-
Notifications
You must be signed in to change notification settings - Fork 0
Onboarding a Lab Tenant
"Onboarding" means giving Lab Tenant Manager permission to manage a Microsoft 365 lab tenant. It requires the lab tenant's Global Admin to consent once via a URL you generate.
After onboarding, the app uses app-only client credentials (MS Graph) and a stored delegated Power Platform token (Key Vault) for all subsequent operations — no recurring access from the global admin.
-
Master Admin — sees and manages all tenants. Configured via
TENANT_MASTER_ADMIN_EMAILS. -
Tenant Admin — can access and manage only the tenants they onboarded or were explicitly granted access to. Configured via
TENANT_ADMIN_EMAILS. - Tenant ownership — the user who onboards a tenant automatically becomes its manager.
- Delegated management — a tenant admin can share management rights with other admins directly from the tenant detail page.
Environment variables:
TENANT_ADMIN_EMAILS=user1@example.com,user2@example.com
TENANT_MASTER_ADMIN_EMAILS=masteradmin@example.comIf neither variable is set, the previous behavior is preserved for backward compatibility: all authenticated users are allowed.
- Sign in to the app with your operator tenant account.
- Go to Tenants → New Tenant.
- Fill in:
-
Domain — the lab tenant's
*.onmicrosoft.comdomain (or primary custom domain) - Security group name — an Entra ID security group in the lab tenant that participants will be added to (the group must already exist)
-
Domain — the lab tenant's
- Click Save. The tenant status will be
pending_consent.
On the tenant detail page, click Generate Onboarding Link.
Copy the URL — it encodes an OAuth state token and has a 30-minute expiry.
The lab tenant's Global Admin must open the URL in a browser where they are signed into the lab tenant. They will see a Microsoft consent screen requesting:
- All Application permissions (Graph — User, Group, Directory, License, Mail.Send)
- Power Platform delegated permission (
Userscope)
Once they consent, the app stores the delegated refresh token in Key Vault and marks the tenant as active.
Before running a workshop, use Pre-flight checks on the tenant detail page to verify:
| Check | Description |
|---|---|
| ✅ Tenant reachable | App can authenticate to the lab tenant via client credentials |
| ✅ Security group exists | The configured group ID resolves in the tenant directory |
| ✅ Licenses available | Sufficient Microsoft 365 licenses for the expected participant count |
| ✅ Delegated token valid | Power Platform refresh token is present in Key Vault and can be exchanged |
If check #4 fails, use 🔄 Re-authorize Delegated Token (see below).
- Go to the Codes tab on the tenant page.
- Click New Code — set an optional expiry date and usage limit.
- Optionally set a Sender Email Address override (must be a mailbox in your operator tenant).
- Optionally add a Welcome Message included at the top of each credential email.
- Share the code with participants — they go to
https://<your-fqdn>/redeem.
- Participant opens
/redeem, enters the workshop code and their personal email address. - The app creates a
labadmin*user in the lab tenant, assigns a license via the security group, provisions a Power Platform Developer environment, sets Dataverse System Admin role, and routes the Maker Welcome experience to the personal environment. - Credentials (username, password, Power Apps URL, Copilot Studio URL) are shown on screen and sent by email.
Power Platform delegated refresh tokens can expire (typically after 90 days of inactivity) or may be missing if the global admin skipped Power Platform consent during onboarding.
- On the tenant detail page, click 🔄 Re-authorize Delegated Token.
- A new consent URL is generated. Send it to the lab tenant Global Admin.
- After they consent, the token in Key Vault is refreshed — no other tenant data is affected.
The Cleanup action on the tenant page removes all labadmin* users and their Developer environments, ready for the next workshop.
# You can also verify cleanup via CLI:
az containerapp logs show -n ca-ltm -g rg-lab-tenant-manager --followOn the Users tab of a tenant:
- See all provisioned accounts with claim status and participant email
- Edit the participant email address inline
- Click ✉️ to resend the credential email at any time