Version 1.5 — April 2026
Service Description

Alira Service Description

A descriptive overview of the Alira Software-as-a-Service platform, covering scope, capabilities, requirements, onboarding and service management. Prepared by Kocho Group Limited.

Stefan Baldey — Product Development Director
Kocho Group Limited, London
Confidentiality Notice: This document is classified as Third Party Restricted. It is provided for informational and guidance purposes only and does not create any legally binding obligations between Kocho and any third party. The contents are provided AS IS and may be subject to change without prior notice. The scope, terms, and conditions of any services shall be set out exclusively in a formal written agreement executed between Kocho and the relevant subscriber.
1

Introduction

1.1 Overview

This document sets out a descriptive overview of the Software-as-a-Service (SaaS) application, Alira, and is intended solely to provide clarity regarding the scope and objectives of the service. It does not, in itself, create any contractual rights or obligations. Specifically, this document outlines:

  • Alira description — a detailed insight into each supported module.
  • Kocho’s responsibilities — including management of the application, from onboarding through to service management and related operational activities.
  • Subscriber responsibilities — the steps and commitment required to enable setup, configuration and adoption of the SaaS application and to realise the full benefit of the services.
  • Service objectives and expectations — indicative outcomes, service levels, and other pertinent information.

1.2 Description

The Alira Portal is a cloud-native, end-user-centric resource and access management platform that streamlines visibility and control across Microsoft Entra Identity and Access Management (IAM).

Access Portal

Integrates natively with Microsoft Entra IAM, providing a centralised, intuitive interface that delivers a unified view of user entitlements — what users currently have access to, what they can request, and what they own — all in a single, cohesive workspace. Features self-service resource management, approval workflow tracking, modern responsive UI with full colour customisation, and pre-configured actionable reporting and analytics.

Licence Portal

Provides centralised visibility and governance across Microsoft 365 and third party SaaS licensing through native integration with Microsoft Entra ID. Operates as a group-orchestrated licence governance layer, delivering clear dashboards showing licence allocation, duplication, inactive and terminated users, and cost distribution — aligned to your organisational structure down to OU level.

Extended Identities

Enables organisations to securely onboard, manage, and govern guest users, internal non-HR identities, and third party accounts within Microsoft Entra ID. Guest users can be grouped into companies (or logical entities), with delegated requesters and approvers assigned to each entity. Guests are contextualised through Projects — attribute-based and mapped to any resource within the Entra-connected environment. Onboarding is delivered via a fully customised, zero-touch invitation experience.

1.3 Use Cases

Management of user access to cloud-based systems in organisations of varying sizes
Simplifying numerous and complex usage of Entra Access Packages and the Privilege Management Portal
Increasing user adoption and self-service capabilities of the Entra tech stack
Simple access to resources for a low-tech skilled user base and simpler access to complex cloud environments for engineers
Improving the New Joiner process and JML Lifecycles
Addressing high-volume 1st line administrative support tickets and delays on access and software provisioning
Terminated User risk and Non-HR Accounts management
Licence bleed-out reduction, Shadow IT control, and cost management with contextual breakdown of licence distribution

1.4 Alira Development Team

Development of the Alira SaaS Application has been undertaken with security and efficiency as the primary considerations. Kocho has applied its experience and established controls within a dedicated environment that includes:

  • Logical Security — Technical safeguards deployed in accordance with industry best practices for securing sensitive environments. Specific details are intentionally withheld for confidentiality; further details may be provided to prospective clients subject to execution of a relevant NDA.
  • Procedural Security — Documented policies and procedures implemented to ensure the secure development of the Alira SaaS Application.
  • Personnel — All Kocho personnel involved in the development and management of Alira SaaS Application are subject to a Baseline Security Check.
  • Coding Standards — Development practices follow an established coding standards framework aligned to recognised industry standards and applicable compliance frameworks including ISO 27001.
2

Requirements

2.1 Entra Licensing Requirements

Access Portal

For optimal use of Alira Access Portal features, it is recommended that subscribers maintain at least a Microsoft Entra ID P2 tenant. The following licensing SKUs are currently compatible:

  • Microsoft Entra ID P2
  • Microsoft Entra ID Governance (IG)
  • Microsoft Entra Suite
  • Enterprise Mobility + Security E5
  • Microsoft 365 E5/A5/G5
  • Microsoft 365 E5/F5/A5 Security
  • Microsoft 365 F5 Security & Compliance
Note: Use of Entra ID P1 will provide access only to the Applications (MyApps) page. More information can be found at Microsoft’s Entra Licensing Fundamentals.

