
Onboarding your tenant in Routty

Access to Routty is securely managed through your organization’s Microsoft Entra ID (formerly Azure Active Directory). The onboarding flow uses Microsoft’s standard enterprise app model, consent, and OAuth 2.0/OpenID Connect for sign-in.

Prerequisites

  • Tenant ID (Directory ID) — the GUID of your Microsoft Entra tenant.

  • Group Object ID (optional) — the object ID of the security group that will control access to Routty.

    • Where to find it: Entra admin center → Entra ID → Groups → select your group → Object ID (Microsoft docs: How to manage groups).

  • Admin role to complete onboarding — a Cloud Application Administrator (or Application/Privileged Role Administrator) should open the consent link and manage assignments (Microsoft docs: Assign Microsoft Entra roles).

License note (if using group assignment) — group-based assignment to apps requires Microsoft Entra ID P1/P2 (Microsoft docs: Use a group to manage access to SaaS apps).

Onboarding steps (5–10 minutes)

  1. Share your IDs with Routty
    Provide your Tenant ID and Group Object ID (see prerequisites).

  2. Open the secure admin consent link
    Your admin follows the consent URL we (or your implementation partner) provide. This performs tenant-wide admin consent and provisions Routty as an Enterprise application (service principal) in your tenant.

  3. Assign users or groups
    Enterprise apps → Routty → Users and groups → Add user/group → select your security group (or individual users).

  4. Verify sign-in
    Users in the assigned group can now sign in to Routty using Microsoft Entra authentication (the Microsoft login page).


Technical details

Enterprise application (service principal)

When your admin grants consent, Microsoft creates a service principal for Routty in your tenant (visible under Enterprise applications). This is the identity object you assign users/groups to, and where you enforce “assignment required” (Microsoft docs: Apps & service principals in Microsoft Entra ID).

Protocols & flows

Routty uses OAuth 2.0 and OpenID Connect (OIDC) via the Microsoft identity platform, with the Authorization Code flow (Microsoft docs: OAuth 2.0 and OpenID Connect protocols; Microsoft identity platform and OAuth 2.0 authorization code flow).

This authentication flow requests only the User.Read delegated permission scope from Microsoft Graph. This allows Routty to access the signed-in user’s basic profile: name, email, tenant information.


Security & privacy posture

Applications and Admin Consent

The system uses two separate Azure AD app registrations for customer onboarding:

REX Implementation Partner API

  • Purpose: For Implementation Partners

REX Tenant API

  • Purpose: For Tenants (end customers)

Required Microsoft Graph Permissions

The application requests these delegated permissions:

User.Read (Delegated)

  • Read the signed-in user's basic profile

GroupMember.Read.All (Delegated)

  • Read the user's group memberships

What Data Can the App Access?

From the customer's tenant, the app can access:

  1. User profile information (for the signed-in user only):
    - Display name, email, object ID
    - Basic profile attributes

  2. Group memberships (for the signed-in user only):
    - List of Azure AD groups the user belongs to
    - This is used to verify the user is a member of a specific group configured for that Implementation Partner or Tenant

The app CANNOT access:

  • Other users' data in the customer's tenant

  • All groups in the organization (only the signed-in user's memberships)

  • Mail, calendar, files, or other Microsoft 365 data

  • Directory data beyond basic user profile

How It's Used

The group membership check (the Me.MemberOf Microsoft Graph call) is used when Azure AD has too many groups to include directly in the token (the "overage" scenario): the token then omits the group list and the app must query Graph for the signed-in user's memberships instead. The check confirms that the user is an authorized member of the organization's configured group before access to the Routty Express platform is granted.
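The authorization decision described above, as an added example that is not Routty's own code: it checks the token's tenant against the onboarded Tenant ID, reads the configured group from the token's groups claim when present, and falls back to a Me.MemberOf lookup only in the overage case. The Tenant ID, Group Object ID, claim sets and Graph responses are constructed samples; the Graph call is injected as a function so the example runs offline.

```python
from typing import Callable, Iterable

# Constructed sample values: the Tenant ID and Group Object ID a customer shares at onboarding.
EXPECTED_TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000001"
REQUIRED_GROUP_ID = "bbbbbbbb-0000-0000-0000-000000000002"

def has_group_overage(claims: dict) -> bool:
    """True when Entra omitted the 'groups' claim because the user is in too many groups.
    Auth-code tokens signal this via _claim_names; older implicit-flow tokens set hasgroups."""
    return "groups" in claims.get("_claim_names", {}) or bool(claims.get("hasgroups"))

def is_authorized(claims: dict, fetch_member_of: Callable[[], Iterable[dict]]) -> bool:
    """Authorize the signed-in user: issued by the onboarded tenant AND member of the group.
    fetch_member_of stands in for GET /me/memberOf (delegated GroupMember.Read.All), already
    paged to completion; it is invoked only in the overage case."""
    if claims.get("tid", "").lower() != EXPECTED_TENANT_ID:
        return False  # token issued by a tenant that was never onboarded
    if not has_group_overage(claims):
        return REQUIRED_GROUP_ID in {g.lower() for g in claims.get("groups", [])}
    # Overage: no group list in the token, so ask Graph for this user's memberships.
    # /me/memberOf returns directoryObjects; keep only groups (directory roles are not groups).
    group_ids = {obj["id"].lower() for obj in fetch_member_of()
                 if obj.get("@odata.type") == "#microsoft.graph.group"}
    return REQUIRED_GROUP_ID in group_ids

# Constructed decoded claim sets (signature and issuer already validated upstream).
SMALL_TENANT_CLAIMS = {"tid": EXPECTED_TENANT_ID, "oid": "user-1",
                       "groups": [REQUIRED_GROUP_ID.upper(), "cccccccc-0000-0000-0000-000000000003"]}
OVERAGE_CLAIMS = {"tid": EXPECTED_TENANT_ID, "oid": "user-2",
                  "_claim_names": {"groups": "src1"},
                  "_claim_sources": {"src1": {"endpoint": "ENDPOINT_SET_BY_ENTRA"}}}
FOREIGN_TENANT_CLAIMS = {"tid": "dddddddd-0000-0000-0000-000000000004", "oid": "user-3",
                         "groups": [REQUIRED_GROUP_ID]}

def graph_member():  # constructed /me/memberOf response for a member of the group
    return [{"@odata.type": "#microsoft.graph.group", "id": REQUIRED_GROUP_ID},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "role-1"}]

def graph_non_member():  # constructed response for a user in other groups only
    return [{"@odata.type": "#microsoft.graph.group", "id": "cccccccc-0000-0000-0000-000000000003"}]

def no_graph_call():  # the non-overage paths must never reach Graph
    raise AssertionError("Graph called although the token already carried groups")

if __name__ == "__main__":
    print(is_authorized(SMALL_TENANT_CLAIMS, no_graph_call),    # True
          is_authorized(OVERAGE_CLAIMS, graph_member),           # True
          is_authorized(OVERAGE_CLAIMS, graph_non_member),       # False
          is_authorized(FOREIGN_TENANT_CLAIMS, no_graph_call))   # False
```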
