Overview
The APU Staff Portal gives staff a single, secure landing page with links to documents, forms, and tools. Access is controlled by Microsoft 365 single sign-on (SSO) tied to the organisation's Azure AD tenancy, with a local master admin login for initial setup and emergency access.
This admin panel lets you manage all content and configuration without redeploying.
Notices
Notices appear prominently at the top of the staff portal. Use them for time-sensitive information workers need to see as soon as they log in.
- Urgent — red banner. Use for safety-critical alerts (e.g. site access restrictions, hazards).
- Warning — amber banner. Use for important operational changes.
- Info — blue banner. Use for general announcements.
Set a notice to Inactive to hide it without deleting it. You can reactivate it later. To edit, click Edit in the list.
Links
Links appear as cards on the staff portal, grouped by category. Each link has:
- Title — shown prominently on the card.
- Icon — an emoji displayed on the card (e.g. 📄 🔧 ⚠️).
- URL — where the card links to. Can be any URL — SharePoint, Teams, external sites, PDFs.
- Description — optional short text shown under the title.
- Category — groups cards under a heading (e.g. Safety, Forms, Procedures).
- Visible to groups — controls which staff can see this link. Leave as All users if everyone should see it, or select specific groups to restrict it.
Security Groups
Security groups control what content different staff can see. Groups are managed entirely within this portal — they are not Azure AD groups.
1. Go to the Security Groups tab and create your groups (e.g. ID: operators, Name: Operators).
2. Go to User Assignments and assign each staff member's email to the appropriate group(s).
3. When adding or editing a link, set Visible to groups to the groups who should see it.
Staff with no group assignment can still log in and see all content marked All users. A user can belong to multiple groups.
Built-in group: all means every authenticated user. You do not need to create it.
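The visibility rule described in this section, written out as an added example (this is illustrative code, not the portal's own implementation): the sample assignments and links are constructed, the function names (groupsForUser, isLinkVisible, visibleLinkTitles) are assumptions, and emails are compared case-insensitively after trimming, which is this example's choice rather than something the guide states.

```javascript
// Added example, not the portal's own code. Applies the "Visible to groups"
// rule: every authenticated user is implicitly in "all", explicit group
// assignments are added, and a link is shown when any of its target groups
// matches. Data below is constructed for the demonstration.

// Constructed: group assignments keyed by Microsoft 365 sign-in email.
const userAssignments = {
  "alice@apu.example": ["operators", "supervisors"],
  "bob@apu.example": ["operators"],
  "contractor@theircompany.com": ["contractors"],
  // carol@apu.example has no assignment at all
};

// Constructed: links as stored by the admin panel. visibleTo ["all"] is the
// built-in "All users" group and needs no definition.
const links = [
  { title: "Site Induction", category: "Safety", visibleTo: ["all"] },
  { title: "Shift Handover Form", category: "Forms", visibleTo: ["operators"] },
  { title: "Supervisor Checklist", category: "Procedures", visibleTo: ["supervisors"] },
  { title: "Contractor Permit", category: "Forms", visibleTo: ["contractors", "supervisors"] },
];

// Assumption of this example: compare addresses case-insensitively after
// trimming, so stray capitalisation in an assignment does not lock a user out.
function normaliseEmail(email) {
  return String(email).trim().toLowerCase();
}

// Groups for a user: "all" plus whatever the assignments table grants.
// A user with no row still gets {"all"}, so they see All users content.
function groupsForUser(email, assignments) {
  const key = normaliseEmail(email);
  const explicit = Object.entries(assignments)
    .filter(([assigned]) => normaliseEmail(assigned) === key)
    .flatMap(([, groups]) => groups);
  return new Set(["all", ...explicit]);
}

// A link is visible when at least one of its target groups is held by the user.
// A link with no groups recorded is treated as "all".
function isLinkVisible(link, userGroups) {
  const targets = link.visibleTo && link.visibleTo.length ? link.visibleTo : ["all"];
  return targets.some((group) => userGroups.has(group));
}

// Filter the card list for one signed-in user; returns titles for readability.
function visibleLinkTitles(email, assignments = userAssignments, allLinks = links) {
  const groups = groupsForUser(email, assignments);
  return allLinks.filter((link) => isLinkVisible(link, groups)).map((link) => link.title);
}
```

Running visibleLinkTitles for a user with no assignment returns only the All users cards, which is the behaviour the guide describes for unassigned staff; a user in several groups sees the union of what those groups can see.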
User Assignments
Assign a staff member to a group by entering their Microsoft 365 sign-in email and selecting a group. Changes take effect the next time they load the portal.
Enter the email address exactly as it appears in Azure AD — this is what the SSO token provides and what the portal uses to identify users.
Giving Access to External Users
The portal allows anyone in the Microsoft 365 tenancy to sign in, including users across multiple company domains. For users outside the organisation (contractors, subcontractors, partners), add them as an Azure AD B2B Guest user — they do not need a full company licence.
1. Go to portal.azure.com → Azure Active Directory → Users → New user → Invite external user.
2. Enter their email address (any Microsoft-linked account — work or personal).
3. They receive an invitation email. Once accepted, they appear in Azure AD as a Guest.
4. They can now sign in to the portal with their own Microsoft account.
5. Add their external email to the appropriate security groups in this admin panel.
Guest users sign in with their own email (e.g. contractor@theircompany.com). Use that address in User Assignments — not a company address.
If ALLOWED_DOMAIN is set as a server secret, guest users will be blocked. Remove it to allow guest access — the Azure AD tenancy itself is the security boundary.
Admin Access
There are two levels of admin access:
- Master admin (this account) — local username/password login. Used for initial setup and emergency access. Credentials are stored in the project password manager. Sees this full guide including all technical setup. Should be disabled once SSO admin accounts are confirmed working.
- SSO admin — any Microsoft 365 account whose email is in the ADMINS server variable. Manages content only — does not see technical setup details. Add emails as a comma-separated list.
Disable the master admin login once SSO is working by removing the LOCAL_ADMIN_USER and LOCAL_ADMIN_PASS server variables. Keep credentials in the password manager in case emergency access is ever needed and the variables need to be re-added.
Server Variables Reference
All variables are configured in the hosting platform dashboard under the project settings.
| Variable | Purpose | Required |
| --- | --- | --- |
| SESSION_SECRET | Signs login session cookies. Any random string, 40+ characters. | Always |
| AZURE_CLIENT_ID | App Registration client ID for Microsoft SSO. | For SSO |
| AZURE_TENANT_ID | Organisation's Azure AD tenant ID. | For SSO |
| ALLOWED_DOMAIN | Restricts SSO login to one email domain. Omit for multi-domain tenancies or if guest users need access. | Optional |
| ADMINS | Comma-separated emails granted SSO admin access to this panel. | For SSO admin |
| LOCAL_ADMIN_USER | Username for the master admin (local) login. | For local login |
| LOCAL_ADMIN_PASS | Password for the master admin (local) login. | For local login |
| AZURE_APP_SECRET | Azure App Registration client secret. Not used in the current SPA auth flow — reserved for future Graph API integration. | Future use |
After adding or changing any variable, a new deployment must be triggered for the change to take effect.
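How the variables in this table fit together, as an added example rather than the portal's own code: a pre-deployment consistency check over the variables, and the sign-in decision that applies ALLOWED_DOMAIN and ADMINS to the address from a verified SSO token. The function names (validateConfig, authoriseSignIn, parseAdmins) and the sample values are assumptions; the rules encoded are the ones this guide states (40+ character SESSION_SECRET, ADMINS as a comma-separated list, ALLOWED_DOMAIN blocking every other domain including B2B guests, the local admin pair set or removed together).

```javascript
// Added example, not the portal's own code. Shows the relationships between
// the server variables in the reference table.

// Parse the comma-separated ADMINS list into a normalised set of addresses.
function parseAdmins(value) {
  return new Set(
    String(value || "")
      .split(",")
      .map((entry) => entry.trim().toLowerCase())
      .filter(Boolean)
  );
}

// Return a list of configuration problems; an empty list means the variables
// are consistent with the rules in the guide. Run this before a deployment.
function validateConfig(env) {
  const problems = [];
  if (!env.SESSION_SECRET || env.SESSION_SECRET.length < 40) {
    problems.push("SESSION_SECRET missing or shorter than 40 characters");
  }
  const ssoConfigured = Boolean(env.AZURE_CLIENT_ID && env.AZURE_TENANT_ID);
  const localConfigured = Boolean(env.LOCAL_ADMIN_USER && env.LOCAL_ADMIN_PASS);
  if (!ssoConfigured && !localConfigured) {
    problems.push("neither SSO (AZURE_CLIENT_ID + AZURE_TENANT_ID) nor local admin login is configured");
  }
  // The master admin is disabled by removing both variables; one without the other is a mistake.
  if (Boolean(env.LOCAL_ADMIN_USER) !== Boolean(env.LOCAL_ADMIN_PASS)) {
    problems.push("LOCAL_ADMIN_USER and LOCAL_ADMIN_PASS must be set together or removed together");
  }
  // Disabling local login before any SSO admin exists leaves nobody able to manage content.
  if (ssoConfigured && !localConfigured && parseAdmins(env.ADMINS).size === 0) {
    problems.push("SSO is enabled, local admin is disabled, and ADMINS is empty");
  }
  if (env.ALLOWED_DOMAIN && env.ALLOWED_DOMAIN.includes("@")) {
    problems.push("ALLOWED_DOMAIN should be a bare domain (example.com), not an address");
  }
  return problems;
}

// Decide whether an SSO sign-in is accepted and whether it gets admin access.
// `email` is the address taken from a token whose signature has already been verified.
function authoriseSignIn(email, env) {
  const address = String(email || "").trim().toLowerCase();
  const at = address.lastIndexOf("@");
  if (at <= 0 || at === address.length - 1) {
    return { allowed: false, isAdmin: false, reason: "malformed email claim" };
  }
  const domain = address.slice(at + 1);
  if (env.ALLOWED_DOMAIN && domain !== env.ALLOWED_DOMAIN.trim().toLowerCase()) {
    // This branch is what blocks B2B guest users whenever ALLOWED_DOMAIN is set.
    return { allowed: false, isAdmin: false, reason: `domain ${domain} is not the allowed domain` };
  }
  return { allowed: true, isAdmin: parseAdmins(env.ADMINS).has(address), reason: "ok" };
}
```

The fourth check in validateConfig is the lockout case this guide's Admin Access section warns about: remove LOCAL_ADMIN_USER and LOCAL_ADMIN_PASS only after an address in ADMINS has signed in successfully.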
Setting Up Microsoft SSO
1. Go to portal.azure.com → Azure Active Directory → App registrations → New registration. Set supported account types to Accounts in this organizational directory only (Single tenant).
2. Set the platform to Single-page application (SPA) and add the portal login URL as the redirect URI (e.g. https://yoursite.pages.dev/login.html). Add any custom domain redirect URIs too.
3. From the App Registration overview, copy the Application (client) ID and Directory (tenant) ID.
4. Add AZURE_CLIENT_ID and AZURE_TENANT_ID as server variables, then trigger a new deployment.
5. Add your own email to the ADMINS variable, redeploy, and test SSO login end-to-end. Once confirmed, disable the master admin local login by removing LOCAL_ADMIN_USER and LOCAL_ADMIN_PASS.
A client secret (AZURE_APP_SECRET) is not required for the current implementation. The portal uses the SPA auth flow with PKCE, which validates tokens against Microsoft's public keys — no client secret needed.
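The token checks that go with the setup above, as an added example rather than the portal's own code: after the token's signature has been verified against Microsoft's published keys (the step the paragraph refers to; it needs a network fetch of the tenant's key set and is not repeated here), the server must still confirm the token was issued by this tenant, for this App Registration, and is within its validity window. The client and tenant IDs, the demo token and the function names (checkIdTokenClaims, checkRawToken, makeDemoToken) are constructed assumptions; reading the sign-in address from the preferred_username claim is also this example's assumption.

```javascript
// Added example, not the portal's own code. Claim checks for a Microsoft
// identity token, to be run only after signature verification has succeeded.

// Constructed stand-ins for the AZURE_CLIENT_ID and AZURE_TENANT_ID variables.
const env = {
  AZURE_CLIENT_ID: "11111111-2222-3333-4444-555555555555",
  AZURE_TENANT_ID: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
};

// Decode one base64url JWT segment into an object. This does not check anything.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Build an unsigned token so the example runs offline. A real token arrives
// from Microsoft and is signature-checked before these claim checks run.
function makeDemoToken(payload) {
  const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${encode({ alg: "RS256", typ: "JWT" })}.${encode(payload)}.signature-omitted`;
}

// Bind the token to this tenant and this app, and check its validity window.
// Returns { ok, email, errors } so a rejected sign-in can be logged with a reason.
function checkIdTokenClaims(claims, cfg, nowSeconds) {
  const errors = [];
  // v2.0 tokens carry the tenant in the issuer URL as well as in tid.
  const expectedIssuer = `https://login.microsoftonline.com/${cfg.AZURE_TENANT_ID}/v2.0`;
  if (claims.iss !== expectedIssuer) errors.push("issuer mismatch");
  if (claims.tid !== cfg.AZURE_TENANT_ID) errors.push("tenant mismatch");
  // aud must be this App Registration: a valid token for another app is not valid here.
  if (claims.aud !== cfg.AZURE_CLIENT_ID) errors.push("audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) errors.push("token expired");
  if (typeof claims.nbf === "number" && claims.nbf > nowSeconds) errors.push("token not yet valid");
  // Assumption of this example: the sign-in address used for ADMINS and
  // User Assignments lookups is taken from preferred_username.
  const email = typeof claims.preferred_username === "string"
    ? claims.preferred_username.trim().toLowerCase()
    : null;
  if (!email) errors.push("no preferred_username claim");
  return { ok: errors.length === 0, email, errors };
}

// Convenience wrapper: split a compact JWT and check the payload claims.
function checkRawToken(token, cfg, nowSeconds) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, email: null, errors: ["malformed token"] };
  return checkIdTokenClaims(decodeSegment(parts[1]), cfg, nowSeconds);
}
```

A token from a different tenant fails on both issuer and tid even if the audience happens to match, and a token for another App Registration in the same tenant fails on audience, which is why both checks are kept separate rather than collapsed into one.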