Provisioning

After federation is configured, you need to provision users in BlokSec so they can authenticate. Provisioning creates a BlokSec account for each user and sends them an invitation to set up the BlokSec authenticator app on their phone.

How provisioning works

Each user needs two things:

1. A BlokSec account linked to their Microsoft 365 email address
2. The BlokSec app installed on their phone with their account activated

When a user signs in to Microsoft 365, BlokSec looks up their account by email address. If the account exists and is active, BlokSec sends a push notification (or displays a QR code) for the user to approve. If the account doesn’t exist, the user sees an error.

Invite users

1. In the BlokSec admin console, navigate to your Microsoft 365 application
2. Go to the Users tab
3. Click Invite User
4. Enter the user’s email address (must match their Microsoft 365 email)
5. Click Send Invitation

Screenshot pending

/screenshots/admin/integrations/microsoft-365/provisioning-invite.png

Invite user form with an email address field and Send Invitation button

Invite a user by entering their Microsoft 365 email

The user will receive an invitation email with a QR code and a link. They can either:

• Tap the link on their phone to open it in the BlokSec app
• Scan the QR code with their phone’s camera if they received the email on another device

Tip

For a smoother rollout, invite a small group of pilot users first. Once they confirm everything is working, invite the rest of your organization.

Bulk provisioning

For larger organizations, you can invite multiple users at once:

1. Go to the Users tab
2. Click Bulk Invite
3. Upload a CSV file with one email address per row
4. Click Send Invitations

Screenshot pending

/screenshots/admin/integrations/microsoft-365/provisioning-bulk.png

Bulk invite interface showing a CSV upload field and a list of email addresses to be invited

Upload a CSV file to invite multiple users at once

User activation

After receiving the invitation, the user:

1. Downloads the BlokSec app (if they haven’t already)
2. Opens the invitation link or scans the QR code
3. Authenticates with their phone’s biometrics (Face ID, fingerprint, or device PIN)
4. Their account is now active and ready for passwordless sign-in

You can track which users have activated their accounts in the Users tab. Users who haven’t activated yet will show as “Invited”.

Screenshot pending

/screenshots/admin/integrations/microsoft-365/provisioning-user-list.png

User list showing a mix of active and invited users with their activation status

Track user activation status

Timing matters

Make sure users activate their BlokSec accounts before you federate the domain (or before they try to sign in after federation). If a user’s Microsoft 365 email is on a federated domain but they don’t have an active BlokSec account, they won’t be able to sign in.

Removing a user

To remove a user from BlokSec:

1. Go to the Users tab
2. Find the user and click the menu icon
3. Select Remove User

The user will no longer be able to authenticate with BlokSec. If the domain is still federated, they won’t be able to sign in to Microsoft 365 until they are re-provisioned or federation is removed.