Access Control

Invite team members, assign organisation and per-tenant roles, configure Entra ID single sign-on, and enforce multi-factor authentication.

Cirrova has a simple access model: two organisation-level roles, plus a per-tenant role that controls what an individual member can see and do inside each connected Azure tenant. Add Entra ID SSO and enforced MFA on top and you have the controls expected of a FinOps tool handling sensitive cost data.

Organisation roles

Every member of a Cirrova organisation has one of two roles.

  • Organisation owner — full access to all organisation settings, every tenant, and every member. Owners can invite, remove, and edit other members; add and delete tenants; configure SSO; and change billing and licence settings.
  • Member — the default. Members see only the tenants they've been explicitly granted access to, and their actions inside each tenant are governed by the tenant role below.

An organisation always has at least one owner. You can't remove the owner role from the last owner — promote someone else first.

Tenant access

Non-owner members need to be granted access to each tenant individually. Four levels are available per tenant:

  • No access — the tenant is hidden from this user. Default for newly added members.
  • Viewer — read-only across all data for the tenant. Can run reports, view dashboards, and see anomalies, but can't change anything.
  • Editor — Viewer plus the ability to manage data that lives inside the tenant: budgets, cost centre mappings, acknowledging anomalies, and so on.
  • Admin — Editor plus tenant-level configuration: anomaly sensitivity, cost-centre tag, resource expiry tag, and the tenant budget. Tenant admins can also manage tenant access for other users, and add/remove members where organisation policy permits. Alerting channels and rules are organisation-wide and managed only by an organisation owner — see Alerting → Permissions.

Organisation owners implicitly have Admin on every tenant and the per-tenant role controls are hidden for them.

A few cross-tenant actions require Admin on every tenant attached to the organisation, not just one. The current example is managing Tag Collection budgets, which by definition can pull spend from any tenant. Owners qualify automatically; non-owners need full coverage.
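The model above resolves to a small amount of authorisation logic: owner implies Admin everywhere, a member gets only explicit grants, cross-tenant actions need Admin on every tenant, and the last owner can neither be demoted nor removed. The following Python is an added illustration of that logic, not Cirrova's own code; the class and function names, and the sample organisation it builds, are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class TenantRole(IntEnum):
    """Per-tenant levels, ordered so that a higher level implies every lower one."""
    NO_ACCESS = 0
    VIEWER = 1
    EDITOR = 2
    ADMIN = 3


@dataclass
class Member:
    email: str
    is_owner: bool = False
    disabled: bool = False
    # Explicit per-tenant grants. A tenant missing from this map is NO_ACCESS,
    # which is the default for newly added members.
    tenant_roles: dict[str, TenantRole] = field(default_factory=dict)


@dataclass
class Organisation:
    tenants: set[str]
    members: dict[str, Member]


def effective_role(org: Organisation, member: Member, tenant_id: str) -> TenantRole:
    """Owners implicitly hold Admin on every tenant; everyone else gets only what was
    explicitly granted. A disabled account cannot act anywhere, whatever its role."""
    if member.disabled or tenant_id not in org.tenants:
        return TenantRole.NO_ACCESS
    if member.is_owner:
        return TenantRole.ADMIN
    return member.tenant_roles.get(tenant_id, TenantRole.NO_ACCESS)


def can(org: Organisation, member: Member, tenant_id: str, required: TenantRole) -> bool:
    """Single authorisation check for every tenant-scoped action."""
    return effective_role(org, member, tenant_id) >= required


def visible_tenants(org: Organisation, member: Member) -> set[str]:
    """Tenants that appear in the UI for this member (Viewer or better)."""
    return {t for t in org.tenants if can(org, member, t, TenantRole.VIEWER)}


def can_manage_cross_tenant(org: Organisation, member: Member) -> bool:
    """Cross-tenant actions (e.g. Tag Collection budgets) need Admin on *every* tenant."""
    if member.disabled:
        return False
    if member.is_owner:
        return True
    return bool(org.tenants) and all(
        effective_role(org, member, t) == TenantRole.ADMIN for t in org.tenants
    )


def set_owner(org: Organisation, email: str, make_owner: bool) -> None:
    """Toggle the Organisation owner flag, refusing to demote the last owner."""
    member = org.members[email]
    if member.is_owner and not make_owner:
        if not any(m.is_owner for m in org.members.values() if m.email != email):
            raise PermissionError("last owner: promote someone else first")
    member.is_owner = make_owner


def remove_member(org: Organisation, actor: Member, target_email: str) -> None:
    """Never yourself, never the last remaining owner. Whether the actor is entitled
    to remove members at all (owner, or tenant admin where policy permits) is
    checked by the caller in this example."""
    if target_email == actor.email:
        raise PermissionError("cannot remove yourself; promote another owner first")
    target = org.members[target_email]
    if target.is_owner and sum(m.is_owner for m in org.members.values()) == 1:
        raise PermissionError("cannot remove the last remaining owner")
    del org.members[target_email]


def build_sample_org() -> Organisation:
    """Constructed sample data for the example (not real tenants or people)."""
    members = {
        "alice@example.com": Member("alice@example.com", is_owner=True),
        "bob@example.com": Member("bob@example.com",
                                  tenant_roles={"tenant-prod": TenantRole.EDITOR}),
        "carol@example.com": Member("carol@example.com",
                                    tenant_roles={"tenant-prod": TenantRole.ADMIN,
                                                  "tenant-dev": TenantRole.ADMIN}),
        "dave@example.com": Member("dave@example.com"),
    }
    return Organisation(tenants={"tenant-prod", "tenant-dev"}, members=members)
```

Note that demoting an owner simply stops `effective_role` short-circuiting to Admin, so the member falls back to whatever explicit grants they hold (possibly none), which is exactly the behaviour described for demotion in the member dialog.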

Inviting a user

Go to Organisation Settings → Users and click Add user. You'll provide:

  • Email — if the address already belongs to a Cirrova user, they're simply added to this organisation. Otherwise Cirrova creates a new account.
  • Display name — how the user will appear in the members list and in alert emails.
  • SSO-only account — tick this to prevent the user ever signing in with a password. They can only sign in via Entra ID SSO.

New password-based accounts receive a secure temporary password by email. The user is required to change it on first sign-in.

Invited users appear under Pending invitations until they sign in for the first time. From there you can Resend invitation (re-sends the welcome email) or Revoke invitation (removes them from the organisation).

If email delivery isn't configured on the Cirrova deployment, the temporary password is shown in the UI when you add the user and must be communicated out-of-band.

Editing a member

Use the menu on any member row and choose Edit. The member dialog lets you:

  • Change the display name.
  • Disable the account. A disabled account cannot sign in via any method. Use this to immediately block access without losing the member's history (acknowledged anomalies, owned budgets, etc.).
  • Reset password. Generates a new temporary password. The user is required to set their own on next login. The new password is emailed to them (if email is configured) and always displayed to the admin performing the reset. Not shown for SSO-only accounts.
  • Change the role. Toggle Organisation owner to promote or demote. When an owner is demoted, they revert to the tenant access explicitly assigned below.
  • Configure tenant access. For each tenant in the organisation, pick No access, Viewer, Editor, or Admin. Owners have implicit access to everything and the per-tenant controls are disabled.

Removing a member

Use the menu on the member row and choose Remove. The user is removed from this organisation but — if they exist in other Cirrova organisations — their account is not deleted. Data they created (budgets they own, anomalies they acknowledged) remains attributed to them and is preserved.

Organisation owners can remove anyone except themselves, and never the last remaining owner. If you need to remove yourself, promote another member to owner first.

Entra ID single sign-on

Configure SSO at Organisation Settings → Single sign-on. Cirrova is registered in Microsoft Entra as a shared multi-tenant application, so you don't create an app registration of your own — you just tell Cirrova which Entra tenant your members belong to.

Setting up SSO

  1. Find your Tenant ID (also called the Directory ID) in the Microsoft Entra admin centre under Identity → Overview, or in the Azure Portal under Microsoft Entra ID → Overview.
  2. Paste the Tenant ID into the form and click Save. Cirrova uses the value to verify that signing-in users belong to your Entra tenant — anyone presenting a token from a different Entra tenant is rejected.
  3. If your tenant restricts user consent to third-party applications, an Entra Global Administrator must pre-authorise Cirrova first. Cirrova generates an Admin consent URL from your Tenant ID — open it as a Global Administrator to grant consent in one click.
  4. Invite members under Organisation Settings → Users using their Microsoft email addresses. They'll see a Sign in with Microsoft option on the Cirrova login page.
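Step 2 is the security-relevant one: with a shared multi-tenant app registration, any Entra tenant can mint a valid token for the application, so the relying party has to bind sign-ins to the configured Tenant ID itself. The Python below is an added example of that check (it is not Cirrova's code). It assumes the OIDC library has already verified the token's signature, audience and expiry and handed back the claims; the `tid` and `iss` claim names and the `https://login.microsoftonline.com/{tid}/v2.0` issuer format are Entra's, while the tenant GUIDs, client ID and redirect URI are constructed placeholders.

```python
from __future__ import annotations

import re
from urllib.parse import urlencode

# Entra ID v2.0 issuer: the tenant in the path must agree with the token's tid claim.
ENTRA_V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Placeholder for the application's own client ID (not a real registration).
CLIENT_ID_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"


def normalise_tenant_id(value: str) -> str | None:
    """Accept a Tenant ID as pasted from the Entra admin centre; anything that is
    not a GUID is rejected rather than stored, so a typo cannot silently match nothing."""
    v = value.strip().lower()
    return v if _GUID.match(v) else None


def token_belongs_to_tenant(claims: dict, configured_tenant_id: str) -> bool:
    """Tenant-binding check layered on top of normal OIDC validation.

    A token from any other Entra tenant is rejected even though it was issued
    for the same (shared) application and carries a valid signature.
    """
    expected = normalise_tenant_id(configured_tenant_id)
    tid = claims.get("tid")
    if expected is None or not isinstance(tid, str) or tid.lower() != expected:
        return False
    # iss and tid must name the same tenant; a mismatch is rejected even when tid matches.
    return claims.get("iss") == ENTRA_V2_ISSUER.format(tid=expected)


def admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str) -> str:
    """Admin consent link for step 3, generated from the configured Tenant ID.
    Opened by a Global Administrator of that tenant to pre-authorise the app."""
    tid = normalise_tenant_id(tenant_id)
    if tid is None:
        raise ValueError("tenant_id must be a GUID")
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{tid}/adminconsent?{query}"


# Constructed sample data: a configured tenant and three sets of token claims.
CONFIGURED_TENANT = "11111111-2222-3333-4444-555555555555"
FOREIGN_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

CLAIMS_OK = {
    "tid": CONFIGURED_TENANT.upper(),  # GUID case differs; comparison is case-insensitive
    "iss": ENTRA_V2_ISSUER.format(tid=CONFIGURED_TENANT),
    "preferred_username": "user@example.com",
}
CLAIMS_FOREIGN = {
    "tid": FOREIGN_TENANT,
    "iss": ENTRA_V2_ISSUER.format(tid=FOREIGN_TENANT),
    "preferred_username": "user@example.net",
}
CLAIMS_ISS_MISMATCH = {
    "tid": CONFIGURED_TENANT,
    "iss": ENTRA_V2_ISSUER.format(tid=FOREIGN_TENANT),
}
```

A member from a different Entra tenant (the MSP case described under the section on editing or removing SSO) is not let through this check; they sign in against their own tenant's configuration and reach this organisation through the org switcher instead.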

Account types

SSO and password-based sign-in coexist: an organisation can have a mix of regular accounts, SSO-capable accounts, and SSO-only accounts. Flip an individual member to SSO-only by ticking the option when adding them, or leave it unticked so they can use either method.

Editing or removing SSO

Use Edit configuration to change the Tenant ID, or Remove to disable Entra ID sign-in for the organisation. Removing SSO doesn't delete member accounts — it just removes the sign-in option. SSO-only accounts will need a password reset (or to be flipped back to regular) before they can sign in again.

An organisation has a single configured Entra tenant — that's the tenant Cirrova authenticates direct SSO sign-ins against. Cross-tenant members are supported, though: a user from a different Entra tenant can be invited as a member, and they'll authenticate via their own tenant's SSO and then reach this organisation through the org switcher. That's how MSP staff manage multiple client organisations from a single identity — see MSP staff: one identity across clients.

Enforcing multi-factor authentication

The Authentication policy card on the Users page has a toggle for Enforce two-factor authentication. When enabled, every local (non-SSO) member who has previously logged in must configure an authenticator app on their next sign-in.

First-time sign-ins are exempt until the user has changed their initial temporary password — this avoids a lock-out where a new invitee can't log in to set up MFA because they haven't changed the password yet. SSO-only members are also unaffected, since MFA is enforced by Entra ID rather than Cirrova for those accounts.

MFA is an organisation-owner-only setting.
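The ordering of the exemptions above matters: the temporary-password change has to come before the MFA enrolment step, or a new invitee is locked out, and SSO-only accounts never reach the password path at all. The following Python is an added example of that sign-in decision after a correct password has been supplied; it is not Cirrova's code, and the account fields, step names and the choice to challenge an already-enrolled user even when enforcement is off are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class SignInStep(Enum):
    DENY_DISABLED = "deny: account disabled"
    DENY_SSO_ONLY = "deny: password sign-in not permitted for SSO-only account"
    CHANGE_TEMP_PASSWORD = "must change temporary password"
    ENROL_MFA = "must configure an authenticator app"
    MFA_CHALLENGE = "enter authenticator code"
    CONTINUE = "continue"


@dataclass
class LocalAccount:
    """Constructed fields for the example; names are assumptions, not Cirrova's schema."""
    disabled: bool = False
    sso_only: bool = False
    must_change_password: bool = True   # set for new invitees and after Reset password
    mfa_enrolled: bool = False


def next_step_after_password(account: LocalAccount, enforce_mfa: bool) -> SignInStep:
    """Decide what happens once a correct password has been entered.

    Order of checks reproduces the exemptions in the text: a disabled account
    never gets in, an SSO-only account never uses a password, and a user still
    on a temporary password is sent to change it before MFA enrolment is demanded.
    """
    if account.disabled:
        return SignInStep.DENY_DISABLED
    if account.sso_only:
        return SignInStep.DENY_SSO_ONLY
    if account.must_change_password:
        # Exempt from the MFA policy until the initial password is changed.
        return SignInStep.CHANGE_TEMP_PASSWORD
    if account.mfa_enrolled:
        # Assumption: an enrolled authenticator is always challenged, policy or not.
        return SignInStep.MFA_CHALLENGE
    if enforce_mfa:
        return SignInStep.ENROL_MFA
    return SignInStep.CONTINUE
```

When the policy toggle is switched on, every existing local member therefore hits `ENROL_MFA` on their next sign-in, while a freshly invited user goes through `CHANGE_TEMP_PASSWORD` first and only then enrols.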

Audit logging

All access-control changes — invitations, removals, role changes, tenant access grants, SSO configuration, MFA policy — are recorded in the Activity log under Organisation Settings. Each entry includes the actor, the target, the change made, and a timestamp. Use the log for security reviews and to answer "who did that?" after the fact.