Admin Provisioning
Admin provisioning allows you to grant users from a parent tenant access to a child tenant. This is essential when setting up new tenants or managing cross-tenant access.
Admin provisioning is available from the Tenant Management page and requires the TenantManagement role.
Accessing Admin Provisioning
- Navigate to the Tenant Management page (system tenant context)
- Right-click the target tenant in the list
- Select Provisioning from the context menu
The provisioning page shows all cross-tenant user mappings for the selected tenant:
| Column | Description |
|---|---|
| User Name | The user's name in the source (parent) tenant |
| Source Tenant | The tenant the user originates from |
| Groups | Groups the user belongs to in the target tenant |
Toolbar Actions
| Button | Description |
|---|---|
| Provision Current User | Grant yourself full access to the target tenant |
| Back | Return to the tenant list |
Context Menu
| Action | Description |
|---|---|
| Delete | Remove the cross-tenant access mapping |
Provisioning the Current User
Click Provision Current User to grant yourself access to the target tenant. This:
- Creates an ExternalTenantUserMapping for your user in the target tenant
- Assigns all available roles in the target tenant
- Adds you to the TenantOwners group
After provisioning, log out and log back in to receive the updated allowed_tenants claim in your access token. You can then switch to the new tenant.
Provisioning During Tenant Creation
When creating a new tenant, you can enable automatic provisioning:
- Navigate to Tenant Management and click New Tenant
- Enter the Tenant ID and Database Name
- Check the Pre-provision admin access checkbox
- Click Save
This creates the tenant and immediately provisions your user with full access, so you can start working in the new tenant right away.
Always enable Pre-provision admin access when creating a new tenant. Without it, you will not have access to the tenant after creation and will need to provision yourself separately.
Removing Cross-Tenant Access
To revoke a user's cross-tenant access:
- Open the provisioning page for the target tenant
- Right-click the user mapping
- Select Delete and confirm
The user will lose access to the target tenant on their next token refresh.
How It Works
Admin provisioning creates an ExternalTenantUserMapping in the target tenant. This mapping links a user from the parent tenant to roles and groups in the child tenant. When the user authenticates, the Identity Service resolves the mapping and includes the target tenant in the allowed_tenants claim of the access token.
For more technical details, see the Cross-Tenant Authentication technology guide.
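An added example, not part of the product or its documentation: a Python sketch that reads an access token and reports whether a tenant is listed in `allowed_tenants` and how long the token remains valid, which shows why a deleted mapping only takes effect at the next token refresh. It assumes the access token is a compact JWT with the standard `exp` claim and that `allowed_tenants` is a JSON array (or a single string); the helper names, sample tokens and tenant IDs are constructed for illustration.

```python
import base64
import json
import time


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWT: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def allowed_tenants(claims: dict) -> set:
    """Assumption: claim is a JSON array, or a bare string for a single tenant."""
    value = claims.get("allowed_tenants") or []
    return {value} if isinstance(value, str) else {str(t) for t in value}


def tenant_access(token: str, tenant_id: str, now=None) -> dict:
    """Report whether the token lists tenant_id and how long it remains valid."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    seconds_left = max(0, int(claims.get("exp", 0) - now))
    listed = tenant_id in allowed_tenants(claims)
    return {"listed": listed, "seconds_left": seconds_left,
            "usable": listed and seconds_left > 0}


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder"


if __name__ == "__main__":
    # Constructed: issued before the mapping to "child-a" was deleted.
    stale = make_sample_token({"sub": "alice", "exp": 2000,
                               "allowed_tenants": ["parent", "child-a"]})
    # Constructed: issued after the next token refresh.
    fresh = make_sample_token({"sub": "alice", "exp": 5600,
                               "allowed_tenants": ["parent"]})
    print("stale:", tenant_access(stale, "child-a", now=1400))
    print("fresh:", tenant_access(fresh, "child-a", now=2000))
```

Because the payload is only decoded, use this for auditing tokens you already trust; an authorization decision needs the signature validated against the Identity Service's keys first.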