Part 3: Providing Staff restricted access to Princh locations
In this step, you will configure restrictions specifically for the Staff Restricted role. This setup allows selected users to sign in to the Princh Admin Panel with their Microsoft account, but only for the locations explicitly assigned to them.
- Navigate to https://entra.microsoft.com and sign in with your Entra admin user. In the Azure portal, use the left-hand navigation menu to select “App registrations”.
- Click "+ New registration" at the top of the App registrations page to create the application.
  - Name: Specify a name for the application. For example, you could use “Princh-staff-restrictions” or another name that clearly indicates its association with Princh staff restrictions.
  - Redirect URI: Leave this field blank. No redirect URI is required for Staff Restricted role configuration.
- Once completed, click "Register" to create the application.
- Once the application has been successfully registered, go to App roles > Create app role.
- Select “Create app role” to add a new role to the registered application. Each App Role you define should correspond to a specific Princh location.
- If you want to restrict staff users' access to only one location, create a single app role. To restrict access to additional locations, repeat this process and create a separate app role in Microsoft Entra for each location.
- After creating the App Role(s), go to the “Overview” tab, then click on “Managed application in local directory” to open the Enterprise Application view.
- In the Enterprise Application view:
  - Go to Assign users and groups > Add user/group. Select users and assign the relevant App role(s). The user’s assigned App role(s) determine which locations they can access.
- Log in to the Princh Admin Panel and go to the User Accounts tab. If your Microsoft Tenant is properly connected to Princh, the “+ Add New App Role” button will be visible in the User Accounts section of the Princh Admin Panel.
- For each of the app roles you created in Microsoft Entra, complete the following steps:
  - In the Princh Admin Panel, click “+ Add New App Role” and paste in the App Role ID. You can find the App Role IDs in the “App roles” section of the corresponding application in Microsoft Entra. Then, select the Princh location that corresponds to your App Role ID.
  - Click “Create” to finalize the assignment. This links the App Role to the specific location, ensuring that users with the Staff Restricted role can only access the designated site.
- Users assigned the Restricted Staff Role will now be able to log in to the Princh Admin Panel with restricted access.
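Because access depends on both the Entra app role assignments and the App Role ID to location links entered in Princh, it is worth cross-checking the two after setup. The following is an added example, not Princh or Microsoft code: the field names follow Microsoft Graph's `appRoles` and `appRoleAssignedTo` collections, while the `PRINCH_MAPPING` dictionary is a hypothetical hand-maintained copy of what was entered in the Princh Admin Panel, and all IDs, users and locations are constructed sample data.

```python
# Added example: cross-check Entra app role assignments against the
# App Role ID -> location links entered in Princh. All data is constructed.
DEFAULT_ACCESS = "00000000-0000-0000-0000-000000000000"  # assignment made without an app role

R1, R2, R3, R4 = ("%s-0000-0000-0000-000000000000" % (c * 8) for c in "1234")

# Shape of the application's appRoles collection (Microsoft Graph).
APP_ROLES = [
    {"id": R1, "displayName": "Main Library", "isEnabled": True},
    {"id": R2, "displayName": "North Branch", "isEnabled": True},
    {"id": R3, "displayName": "South Branch", "isEnabled": False},
]
# Shape of the enterprise application's appRoleAssignedTo collection.
ASSIGNMENTS = [
    {"principalDisplayName": "alice", "appRoleId": R1},
    {"principalDisplayName": "alice", "appRoleId": R2},
    {"principalDisplayName": "bob", "appRoleId": DEFAULT_ACCESS},
    {"principalDisplayName": "carol", "appRoleId": R3},
]
# Hypothetical record of what was pasted into "+ Add New App Role" in Princh.
PRINCH_MAPPING = {R1: "Main Library", R3: "South Branch", R4: "Old Depot"}


def audit(app_roles, assignments, mapping):
    """Return (locations per user, list of findings to review)."""
    roles = {r["id"]: r for r in app_roles}
    access, findings = {}, []
    for role_id in mapping:
        if role_id not in roles:  # ID in Princh that no longer exists in Entra
            findings.append(("mapping-unknown-role", role_id))
    for role in app_roles:
        if role["id"] not in mapping:  # role created but never linked to a location
            findings.append(("role-without-location", role["displayName"]))
    for a in assignments:
        who, rid = a["principalDisplayName"], a["appRoleId"]
        if rid == DEFAULT_ACCESS:  # user added to the app with no location role
            findings.append(("assigned-without-role", who))
            continue
        if rid not in roles or not roles[rid]["isEnabled"]:
            findings.append(("disabled-or-missing-role", who))
        if rid in mapping:  # conservative: count it even if the role is flagged
            access.setdefault(who, set()).add(mapping[rid])
    return access, findings


if __name__ == "__main__":
    locations, issues = audit(APP_ROLES, ASSIGNMENTS, PRINCH_MAPPING)
    print(locations)
    print(issues)
```

Each finding is a prompt to review the configuration, not a statement about how Princh evaluates that case.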