Onboarding a customer tenant

Before you start

You need:

• A Policytab account with role admin or higher
• Access to the customer's Entra tenant as Global Administrator or Application Administrator (to create apps and grant admin consent there)

You do not need a Policytab-wide multitenant Entra app or platform OAuth redirect. Each customer connects through a single-tenant app registration in their own Entra directory.

For a full click-by-click Entra portal walkthrough (written for non-technical operators), see Graph connection setup.

Step-by-step

1. From Customers → Add customer.
2. Enter a display name (internal label — e.g. "Contoso Ltd.") → Continue to connect.
3. On Connect, follow the in-product procedure to create the Graph access app in the customer's Entra tenant, grant admin consent, and paste Application (client) ID + client secret → Save & continue.
4. Policytab detects the customer Entra tenant id from the app credentials (optional tenant hint if auto-detect fails).
5. Complete Import & baseline → Import now. Policytab takes the first CA snapshot, seeds the co-managed baseline from live policies, runs license detection, and applies the comparison baseline you selected (imported snapshot is recommended and the default; or a workspace baseline you imported from GitHub).
6. Review the baseline-quality report — gaps between the customer's live CA and the selected comparison baseline, ranked by severity.

The tenant flips to imported and appears on the dashboard with live counts.

Navigation during setup

Until Graph is connected, the tenant nav shows Graph connection and Customer settings only (no Summary — there is no tenant data yet). Use Customer settings to delete a customer if setup was started by mistake.

What can go wrong

• graph_token_failed on Connect → Wrong secret, expired secret, or missing admin consent on the customer's Graph app. See Graph connection setup.
• graph_credentials_unavailable on import → Connect was not completed. Open Connect and save credentials.
• Import shows zero policies → The customer has no CA policies, or Policy.Read.All is missing from the Graph app registration.
• Tenant stuck pending → Connect not finished. Open the customer from the fleet list — you land on Connect.

What you DON'T need

• No platform multitenant Graph app — Policytab does not use a shared OAuth app that customers consent to across tenants.
• No platform-wide Graph secrets on Vercel — each customer stores their own app credentials in Vault via the Connect page.
• No separate Supabase user per customer — RLS scopes everything by the signed-in user's msp_id claim.

Related

• Graph connection setup - detailed Entra app registration procedure
• Entra app registration (operator)
• Credential rotation runbook