Licence Portal & Extended Identities

For optimal use of these features, it is recommended that subscribers maintain at least a Microsoft Entra ID P1 tenant. The following licensing SKUs are currently compatible:

  • Microsoft Entra ID P1
  • Microsoft Entra Suite
  • Enterprise Mobility + Security E3 (EMS E3)
  • Microsoft 365 E3 / A3 / G3
  • Microsoft 365 Business Premium
Note for Extended Identities: Internal guest accounts are licensed and governed in the same way as standard member users for Entra ID capabilities. Customers must have sufficient Entra ID P1 licences to cover all internal guest accounts.

2.2 Security Requirements

For Alira SaaS Application to function as intended, either a Global Administrator or a Privileged Role Administrator within the subscriber’s Microsoft Entra tenant is required to:

  • Grant tenant-wide admin consent, and
  • Approve User consent for permissions (OAuth permissions) when logging in for the first time to Alira SaaS Application.

Certain Microsoft Entra tenants may allow any user to provide such consent, while others may have it restricted for admin approval. Details on the specific OAuth permissions are available in the Architecture Document, available on request.

2.3 Configuration Prerequisites

As a prerequisite, the following components must be present and properly configured within the subscriber’s Microsoft Entra environment to enable use of Alira SaaS Application. Subscriber clients are responsible for ensuring their Microsoft Entra environment is correctly licensed and configured.

Important: Kocho accepts no liability for misconfigurations, missing components, or changes made by Microsoft that may affect compatibility or functionality.

Access Portal

Alira FunctionEntra Requirement
ApplicationsEnterprise Applications (MyApps) — pulls all Enterprise Apps to the branded UI
RequestAccess Packages (MyAccess), Eligible and Active PIM Groups (PIM Portal and MyGroups), Eligible and Active PIM Roles (PIM Portal)
ManagePIM Groups (PIM Portal and MyGroups) Owners, Privileged Identity Management Portal, MyAccess Portal

Licence Portal

ComponentRequirement
Users & GroupsSyncing Organisation Units is recommended using Dynamic Groups (P1 Licence) to auto-populate members
User AttributesMust be pre-populated to enable accurate identification of the user’s organisation, location, and/or business unit — sole responsibility of the subscriber
LicencesThe Licence Portal retrieves licence details directly from the 365 Admin Portal. Subscriber must maintain at least 1 qualifying licensing SKU

Extended Identities

ComponentRequirement
Users & GroupsMicrosoft Entra ID Users, Groups, and Attributes. Dynamic Groups (Entra ID P1) recommended to auto-populate Companies and Projects
Applications & ResourcesAccess assignment supported only for applications and resources integrated with Microsoft Entra ID
LicensingSubscriber must maintain a Microsoft Entra ID P1 licensed tenant with sufficient coverage for all users and internal guest accounts
3

Alira Onboarding Process

3.1 Implementation Scope

The following outlines the key activities involved in onboarding the Alira SaaS Application. Kocho will use reasonable skill and care to deliver these activities efficiently while remaining flexible to accommodate the subscriber’s operational requirements.

Integration and Setup

Connecting Alira SaaS Application requires integration with the subscriber’s Entra Tenant via the configuration of Application Registrations and approving API permissions. Kocho will provide appropriate documentation to support the creation and configuration of the initial workspace and subscribed modules, and will offer one (1) onboarding call to review the setup process together with the subscriber’s team.

Subscriber Responsibilities

  • Ensure the availability of an Administrator holding Global Administrator or Privileged Role Administrator privileges to authorise the integration.
  • Maintain responsibility for the accuracy of Entra Tenant configuration, licensing allocations, and ongoing administration.

Expected Outcomes

Upon successful completion of onboarding activities:

  • A workspace will be created with the agreed licensing volumes assigned to the Alira SaaS Application.
  • An Enterprise application with Provisioning (SCIM) will be created in Microsoft Entra to enable user provisioning.
  • An application registration will be established with the appropriate API permissions configured for each subscribed module.
Note: The above describes the standard scope of implementation activities. Any additional configuration, customisation, or remediation required due to subscriber-specific environments or misconfigurations shall fall outside this scope and may be subject to additional fees, as agreed in writing.

3.2 Alira Workspace Onboarding

1

Approval of OAuth Scopes

The subscriber must approve the relevant OAuth scopes to enable its users to log into the Alira SaaS Application. Details on the specific OAuth permissions are available in the Architecture Document, available on request.

2

Workspace Creation

Establishment of the Alira workspace within the subscriber’s environment.

3

Workspace Customisation and Branding

Configuration of workspace settings to reflect the subscriber’s chosen branding.

4

Provisioning Application

Creation and connection of the provisioning application within Microsoft Entra to support user provisioning.

5

Licence Assignment

Allocation of the agreed licensing volumes to users within the workspace.

