-up flow. A role's policy requires you to satisfy a stronger authentication (typically MFA or a compliant device claim) before activation. The portal threads the resulting claims into every subsequent request in the operation, so you only see the prompt once per step-up requirement.

## Activation profiles

### Where are profiles stored?

In your browser's IndexedDB.
They survive across sessions on the same browser profile and they don't leave the browser unless you explicitly export them. See [[Activation Profiles → Importing and exporting|Activation-Profiles#importing-and-exporting]] to move them between browsers, devices, or teammates.

### Can I share a profile with a teammate?

Yes. Open the **Profiles** modal and click **Export** in the footer to download a JSON file containing your profiles, then have your teammate click **Import** in the same modal. Tenant scoping is preserved on import.

The JSON file contains only the profile metadata — names, role uids, defaults, and tenant scope. It contains no tokens or claims. Note that role uids are tenant-specific: a teammate importing your file in a different tenant will see the profile but its roles will appear as unavailable.

### Why don't I see profiles I created in another tenant?

If you have **Tenant-scoped profiles** enabled in Settings, profiles only appear when you're signed in to the matching tenant. Disable the setting to see all profiles regardless of tenant.

## Self-hosting

### How do I run my own copy?

See [[Self-Hosted Deployment|Self-Hosted-Deployment]]. There is a one-click **Deploy to Azure** button in the [README](https://github.com/Noble-Effeciency13/PIMActivation-Portal#self-hosted-azure-deployment) and a full Bicep template you can `az deployment group create` against directly.

### Does self-hosting cost anything?

The default SKU is **Free** for Azure Static Web Apps. The other resources created (a managed identity, a small storage account for source caching) cost a few cents per month at most. Choose the **Standard** SKU if you need custom domain SSL with private endpoints, deployment-staging environments, or higher quotas.

### Can I customize the branding?

Today the portal does not expose a branding configuration surface — to change the favicon, name, or theme palette you need to edit the source. PRs welcome.
### Can I run two self-hosted deployments side by side?

Yes. Each deployment is bound to its own app registration. Just create a separate app registration for each and pass its client ID to the Bicep template.

## Limitations

### What's *not* in the first release?

- Activation history sourced from the Entra audit log surface (only in-session activity history is shown today)
- Polling for approval-required role state changes (you must refresh manually)
- Cross-device profile sync (profiles are per-browser-profile; use JSON import / export to move them)
- Localization / right-to-left layouts
- Built-in scheduling beyond a future start time

See [[Roadmap|Roadmap]] for what's planned.

### What's permanently out of scope?

- A backend, a proxy, or any server-side component
- Application permissions or any client secret in the SPA
- Persisting tokens outside `sessionStorage`
- Telemetry, analytics, or any third-party API call beyond the Microsoft endpoints listed above