Microsoft sign-in privacy gate

Auth owner action sheet

This is the owner-facing setup sheet for switching the RaveFocus worker hub from preview to protected worker/admin access.

Status: prepared; not enforced
4 roles
3 protected routes prepared
0 protected routes active now
7 owner actions
Launch guard: Do not apply protected auth until SharePoint Lists/forms, role assignments, and admin test accounts are ready.

Owner actions

# | Action | Owner | Status | Proof needed
1 | confirm Microsoft Entra sign-in provider | admin | manual required | Azure Static Web Apps authentication provider is configured for Microsoft Entra ID
2 | assign owner/admin users | admin / Jupiter | manual required | approved owner/admin accounts have admin role and can sign in
3 | assign approved worker users | admin | manual required | approved workers have authenticated or worker access only
4 | test worker privacy boundary | admin | waiting | worker can open their worker areas but cannot open /outputs/* or admin-only setup evidence
5 | test signed-out privacy boundary | admin | waiting | signed-out user is blocked from operational data after protected config is applied
6 | apply protected Static Web Apps config | admin | waiting | launch/set-static-web-app-auth-mode.ps1 -Mode apply has been run, deployed, and verified
7 | run final auth verification | admin | waiting | local, render, and live verification pass after auth changes

User access

# | Account group | Role needed | Can access | Proof to capture | Private data rule
1 | owner/admin | admin | admin setup, launch evidence, restricted outputs, form verification, proof routing | admin account signs in and can reach admin-only setup pages | do not publish passwords, recovery codes, private records, payout settings, IDs, or billing details
2 | approved worker | authenticated or worker | profile, quest board, assigned role tasks, forms, proof submission | worker account signs in and cannot reach admin-only outputs | worker sees only their own profile/task info and proof-safe task records
3 | guest/not signed in | anonymous preview only | public preview sections only before production lock | signed-out visitor cannot reach profile, forms, proof, quest data, or admin evidence after auth is applied | no operational manifests or proof links exposed to signed-out visitors
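
Added example (not part of the RaveFocus project files): an offline check that evaluates a Static Web Apps style route table against the access matrix above, so owner actions 4 and 5 can be rehearsed before the protected config is deployed. Both configs are constructed for illustration, and every route path except /outputs/* is an assumption, as is the site root staying public.

```python
# Added example: offline check of a Static Web Apps route table against the
# access matrix on this sheet. All route paths except /outputs/* are assumed.

PROTECTED = {"routes": [  # constructed "apply" config, not the project's file
    {"route": "/outputs/*", "allowedRoles": ["admin"]},
    {"route": "/admin/*", "allowedRoles": ["admin"]},
    {"route": "/worker/*", "allowedRoles": ["authenticated"]},
]}
PREVIEW = {"routes": []}  # constructed "preview" config: nothing enforced

# Roles each account group carries. Static Web Apps puts every visitor in
# "anonymous" and every signed-in user in "authenticated" as well.
PERSONAS = {
    "owner/admin": {"anonymous", "authenticated", "admin"},
    "approved worker": {"anonymous", "authenticated", "worker"},
    "signed out": {"anonymous"},
}

# Expected outcome per (persona, path), taken from the User access table.
EXPECTED = {
    ("owner/admin", "/outputs/evidence.json"): True,
    ("owner/admin", "/admin/setup"): True,
    ("approved worker", "/worker/profile"): True,
    ("approved worker", "/outputs/evidence.json"): False,
    ("approved worker", "/admin/setup"): False,
    ("signed out", "/worker/profile"): False,
    ("signed out", "/outputs/evidence.json"): False,
    ("signed out", "/"): True,  # assumption: public preview stays at the root
}

def route_matches(rule, path):
    """Exact match, or prefix match when the rule ends in '*'."""
    if rule.endswith("*"):
        return path.startswith(rule[:-1])
    return path == rule

def is_allowed(config, roles, path):
    """First matching rule decides; a path with no rule is public."""
    for rule in config.get("routes", []):
        if route_matches(rule["route"], path):
            allowed = rule.get("allowedRoles")
            return allowed is None or bool(roles & set(allowed))
    return True

def violations(config):
    """Return (persona, path) pairs where the config disagrees with EXPECTED."""
    return sorted(key for key, want in EXPECTED.items()
                  if is_allowed(config, PERSONAS[key[0]], key[1]) != want)

if __name__ == "__main__":
    for name, cfg in (("preview", PREVIEW), ("protected", PROTECTED)):
        print(name, violations(cfg) or "matches the access matrix")
```

A rule that allows only the built-in authenticated role admits every account that can sign in through the provider, so the check treats a signed-in account with no custom role the same as an approved worker on /worker/*.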

Sensitive info rules