Skip to content

Crayonic Credential Manager

A role-aware web console for Microsoft Entra ID that lets administrators and standard users manage passkeys and, optionally, legacy-app passwords through the Crayonic Agent.

CCM admin dashboard

What CCM Is

CCM is a three-tier system:

  • SPA (React browser UI) — all user and admin workflows
  • Backend (.NET 8 REST API) — Graph proxy, token issuer, audit, persistence
  • Agent (local Python service on https://localhost:17620) — device operations and WebAuthn ceremonies that browsers cannot initiate cross-origin

The tool is designed for organizations deploying passwordless authentication at scale. Non-technical users (e.g. HR) can provision passkeys once it is configured.

CCM is delivered as a hosted service. There is no end-user installer — administrators access it through a browser at the URL their organization has been provisioned with.

Feature Highlights

  • Multi-tenant support via MSAL Browser (PKCE)
  • Role-aware UI — Super Admin, Authentication Admin, Standard Admin, and Regular User views differ
  • Unified passkey view aligning Entra methods, wallet credentials, and CCM's local store with live Agent events
  • On-behalf (OBO) provisioning — create Entra FIDO2 methods via the Agent-backed hardware, with serial-number checks and duplicate warnings
  • Self-service with approvals — users can request, approve, finalize and delete their own passkeys; wallet-side creation allowed by policy
  • Device awareness — wallet list with status, capabilities, Agent health in header
  • Audit & reporting — filterable log with CCM/PWM categories and PDF export
  • Password Manager (preview) — shadow accounts (bulk CSV), connectors (AD/LDAP/SQL/SAP/custom with health tests), legacy-app detection rules, dashboard stats
  • Localization — EN, DE, FR, NL, PL, CS, SK

Video Tutorial

CCM Video Tutorial

The video walks through user creation, passkey management and the main administrative tasks.

Documentation

CCM ships with two screenshot-driven guides plus a security reference. Pick the one that matches your role:

  • End-User Manual — sign-in, My Passkeys, requesting and finalizing a passkey, approvals
  • Admin User Manual — dashboard, user search, on-behalf provisioning, wallet management, audit log, password-manager preview, system configuration
  • Security — credential handling, JWKS rotation, transport, audit and privacy details

Prerequisites

  • Modern browser (Chrome, Edge, Firefox, Brave, Safari) with WebAuthn support
  • Microsoft Entra ID account; admin actions additionally need an Entra directory role (see the Admin Manual for the role matrix)
  • For wallet operations: a Crayonic wallet connected to the local Crayonic Agent on the user's workstation
  • For self-service: an instance configured by your administrator

Deployment Notes

CCM is deployed centrally by your IT team — typically as a Docker Compose stack with the SPA, .NET backend, PostgreSQL, Redis and a TLS-terminating reverse proxy. End-points needed:

  • SPA — for example https://app.example.com
  • Backend — for example https://api.example.com
  • Agent — https://localhost:17620 on each user workstation (never exposed publicly)

For the full deployment walkthrough, contact Crayonic for the latest deployment package.

Legacy Desktop CCM

The earlier Windows desktop version of Credential Manager has been superseded by this web app. It remains available on the Downloads page for environments that have not migrated yet.