3.3 Alira Access Portal Onboarding

1

Create Application Registration

In Settings — this will automatically create the Application Registration in your Entra Tenant with the needed API permissions.

2

Approve the APIs

Approve API permissions in the Application Registration. Details on the specific OAuth permissions are available in the Architecture Document.

3

Synchronise Resources

Sync Resources from your Entra Tenant into Alira SaaS Application.

4

Assign Resources to Collections

Allocate the synchronised resources to the appropriate collections.

3.4 Alira Licence Portal Integration

1

Create Application Registration

In Settings — this will automatically create the Application Registration in your Entra Tenant with the needed API permissions.

2

Approve the APIs

Approve API permissions in the Application Registration.

3

Synchronise Resources

Sync Resources from your Entra Tenant into Alira SaaS Application.

4

Create your OU Structure

Establish the OU structure appropriate for the client’s environment.

5

Assign to OUs

Assign members, requestors, approvers, licences, and licence limits to OUs.

4

Service Management

4.1 Management of the Alira Platform

Management of the Alira SaaS Application primarily involves ongoing maintenance and development activities designed to help ensure that the application remains operational and effective. This includes:

  • Monitoring and maintaining the availability and integrity of the Alira SaaS Application.
  • Delivering bug fixes, security updates, and feature enhancements.
  • Continuous improvement and development of new features and functionalities.
  • Providing recommendations regarding Microsoft Entra configuration to optimise use of the Alira SaaS Application.
  • Providing updates on new and improved features within the Alira SaaS Application.
  • Supporting the investigation of application-related bugs.
Note: The activities described above are provided as part of standard platform management and do not extend to subscriber client-side administration, Entra Tenant configuration, or remediation of issues arising from factors outside Kocho’s control.

4.2 Security & Compliance

Certifications and supporting evidence in the form of a Trust Pack can be made available to subscriber clients upon request, subject to appropriate confidentiality obligations and an NDA in place.

ISO 27001
Cyber Essentials Plus
GDPR Aligned
SOC Monitored
Least Privilege
JIT Privileged Access

4.3 Backup and Disaster Recovery

Kocho has established backup and disaster recovery processes designed to minimise downtime and data loss in the event of a service disruption. These include:

  • Daily, encrypted backups of all production databases with geographically redundant storage and a defined retention policy.
  • Point-in-time recovery capabilities to restore data to a specific state within the defined Recovery Point Objective (RPO).
  • Containerised infrastructure, enabling rapid, automated redeployment of services to a last known good state via CI/CD pipelines.
  • Automated failover for critical components and multi-zone redundancy to support service availability.
  • Continuous monitoring and alerting to detect anomalies and trigger incident response procedures.
  • Regular third-party audits and penetration tests to validate security and resiliency controls.

4.4 Continuous Feedback

Feedback is an important and fundamental element in the ongoing development of the Alira SaaS Application. The Kocho Product team will facilitate an annual session with the subscriber to review usage, adoption, feedback, and any suggestions for improvement. Subscriber clients may also provide feedback and suggestions at any time by email to their Account Manager or directly to Alira’s Product Director.

Note: Feedback and suggestions provided by subscriber clients are voluntary and may be used by Kocho at its discretion. Kocho is under no obligation to implement any feedback or suggestion, and no intellectual property rights shall transfer to the subscriber as a result of submitting feedback.
5

Key Capabilities

The following section sets out the key features of Alira SaaS Application together with the Entra configuration requirements and the minimum tenant subscription necessary to use those features. These requirements are the responsibility of the subscriber to configure and maintain in order to enable the relevant functionality.

5.1 Access Portal

FeatureDescriptionEntra RequirementsMin. Tenant
ApplicationsDisplays all Enterprise Apps configured on Entra that the user has access toConfigured Enterprise apps with users assigned and the app marked visibleP1
RequestDisplays all Access Packages and PIM Groups configured on Entra that the user has access to, once assigned to a Collection in AliraConfigured Access Packages and PIM groups with users eligibleP2
Manage > AccessDisplays all PIM Groups a user is an Owner ofPIM Groups with assigned ownersP2
Manage > ApprovalsAll your PIM Group, PIM Roles, and Access Packages approvals in a single placePIM Groups, PIM Roles, and Access Packages (MyAccess)P2
Manage > RequestsAll your PIM Group, PIM Roles, and Access Packages requests in a single placePIM Groups, PIM Roles, and Access Packages (MyAccess)P2

5.2 Entra Enable

FeatureDescriptionEntra RequirementsMin. Tenant
Resources > ApplicationsCreates an Enterprise Application and associated group and access package, allowing all non-integrated applications to be equally represented to the end userAccess Packages (MyAccess)P2
Settings > Leaver DetectionCreates a summary email of all leavers with tagged manual or JIT applicationsEnterprise Applications and users assigned to the applicationP1

