Admin Role Setup Guide for Entra Cards

This guide explains how to assign the Admin role to users in your organization, enabling them to access License Management and Data Quality features in Entra Cards.

Overview

Entra Cards uses Entra ID App Roles to control access to administrative features. The Admin role is defined in the application registration and can be assigned by your tenant administrators.

What Can Admin Users Do?

Admin users have access to:

  • License Management - View and analyze Microsoft 365 license assignments, costs, utilization, and optimization opportunities
  • Data Quality - Monitor directory data completeness and identify users with missing profile information
Additional Permissions for Some Admin Modules

Most admin features work with standard setup, but two modules may request extra Microsoft Graph permissions:

  • Licensing (Utilization tab): Organization.Read.All
  • Guest Users (Stale Guests tab): AuditLog.Read.All

Prerequisites

  • You must be a Global Administrator, Cloud Application Administrator, or Application Administrator in your Entra ID tenant
  • Entra Cards must already be registered in your tenant (users have signed in at least once)

Step-by-Step Instructions

Step 1: Access Enterprise Applications
  1. Sign in to the Entra ID Portal
  2. Navigate to Entra ID
  3. Click Enterprise apps in the left menu
  4. Search for EntraCards and click on it
    • If you don't see it, make sure at least one user has signed in to EntraCards first
Step 2: IMPORTANT - Allow All Users to Sign In
Critical: Adding App Roles can automatically enable "User assignment required", which blocks all users from signing in unless explicitly assigned to the app.
  1. In the EntraCards enterprise application, click Properties in the left menu
  2. Find Assignment required? setting
  3. Set it to No
  4. Click Save

This allows all users in your tenant to sign in and access basic features (Directory, Search, vCard export, etc.). Only users with the Admin role can access License Management and Data Quality.

Step 3: Assign the Admin Role to Users
  1. In the EntraCards enterprise application, click Users and groups in the left menu
  2. Click + Add user/group
  3. Click Users - None Selected
  4. Search for and select the user(s) you want to grant admin access
  5. Click Select
  6. Click Select a role - None Selected
  7. Choose the Admin role
  8. Click Select
  9. Click Assign
Step 4: Verify the Assignment
  1. The user should now appear in the Users and groups list with the Admin role
  2. Ask the user to sign out and sign back in to Entra Cards
  3. The user should now see and be able to access:
    • Admin menu in the navigation bar
    • License Management page
    • Data Quality page

Assigning Roles to Groups (Recommended)

Instead of assigning roles to individual users, you can assign them to Entra ID groups for easier management:

  1. Create a security group in Entra ID (e.g., "Entra Cards Admins")
  2. Add users to the group
  3. Follow the same steps above, but select the group instead of individual users
  4. All group members will automatically get the Admin role
Note: Group-based assignment requires Entra ID Premium P1 or P2.

Troubleshooting

If users who are NOT assigned any role are getting an error about needing admin permission:

  1. Go to Entra ID Portal → Enterprise Applications → Entra Cards → Properties
  2. Set Assignment required? to No
  3. Click Save

This happened because adding App Roles automatically enabled this setting. Setting it to "No" allows all tenant users to sign in, while still requiring the Admin role for administrative features.

If a user is assigned the Admin role but still sees "Access Denied":

  1. Verify the role assignment in Entra ID Portal → Enterprise Applications → Entra Cards → Users and groups
  2. Have the user sign out completely from Entra Cards and sign back in
  3. Check the token - The Admin role should appear in the user's access token
  4. Clear browser cache and try again

  • Make sure at least one user has signed in to Entra Cards
  • The enterprise application is created automatically on first sign-in
  • If using a custom app registration, verify the Application ID is correct in appsettings.json

  • Verify you have the required administrator role (Global Admin, Cloud App Admin, or Application Admin)
  • Check that the Admin role exists in the app registration (should be created automatically)

Removing Admin Access

To remove admin access from a user:

  1. Go to Entra ID Portal → Enterprise Applications → Entra Cards → Users and groups
  2. Select the user
  3. Click Remove
  4. Have the user sign out and sign back in

Best Practices

  • Use Groups: Assign roles to groups rather than individual users for easier management
  • Principle of Least Privilege: Only assign Admin role to users who genuinely need access to these features
  • Regular Reviews: Periodically review who has admin access and remove unnecessary assignments
  • Documentation: Keep a record of who has admin access and why
Back to Home