
Setting up Varhugi at your company

This guide is for the IT administrator at a company adopting Varhugi. It walks through everything you need to do, in order, with the exact clicks in the Azure portal where applicable. Expected time: 10 minutes.

Who does what

Four roles come into play during Varhugi setup. You might be in one or more of them.

  • Workspace admin: The person who creates the Varhugi workspace and owns the curriculum. Usually someone from security, HR, or operations. They sign up first at varhugi.is/is/nyskra.
  • IT admin (you): The person with administrator rights in Microsoft Entra ID at the company. You get a request to approve Varhugi in the tenant, and can optionally map Azure groups to Varhugi roles and allowlist email.
  • Department manager: Manages one department (sales, engineering, etc.) inside Varhugi after setup is done. Doesn't need any Azure rights.
  • Employee: Everyone else. They sign in with Microsoft, Google, or magic link and take the courses. Nothing for you to set up on their behalf.

1. The workspace admin creates the workspace

This happens before you get involved. If nobody has created the workspace yet, someone from management or security needs to do it first.

  1. Goes to varhugi.is/is/nyskra.
  2. Signs in with Microsoft, Google, or a magic link.
  3. Enters the company name and ID number (kennitala). They become the first admin in the workspace.

If Microsoft sign-in fails with an "admin approval required" message, you've reached step 2 of this guide.

2. Approve Varhugi in Entra (IT admin)

You'll receive (or have received) a link from the workspace admin starting with https://login.microsoftonline.com/.../adminconsent?client_id=... This is the admin-consent URL that grants Varhugi permission to handle Microsoft sign-in for your tenant. You don't need to navigate through Enterprise Applications or search for Varhugi — the link takes you straight to the right consent screen.
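
A way to sanity-check the link before opening it, given as an added example rather than Varhugi's own code. The client ID is a placeholder to replace with the value the workspace admin confirms over a separate channel; the varhugi.is redirect domain is taken from the landing page this guide names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Placeholder, NOT Varhugi's real application (client) ID: replace it with the
# value the workspace admin confirms over a separate channel.
EXPECTED_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CONSENT_HOST = "login.microsoftonline.com"
REDIRECT_DOMAIN = "varhugi.is"  # the guide's landing page lives on this domain
# /{tenant}/adminconsent or /{tenant}/v2.0/adminconsent
PATH_RE = re.compile(r"^/[A-Za-z0-9.-]+/(v2\.0/)?adminconsent$")


def check_consent_url(url, expected_client_id=EXPECTED_CLIENT_ID):
    """Return a list of problems; an empty list means the link looks right."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Compare the parsed hostname exactly. Substring checks would accept
    # login.microsoftonline.com.example.net or a user@host style URL.
    if parts.hostname != CONSENT_HOST or parts.username:
        problems.append(f"host is {parts.hostname!r}, not {CONSENT_HOST}")
    if not PATH_RE.match(parts.path):
        problems.append(f"unexpected path {parts.path!r}")
    query = parse_qs(parts.query)
    client_ids = query.get("client_id", [])
    if len(client_ids) != 1:
        problems.append("client_id missing or repeated")
    elif client_ids[0].lower() != expected_client_id.lower():
        problems.append("client_id differs from the confirmed value")
    # redirect_uri is optional; when present it must stay on varhugi.is.
    for redirect in query.get("redirect_uri", []):
        target = urlsplit(redirect)
        host = target.hostname or ""
        on_domain = host == REDIRECT_DOMAIN or host.endswith("." + REDIRECT_DOMAIN)
        if target.scheme != "https" or not on_domain:
            problems.append(f"redirect_uri points to {host!r}")
    return problems
```

An empty result only means the link has the expected shape; the publisher and permission list on the consent screen remain the thing to read before clicking Accept.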

What you're approving

  • openid, profile, email — standard OpenID Connect claims
  • User.Read — Microsoft Graph permission to read the user's basic profile (name, email)
  • Nothing else
  • Varhugi cannot read mail, files, calendars, groups, chats, or any other content in your tenant.

How to approve

  1. Open the admin-consent URL in a browser where you're signed in as Global Admin or Application Administrator.
  2. A consent screen appears, listing the permissions above and the publisher (Varhugi ehf.).
  3. Click Accept.
  4. You'll land on varhugi.is/is/sso-samthykki with confirmation: "Thank you — consent granted."

If you get "You don't have permission to grant consent", you need the Global Admin, Privileged Role Admin, Cloud Application Admin, or Application Admin role. Others (e.g. User Administrator) can't grant tenant-wide consent.

Email back to the workspace admin (optional)

If you approved and want to let the person who asked know, here's a template you can paste into a reply.

Hi,

I've approved Varhugi in our Entra tenant. Users with @[company].com email can now sign in at varhugi.is using Microsoft SSO without any further action from me.

The permissions I approved were basic profile only (name, email) — no access to mail, files, or any other content.

Let me know if anyone has trouble signing in.

Best,
[Your name]

Copy and paste — no special permissions needed.

3. Verify it works

After approving, a single test sign-in confirms everything is wired up.

  1. Open varhugi.is/is/innskra in an incognito window.
  2. Click "Sign in with Microsoft" and use your own company account.
  3. You should land on /namskeid directly — no consent screen, no error.

If that worked, anyone in the company with an @[company].com email has Varhugi access now. You can move on to other things.
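
To confirm that what the tenant recorded matches the four permissions listed under "What you're approving", the audit below compares Microsoft Graph grant records against that list. It is an added example, not Varhugi's code; the sample records and their IDs are constructed, and in practice you would pass in the JSON returned for Varhugi's service principal.

```python
# The four permissions this guide lists under "What you're approving".
EXPECTED_SCOPES = {"openid", "profile", "email", "User.Read"}

# Constructed sample records (all IDs made up) in the shape Microsoft Graph returns:
#   GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '<service principal id>'
#   GET /v1.0/servicePrincipals/<service principal id>/appRoleAssignments
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-varhugi", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-msgraph",
     "scope": " openid profile email User.Read"},
    {"id": "grant-2", "clientId": "sp-varhugi", "consentType": "Principal",
     "principalId": "user-42", "resourceId": "sp-msgraph",
     "scope": "Mail.Read offline_access"},
]
SAMPLE_APP_ROLE_ASSIGNMENTS = []  # application permissions; none are expected


def audit_grants(grants, app_role_assignments, expected=EXPECTED_SCOPES):
    """Compare what the tenant actually granted with the expected scope set."""
    findings = []
    tenant_wide = set()
    for grant in grants:
        # "scope" is one space-separated string and may start with a space.
        scopes = set((grant.get("scope") or "").split())
        if grant.get("consentType") == "AllPrincipals":
            who = "tenant-wide"
            tenant_wide |= scopes
        else:
            who = f"user {grant.get('principalId')}"
        extra = sorted(scopes - expected)
        if extra:
            findings.append(f"{who}: unexpected delegated scopes {extra}")
    # A gap here means users would still be shown a consent prompt.
    missing = sorted(expected - tenant_wide)
    if missing:
        findings.append(f"tenant-wide consent lacks {missing}")
    # Any app role assignment is an application permission, outside the list.
    for item in app_role_assignments:
        findings.append(f"application permission {item.get('appRoleId')} "
                        f"on {item.get('resourceDisplayName')}")
    return findings
```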

Optional — further configuration

These steps aren't required for basic functionality, but improve the experience in specific situations.

Manage Varhugi roles via Azure groups

Map your existing Azure groups to Varhugi roles (Admin, Manager, Learner). Instead of clicking around in Varhugi to promote a user, role assignment follows automatically when someone moves between Azure groups. Detailed guide at /leidbeiningar/azure-rolur.

Allowlist Varhugi mail

Varhugi sends sign-in mail from noreply@varhugi.is and reminders from the same address, via Resend. If you run strict spam filtering, add varhugi.is to your allowlist so the messages don't end up in junk. SPF, DKIM, and DMARC are correctly set on our side.

"Unverified publisher" warning

If the consent screen shows "This app is unverified" in yellow, it's because Varhugi hasn't completed Microsoft Publisher Verification yet (in progress). Approving is still safe, but if your tenant policy requires verified publishers only, contact info@varhugi.is before proceeding.

Troubleshooting

"You don't have permission to grant consent"

You need Global Admin, Privileged Role Admin, Cloud Application Admin, or Application Admin role in Entra. Other roles can't grant tenant-wide consent. Contact whoever has these rights in your tenant.

Consent screen says "Unverified publisher"

Varhugi is not yet a Microsoft-verified publisher. The security posture is the same — only the basic profile permissions you saw — but if your internal policy blocks unverified apps, reach out first.

User gets the wrong role after signing in

If you're using Azure App Role assignment (see the optional step above), this might be because the user is in multiple groups mapped to Varhugi. Varhugi picks the highest role: Admin > Manager > Learner. Check the membership in Entra → Enterprise applications → Varhugi → Users and groups.

Sign-in mail doesn't arrive

Check whether noreply@varhugi.is is being filtered by spam rules. Varhugi has correct SPF, DKIM, and DMARC via Resend, so legitimate mail shouldn't be caught. If it's systematic, allowlist all mail from varhugi.is.

Once this is done

The workspace admin's next step is to enrol colleagues — either via automatic enrolment (anyone signing in with Microsoft gets in automatically), a self-signup link they can post in Teams, or by inviting specific email addresses directly.
