Tenant Onboarding
Operator Guide
This section is for Concerto team members onboarding new client organizations.
Onboarding Checklist
1. Create the Organization
From Admin → Client Management → Clients:
| Setting | Description |
|---|---|
| Organization Name | Client's company name |
| Primary Domain | Company's email domain |
| Timezone | Organization timezone for scheduling |
| Logo | Company logo (displayed in sidebar, reports, and Trust Center) |
| Subscription Tier | Determines module access and usage limits |
2. Configure Modules
Enable the appropriate modules based on the client's engagement:
- Select which modules are active (Framework Controls, Evidence, Risk Register, etc.)
- Configure module-specific settings and defaults
- Set up products if the client has multiple products — each product gets independent control status and evidence tracking
3. Deploy Frameworks
From the Master Framework Library:
- Deploy relevant frameworks (SOC 2, ISO 27001, ISO 42001, PCI DSS, HIPAA)
- This copies controls, evidence requests, and recurring activities to the tenant
- Choose which record types to include per framework
4. Create the Admin User
- Invite the client's primary contact as a Tenant Admin
- They receive an email to set up their Cognito account
- Verify they can log in and see their organization
- Optionally invite additional users with appropriate roles (User, Auditor, Executive)
5. Configure Integrations (Optional)
If the client wants automated data collection:
| Integration | Setup |
|---|---|
| Microsoft 365 / Entra | Guide through admin consent — Global Admin or Privileged Role Admin approves permissions |
| Google Workspace | Domain-wide delegation setup with service account and OAuth scopes |
| AWS | Provide the Account ID and the ARN of an IAM role with read permissions |
| MDM (Intune / Jamf / SimpleMDM) | Provide API credentials for device sync |
| Slack | Connect for notifications and incident submission |
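
For the AWS row above, an added example (not Concerto's own code) of a pre-check on the supplied values: it confirms the role ARN belongs to the stated Account ID and flags any allowed action in the role's policy document that is not read-only. The sample account ID, role name, policy, and the read-only prefix list are constructed assumptions.

```python
import re

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>
ROLE_ARN = re.compile(r"arn:aws[a-z-]*:iam::(\d{12}):role/[\w+=,.@/-]+", re.ASCII)
# Assumption: action names starting with these prefixes count as read-only.
# Review matches too: some Get* actions return secrets (secretsmanager:GetSecretValue).
READ_PREFIXES = ("get", "list", "describe", "batchget", "lookup")

def check_role_arn(account_id, role_arn):
    """Return problems found in the Account ID / role ARN pair."""
    problems = []
    if not re.fullmatch(r"\d{12}", account_id):
        problems.append("account id is not 12 digits")
    m = ROLE_ARN.fullmatch(role_arn)
    if m is None:
        problems.append("not an IAM role ARN")
    elif m.group(1) != account_id:
        problems.append("role ARN belongs to a different account")
    return problems

def non_read_actions(policy):
    """Return allowed actions in an IAM policy document that are not read-only."""
    found = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except a list: too broad
            found.append("NotAction")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            name = action.partition(":")[2]  # "" for a bare "*"
            if not name.lower().startswith(READ_PREFIXES):
                found.append(action)
    return found

# Constructed sample input (not a real account, role, or policy).
SAMPLE_ACCOUNT = "111122223333"
SAMPLE_ARN = "arn:aws:iam::111122223333:role/grc-readonly"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:List*", "s3:PutObject"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print(check_role_arn(SAMPLE_ACCOUNT, SAMPLE_ARN))
    print(non_read_actions(SAMPLE_POLICY))
```

An empty result from both functions means the pair is consistent and no write-capable action was found by the prefix heuristic; anything returned should be resolved with the client before the integration is saved.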
6. Run Migration Wizard (Optional)
If the client is migrating from another GRC platform:
- Use the Migration Wizard to import their existing data
- Supported sources: Vanta, Drata, Secureframe, Sprinto, Airtable, CSV
- Review imported data for accuracy
- Resolve any unmatched owners or failed imports
7. Configure Employee Portal (Optional)
If the client wants an employee-facing portal:
- Enable the portal in Administration → Employee Portal
- Set allowed email domains (must match employee email domains)
- Choose which modules to expose (Vendors, Training, Policies, Incidents, Contact)
- Share the portal URL with the client for internal distribution
8. Configure Trust Center (Optional)
If the client wants a public-facing trust center:
- Enable the Trust Center in organization settings
- Configure the public URL slug
- Set up document sections and visibility
- Upload compliance documentation (SOC 2 reports, certifications, etc.)
- Configure questionnaire submission if the client accepts inbound questionnaires
9. Handoff
- Walk the client admin through the platform
- Point them to the documentation site
- Ensure they understand the autosave behavior and sidecar navigation pattern
- Set up a recurring check-in cadence
- Confirm the client can submit support tickets through the platform