Workspace Onboarding and Access Model
This page explains the onboarding access logic for tenant workspaces.
Short version
- The very first workspace creation in a tenant has a bootstrap exception.
- After a workspace exists, users should be assigned `TenantAdmin` or `TenantOperator` in the Enterprise Application.
First workspace bootstrap (no app role required)
For first-time workspace creation, the API allows onboarding without TenantAdmin/TenantOperator only when:
- the workspace does not already exist, and
- the signed-in user is onboarding their own tenant (token tenant must match requested tenant).
This is intentional so the first admin can establish the workspace even before role assignments are set up.
Why admin consent is still required
The bootstrap exception is only about app-role checks. The onboarding flow still requires verified admin consent before first workspace creation can complete.
If consent cannot be verified yet, first-time create is blocked and the user must retry after consent propagation.
After first workspace exists (steady state)
Once the tenant workspace exists, onboarding and normal management are role-gated:
- `TenantAdmin` or `TenantOperator` is required for workspace onboarding/management paths.
- Role assignments come from Entra Enterprise Application assignments in the customer tenant.
In practice, this means additional users should be granted TenantAdmin or TenantOperator on the Enterprise Application.
Access visibility in bootstrap responses
Workspace visibility is tenant-scoped and access-checked. A user can see/access a workspace if:
- they are in the same Entra tenant, and
- they have `TenantAdmin`/`TenantOperator`, or
- they are the workspace creator, or
- their email is present in the workspace allowed-operator list.
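The two decisions described above (the first-workspace bootstrap path with its consent requirement, the role-gated steady state, and the tenant-scoped visibility check) as a single worked example. This is added illustration code, not Tenantry's own implementation: the `Principal` and `Workspace` types, the function names and the `(allowed, reason)` return shape are assumptions, the caller's roles are assumed to come from the validated token's app-role claim, and applying the token-tenant/requested-tenant match to the steady-state create path as well as the bootstrap path is an assumption consistent with the page's tenant scoping.

```python
from dataclasses import dataclass

# Roles that gate onboarding/management once a workspace exists.
ONBOARDING_ROLES = frozenset({"TenantAdmin", "TenantOperator"})


@dataclass(frozen=True)
class Principal:
    """Signed-in caller as seen by the API (assumed shape). Fields are assumed
    to come from the validated token: tenant id, user id, email, and the app
    roles assigned through the Enterprise Application."""
    tenant_id: str
    user_id: str
    email: str
    app_roles: frozenset = frozenset()


@dataclass(frozen=True)
class Workspace:
    """Tenant workspace record (assumed shape); allowed_operators holds the
    allowed-operator email list."""
    tenant_id: str
    creator_id: str
    allowed_operators: frozenset = frozenset()


def has_onboarding_role(principal: Principal) -> bool:
    """True if the caller holds TenantAdmin or TenantOperator."""
    return bool(principal.app_roles & ONBOARDING_ROLES)


def authorize_workspace_create(principal, requested_tenant, workspaces, consent_verified):
    """Decide whether `principal` may create the workspace for `requested_tenant`.

    workspaces:       mapping tenant_id -> Workspace for workspaces that exist
    consent_verified: set of tenant_ids whose admin consent has been verified
    Returns (allowed, reason) so the reason can be logged or returned to the user.
    """
    # Tenant scoping: the token tenant must match the requested tenant. The page
    # states this for the bootstrap path; applying it to the steady-state path
    # too is an assumption of this example.
    if principal.tenant_id != requested_tenant:
        return False, "token tenant does not match requested tenant"

    if requested_tenant in workspaces:
        # Steady state: the workspace exists, so creation/management is role-gated.
        if has_onboarding_role(principal):
            return True, "app role"
        return False, "workspace exists; TenantAdmin or TenantOperator required"

    # Bootstrap: no workspace yet and the caller is onboarding their own tenant,
    # so the app-role check is skipped. Admin consent must still be verified;
    # until it propagates, first-time create is blocked and the user retries.
    if requested_tenant not in consent_verified:
        return False, "admin consent not verified; retry after consent propagation"
    return True, "bootstrap"


def can_access_workspace(principal: Principal, workspace: Workspace) -> bool:
    """Visibility check: same Entra tenant AND (app role OR creator OR allowed operator)."""
    if principal.tenant_id != workspace.tenant_id:
        return False
    allowed_emails = {e.lower() for e in workspace.allowed_operators}
    return (
        has_onboarding_role(principal)
        or principal.user_id == workspace.creator_id
        or principal.email.lower() in allowed_emails
    )


if __name__ == "__main__":
    # Constructed sample data: one tenant, a first admin, and a later TenantAdmin.
    first_admin = Principal("tenant-a", "user-1", "first.admin@example.test")
    print(authorize_workspace_create(first_admin, "tenant-a", {}, set()))
    print(authorize_workspace_create(first_admin, "tenant-a", {}, {"tenant-a"}))
    ws = Workspace("tenant-a", "user-1", frozenset({"ops@example.test"}))
    later_admin = Principal("tenant-a", "user-2", "admin@example.test", frozenset({"TenantAdmin"}))
    print(authorize_workspace_create(first_admin, "tenant-a", {"tenant-a": ws}, {"tenant-a"}))
    print(authorize_workspace_create(later_admin, "tenant-a", {"tenant-a": ws}, {"tenant-a"}))
    print(can_access_workspace(first_admin, ws), can_access_workspace(later_admin, ws))
```

Note the ordering in `authorize_workspace_create`: the existence check runs before the bootstrap branch, so once a workspace exists the creator no longer gets a role-free create path; they keep visibility through `can_access_workspace` only. The email comparison is case-insensitive because Entra user principal names and mail addresses are commonly mixed-case in tokens; whether the real allowed-operator list is matched that way is an assumption here.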
Recommended operational model
For production operations, use Enterprise Application role assignments as the primary access model:
- Assign users/groups to `TenantAdmin` or `TenantOperator`.
- Keep the bootstrap creator exception as an initial setup convenience only.
- Treat creator/allowed-operator access as a controlled exception path.