
Operator Dashboard — Microsoft (Entra) SSO + Edge Gate Setup

Updated 2026-06-06. Internal — founder/admin.

The dashboard holds the company’s most sensitive data, so it is protected by three independent layers; any one of them on its own is enough to stop an attacker:

  1. Cloudflare Access — edge gate; nothing reaches the app or its /api functions without auth.
  2. Supabase “Continue with Microsoft” SSO — Entra identity, MFA enforced, no password stored.
  3. Row-Level Security (default-deny) + operator allowlist — the data backstop.

The login UI (login.astro) is already built. The steps below are the console configuration (Entra + Supabase + Cloudflare) that must be done before the “Continue with Microsoft” button works.

Key fact for every step: the Supabase project is cmevvhyvrkphsfkghpix, so the OAuth callback is https://cmevvhyvrkphsfkghpix.supabase.co/auth/v1/callback.


A. Entra app registration (Microsoft Entra admin center → portal.azure.com)

  1. Identity → Applications → App registrations → New registration.
  2. Name: CyberSuite Dashboard.
  3. Supported account types: “Accounts in this organizational directory only (Single tenant).” 🔒 Security-critical — this locks sign-in to the cybersuite.tech tenant; no other Microsoft account can authenticate.
  4. Redirect URI: platform = Web, URI = https://cmevvhyvrkphsfkghpix.supabase.co/auth/v1/callback
  5. Register. Copy the Application (client) ID and the Directory (tenant) ID.
  6. Certificates & secrets → New client secret → 24-month expiry → copy the secret Value immediately (it is shown once). Store it in 1Password (CyberSuite-Infra).
  7. API permissions → Microsoft Graph → Delegated: confirm openid, email, profile, User.Read. Grant admin consent.

B. Supabase provider config (Supabase → Authentication → Providers → Azure)

  1. Enable the Azure provider.
  2. Application (Client) ID = the client ID from A-5.
  3. Secret Value = the client secret from A-6.
  4. Azure Tenant URL = https://login.microsoftonline.com/<tenant-id> (the Directory/tenant ID from A-5). 🔒 Restricts the token audience to your tenant at Supabase’s end too.
  5. Save.
  6. Authentication → URL Configuration: confirm Site URL = https://dashboard.cybersuite.tech and add https://dashboard.cybersuite.tech/** to Redirect URLs (the OAuth return target).

C. Enforce phishing-resistant MFA (Entra → Protection → Conditional Access)

  1. New policy targeting the operator accounts → Grant → Require authentication strength → Phishing-resistant MFA (passkey / FIDO2 / Windows Hello). This is what makes a stolen credential useless.
  2. Each operator registers a passkey or hardware key under Security info.

D. Cloudflare Access edge gate

Highest-impact layer — a separate edge gate in front of the whole app (distinct from the app’s Supabase+Entra SSO above). Full screen-by-screen runbook: Operator Dashboard — Cloudflare Access Edge Gate Setup (all console, no API token needed). Includes the .pages.dev side-door follow-up.

E. Close the weak door (after SSO is verified end-to-end)

  1. Supabase → Authentication → Providers → Email: disable email/magic-link sign-in.
  2. Remove the email fallback block from login.astro.
  3. Result: the only way in is Entra SSO (MFA) behind Cloudflare Access, with RLS underneath.
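Layer 3 (default-deny RLS plus the operator allowlist) is not a console step, so here is what it looks like as Supabase/Postgres SQL. This is an added example, not the dashboard’s own migration; the table names operator_allowlist and operator_data and the email column are assumptions.

```sql
-- Added example (not the dashboard's own migration). Assumed names:
-- operator_allowlist, operator_data, column email.

-- 1. Allowlist of operator identities (store emails lowercase).
create table if not exists operator_allowlist (
  email text primary key
);
alter table operator_allowlist enable row level security;
-- RLS on with no policy = default deny: the authenticated role cannot
-- read or edit the allowlist through the API; only the DB owner can.

-- 2. Allowlist check. SECURITY DEFINER lets it read the allowlist on
--    behalf of callers who are denied direct access. The email claim
--    comes from the Supabase-issued JWT produced by the Entra sign-in.
create or replace function is_operator()
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from operator_allowlist
    where email = lower(coalesce(auth.jwt() ->> 'email', ''))
  );
$$;
revoke execute on function is_operator() from public;
grant execute on function is_operator() to authenticated;

-- 3. The sensitive data: RLS on and forced, so even the table owner
--    goes through the policies; with no policy, no rows are visible.
create table if not exists operator_data (
  id bigint generated always as identity primary key,
  payload jsonb not null
);
alter table operator_data enable row level security;
alter table operator_data force row level security;
revoke all on operator_data from anon;   -- the anon key gets nothing at all

-- 4. The only grant: allowlisted, signed-in operators may read and write.
create policy operator_rw on operator_data
  for all to authenticated
  using (is_operator())
  with check (is_operator());
```

A quick check after applying it: a signed-in account whose email is not in operator_allowlist should get an empty result from operator_data, not an error.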

Verification

“Done” means