Offboarder

Offboarder Admin Portal

Settings

Modules & Licensing

Active modules and license status for this installation.

Security & Observability

Access control rules, WAF policy, and API endpoint health are managed here.

Security Controls: API Controls and WAF
WAF Policy: Azure Front Door WAF mode, custom rules, UI protection
API Health: Live status of all API endpoints, recent job failures
Logs & Evidence: Auth trail, outages, agent activity, AD evidence, operator audit, dependencies
Role Management: Provision portal users + assign App Roles.

Notifications

Agent considered offline after this many minutes without check-in.
Minimum time between repeat alerts for the same agent.
Minimum time before re-alerting on the same failed job. Set to 0 to alert once only.
First alert when DC LDAPS cert expires within this many days.
Escalated alert when within this many days. Default 7.
If set, cert alerts go here instead of the main recipient list above.
Connection strings are stored securely on the server and never returned to the browser. Sender addresses must be verified in your Azure Communication Services → Email → Domains resource.

Agent Configuration

Provision a TLS certificate in Azure Key Vault for the agent host and generate a pre-configured bootstrap script. The agent VM never generates its own certificate — Key Vault is the authority. Enter the required details below before downloading.

The configured domain this agent will process jobs for.
The Windows COMPUTERNAME of the agent VM ($env:COMPUTERNAME).
Fully qualified hostname of the domain controller.
Domain account the agent uses to disable AD users (e.g. EBM\offboarder_svc).
Stored in Key Vault. Never written to any file on the agent VM.
LDAPS encrypts AD bind traffic. When selected, the DC cert is captured every poll and surfaces on the Domains page DC Cert column. T-30/T-7 expiry alerts auto-fire. DC enrollment helper: agent/installer/Install-LdapsForDC.ps1.
Agent Host
Cert Thumbprint
KV Secret
Status: Certificate provisioned. Bootstrap script downloaded.
Run as Administrator in Windows PowerShell 5.1 on the agent host:
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File .\Install-OffboarderAgent.ps1

The script downloads all agent files from this portal and installs the agent automatically. The certificate is pulled from Key Vault — no manual cert steps or Terraform required on the agent VM.

Update Service Account Password

Use this after rotating the offboarder_svc password in Active Directory. Updates the Key Vault secret — the agent picks up the new credentials automatically on the next poll cycle.

System Timing Reference

Informational — these intervals are fixed in the agent and server-side timers.

| Process | Interval | Notes |
|---|---|---|
| Agent check-in | Every 30 s | Updates last_seen_utc and dc_reachable |
| DC probe | Every 30 s | TCP port 389/636, 3 s timeout; runs before each check-in |
| Job queue poll | Every 30 s | Up to 25 messages, 300 s visibility lease |
| Offline / DC monitor | Every 5 min | Server-side timer; evaluates all agents across all tenants |
| HCM ingest scan | Every 1 min | Scans hcm-drop container for new CSV uploads |
| Health page probe | On load + manual | Triggers API health alert email if endpoints are failing |
| Jobs page auto-refresh | Every 30 s | Refreshes agent tiles and job list while page is open |
| Alert cooldown | Configurable | Minimum gap between repeat alerts (agent offline, DC, API health) |

Credential Rotation Schedule (SOC 2 CC6.1)

Platform credentials are stored in Key Vault. Email reminders are sent 30 days before expiry, then weekly until rotated. Contact your system administrator when a credential shows Action Required.

Script Signing Key (ISO 27001:2022 A.8.24)

Agent bootstrap scripts are signed with an EC P-256 key stored in Key Vault. The key rotates automatically each year. After a key rotation, click Re-sign Scripts to update the manifest with signatures from the new key version.

Audit Reports (Scheduled Monthly Export)

Automatically email a CSV audit report each month. The report includes all offboarding jobs with evidence — identity resolution method, AD actions taken, timestamps, and agent. Delivered via the ACS connection configured in Notifications above.

By default, reports are sent on the 1st of each month and cover the prior month. Reports are stored at evidence/audit-reports/{year-month}/ and emailed as a 7-day download link.