Manage Varhugi roles from Azure groups

Map your existing Azure groups directly to Varhugi roles. Instead of clicking around in Varhugi to promote a colleague to admin or manager, you assign Azure groups to Varhugi roles once in Enterprise Applications, and each member's role updates automatically every time they sign in.

Who is this for?

Company administrators who already use Microsoft 365 (Entra ID) and want role assignment to live in the Azure portal rather than in Varhugi's admin UI.

Prerequisites

  • Your company has a Microsoft 365 / Entra ID tenant.
  • An admin in your tenant has already approved Varhugi (via the admin-consent URL we sent).
  • You have Cloud Application Administrator, Application Administrator, or Global Administrator in Azure.

1. Create the Azure groups

In the Azure portal (entra.microsoft.com) create the groups you want to use for assigning Varhugi roles.

  1. Open Microsoft Entra admin center → Groups → All groups → New group.
  2. Pick "Security" as the group type. Names don't matter to Varhugi; typical conventions are "Varhugi Admins", "Varhugi Sales Managers", "Varhugi All Staff".
  3. Add the initial members.
  4. Repeat for the other two roles (Manager and Learner).

You don't have to use three groups — one is fine — but it's tidy to have at least one per role type.

2. Add Varhugi App Roles to the Entra app

This requires a single manifest snippet pasted into the Varhugi app registration in Azure. The Varhugi team does this once for every customer — you don't have to do anything here.

{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User",
        "Group"
      ],
      "description": "Full administrator rights in Varhugi",
      "displayName": "Admin",
      "id": "REPLACE-WITH-GENERATED-GUID-1",
      "isEnabled": true,
      "value": "Admin"
    },
    {
      "allowedMemberTypes": [
        "User",
        "Group"
      ],
      "description": "Manage a single department in Varhugi",
      "displayName": "Manager",
      "id": "REPLACE-WITH-GENERATED-GUID-2",
      "isEnabled": true,
      "value": "Manager"
    },
    {
      "allowedMemberTypes": [
        "User",
        "Group"
      ],
      "description": "Standard learner in Varhugi",
      "displayName": "Learner",
      "id": "REPLACE-WITH-GENERATED-GUID-3",
      "isEnabled": true,
      "value": "Learner"
    }
  ]
}

Note: as a Varhugi customer, you don't need to do anything in this step. It's shown for transparency. The Varhugi team has already published these roles on the app.

3. Map your Azure groups to Varhugi roles

This is the part you do: link the groups you created in step 1 to "Admin", "Manager", or "Learner" in the Varhugi enterprise app.

  1. In the Entra admin center, open Enterprise applications → Varhugi (it appears automatically after admin consent).
  2. Users and groups → Add user/group.
  3. Pick a group (e.g. "Varhugi Admins") and assign the role "Admin". Click Assign.
  4. Repeat for the other groups with their corresponding role.

4. Verify

Ask one member of each group to sign in to Varhugi with their Microsoft account (or sign out and back in yourself to pick up your new role). Varhugi reads the role from the token and updates automatically.

If the Varhugi role changes when you move a user between Azure groups, the link is working.

Limitations

  • This only works for users who sign in via Microsoft SSO. Users who sign in via magic link keep whatever role was set in Varhugi (no automatic role assignment).
  • When you remove a user from an Azure group, the change takes effect on their next Varhugi sign-in, not immediately.
  • If you fully remove a user from your Azure tenant, they still need to be removed manually from Varhugi (SCIM-style automatic de-provisioning is on the next milestone).

Troubleshooting

The role doesn't update after I change the Azure group

Check that the user is actually assigned a role in Enterprise Applications → Varhugi → Users and groups. Only direct assignments on the Varhugi app count — Azure groups that aren't linked to Varhugi specifically have no effect.

The user gets the wrong role

If a user is in multiple groups that are all mapped to Varhugi (e.g. both Admin and Learner), Varhugi takes the highest-precedence role: Admin > Manager > Learner.
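
To find such overlaps before a user reports them, the sketch below expands a set of app role assignments into each user's role set and applies the Admin > Manager > Learner precedence. It is an added example, not Varhugi's code: the group ids, user ids and membership data are constructed, the role ids are the manifest placeholders from step 2, and the records only mirror the principalType, principalId and appRoleId fields of a Microsoft Graph appRoleAssignment.

```python
# Added example: all ids, names and records below are constructed.
PRECEDENCE = ["Admin", "Manager", "Learner"]  # highest first, per the guide
# appRoles id -> value; ids are the guide's placeholders, not real GUIDs.
APP_ROLES = {f"REPLACE-WITH-GENERATED-GUID-{n}": v for n, v in enumerate(PRECEDENCE, 1)}

def _assign(ptype, pid, n):  # record shaped like a Graph appRoleAssignment
    return {"principalType": ptype, "principalId": pid,
            "appRoleId": f"REPLACE-WITH-GENERATED-GUID-{n}"}

ASSIGNMENTS = [
    _assign("Group", "g-admins", 1),
    _assign("Group", "g-managers", 2),
    _assign("Group", "g-staff", 3),
    _assign("User", "u-dana", 2),   # allowedMemberTypes also permits "User"
]
# Direct members only; nested groups are not expanded in this sketch.
GROUP_MEMBERS = {
    "g-admins": {"u-alex"},
    "g-managers": {"u-alex", "u-bo"},
    "g-staff": {"u-alex", "u-bo", "u-chris"},
}

def roles_per_user(assignments, group_members, app_roles):
    """Expand group and user assignments into {user: set of role values}."""
    roles = {}
    for a in assignments:
        role = app_roles.get(a["appRoleId"])
        if role is None:
            continue  # assignment to a role id the manifest does not define
        if a["principalType"] == "Group":
            users = group_members.get(a["principalId"], set())
        else:
            users = {a["principalId"]}
        for user in users:
            roles.setdefault(user, set()).add(role)
    return roles

def effective_role(roles):
    """Highest-precedence role held, or None if no Varhugi role is assigned."""
    return next((r for r in PRECEDENCE if r in roles), None)

def audit(assignments=ASSIGNMENTS, members=GROUP_MEMBERS, app_roles=APP_ROLES):
    """Return {user: (effective role, all assigned roles)}."""
    per_user = roles_per_user(assignments, members, app_roles)
    return {u: (effective_role(r), sorted(r)) for u, r in per_user.items()}

def overlapping(report):
    """Users holding more than one role: candidates for a 'wrong role' ticket."""
    return sorted(u for u, (_, held) in report.items() if len(held) > 1)
```

Users returned by `overlapping` are the ones whose effective role is decided by precedence rather than by a single assignment, so they are the first to review when a role looks wrong.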

The change didn't take effect right away

Azure needs a few minutes to refresh the group membership in the token. Ask the user to sign out and back in after 5 minutes. If it still isn't working, check Sign-in logs in Azure to confirm the new role is in the token.