Onboarding your tenant in Routty

Access to Routty is securely managed through your organization’s Microsoft Entra ID (formerly Azure Active Directory). The onboarding flow uses Microsoft’s standard enterprise app model, consent, and OAuth 2.0/OpenID Connect for sign-in.

Prerequisites

• Tenant ID (Directory ID) — the GUID of your Microsoft Entra tenant.

  • Where to find it: Entra admin center → Entra ID → Overview/Properties → Tenant ID. How to find your tenant ID

• Group Object ID (optional) — the object ID of the security group that will control access to Routty.

  • Where to find it: Entra admin center → Entra ID → Groups → select your group → Object ID. How to manage groups

• Admin role to complete onboarding — a Cloud Application Administrator (or Application/Privileged Role Admin) should open the consent link and manage assignments. Assign Microsoft Entra roles

License note (if using group assignment) — group-based assignment to apps requires Microsoft Entra ID P1/P2. Use a group to manage access to SaaS apps

Onboarding steps (5–10 minutes)

1. Share your IDs with Routty
   Provide your Tenant ID and Group Object ID (see prerequisites).

2. Open the secure admin consent link
   Your admin follows the consent URL we (or your implementation partner) provide. This performs tenant-wide admin consent and provisions Routty as an Enterprise application (service principal) in your tenant.

3. Assign users or groups
   Enterprise apps → Routty → Users and groups → Add user/group → select your security group (or individual users).

4. Verify sign-in
   Users in the assigned group can now sign in to Routty using Microsoft Entra authentication (the Microsoft login page).

This is what the admin consent URL should look like. Do not trust a link in another format

https://admin-express.routty.io/api/onboarding/tenant/admin-consent-api?invitationId=xxxxx-xxxxx-xxxxx-xxxxx-xxxxx&activeDirectoryId=xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

Technical details

Enterprise application (service principal)

When your admin grants consent, Microsoft creates a service principal for Routty in your tenant (visible under Enterprise applications). This is the identity object you assign users/groups to, and where you enforce “assignment required”. Apps & service principals in Microsoft Entra ID

Protocols & flows

Routty uses OAuth 2.0 and OpenID Connect (OIDC) via the Microsoft identity platform, with the Authorization Code flow. OAuth 2.0 and OpenID Connect protocols Microsoft identity platform and OAuth 2.0 authorization code flow

This authentication flow requests only the User.Read delegated permission scope from Microsoft Graph. This allows Routty to access the signed-in user’s basic profile: name, email, tenant information.

Security & privacy posture

• Least-privilege: Routty requests only the minimal scopes/claims necessary (for example, basic user profile and group membership if you enable groups). Tokens come from Microsoft; Routty never sees your password. Tokens and claims overview

• Transport security: All flows occur over HTTPS; tokens are signed and are validated by Routty before use. ID tokens in the Microsoft identity platform

• Admin control & revocation:

  • Remove a user from the assigned group or unassign the group to revoke access for those members. Manage users and groups assignment to an application

  • To block everyone, set Enabled for user sign-in? = No on the Enterprise app. Disable user sign-in for application