5.3 Licence Portal

FeatureDescriptionEntra RequirementsMin. Tenant
ApprovalsApprove allocation requestsN/AP1
LicencesAdd and allocate licences to OUs, create master licensing groupsLicences assigned and available in the Microsoft Admin portalP1
Organisation UnitsCreate an OU structure, view licence assignments, sync OU members, and add/remove requestors and approversSynced users and licences to AliraP1
RequestsRequest additional allocation of licences to OUsN/AP1
Dashboards > Global LicensingShows total monthly spend across all supported licences and renewal datesN/AP1
Organisation Unit DashboardsShows total monthly spend across all organisation unitsN/AP1
Terminated UsersShows all M365 Licensed Disabled Accounts with the ability to remove the licences on the portalN/AP1
Inactive UsersShows last logged on activity for all users on a tenant and can filter down by OUN/AP1
Event LogTracks changes and administrative actions from within the Alira Licence ManagerN/AP1
SettingsCreates the Application Registration with the correct API PermissionsAccess to Application RegistrationsP1

5.4 Core Features

FeatureDescriptionEntra Requirements
Settings > Branding / ColourAllows you to customise the Alira workspace to match your corporate identityN/A
RolesAllows you to customise roles and access to any page or feature in AliraN/A
Settings > Notifications > ResourceAllows you to create email and webhook event notifications for any PIM Group or Access PackageN/A
Settings > Notifications > UserGlobal settings to manage support notification types and module settingsN/A
6

Support

Kocho will provide Support Services to assist subscriber clients in their use of the Alira SaaS Application, including troubleshooting and resolution of specific issues resulting from the use of Alira on supported platforms. Standard support will include:

  • Provision of updates and upgrades (when available)
  • Meeting, email and phone support for integration and setup
  • Email support for general questions
  • Access to technical documentation

6.1 Hours of Operation

UK: Monday – Friday, 9:00–17:00 GMT, excluding bank and public holidays.

6.2 Incidents (P1 to P4)

LevelDescriptionResponse TimeResolution Time
P1 – Critical A down situation where core components of the Alira SaaS Application are non-operational and there is no known workaround. Up to 4 hours during Support hours Within 4 hours during Support hours
P2 – High A major component of the Alira SaaS Application is not functioning and no workaround is available, but the application still supports core functionality. Up to 6 hours during Support hours Within 1 Business Day during Support hours
P3 – Medium A minor component of the software is not functioning and any other case where a software feature is not operating as documented. Up to 24 hours during Support hours Within 3 Business Days during Support hours
P4 – Low Cosmetic issues, general questions. Within 5 Business Days during Support hours Miscellaneous

To qualify for the above response times, subscriber clients must cooperate with the Kocho Application Support team by providing sufficient information and reproducible results for errors reported. Resolution times are measured from the time an issue is first acknowledged by Kocho during business hours.

6.3 Feature Requests (P4)

LevelDescriptionInitial ResponseFormal Feedback
P4 A feature or function request to be added to the application. Within 5 Business Days during Support hours Within 30 Business Days during Support hours
Bespoke requirements: Requirements of a unique nature which require non-standard development will be accommodated where possible within the subscribed service level. However, following assessment, there may be an additional cost identified, which will be communicated and agreed with the client prior to the work being undertaken.

6.4 Uptime

Kocho will use commercially reasonable efforts to ensure that Alira SaaS Application achieves a Monthly Uptime Percentage of 99.9% as measured by Kocho on a quarterly basis of the Term of subscription. The Alira SaaS Application shall be considered “available” if the user is able to login and initiate a request.

Note: This uptime achievement is not a warranty and does not give rise to service credits, liquidated damages, or any other financial remedies, unless expressly provided for in a separate Service Level Agreement executed between Kocho and the subscriber client.

6.5 Support Boundaries & Exclusions

The following items are not supported and expressly excluded from support scope:

  • Operating systems and third-party applications
  • Alterations or revisions to the application made by the customer or third parties
  • Use of the Alira SaaS Application in a manner other than as authorised in the applicable licence agreement
  • Use of any software that has been announced as end of life
  • Continued support for issues where Kocho has provided corrections not yet implemented by the subscriber
  • Free Kocho software products and tools
  • Any migration services
  • Direct configuration on the subscriber’s Entra Tenant
  • Business to Consumer (Entra External ID) Identities
  • On-premise connectors (i.e. integrations directly from Alira SaaS Application to Active Directory)
  • Custom development work unless scoped in a separate SoW

6.6 Service Contact

Application Support Team

Alira.support@kocho.co.uk

Product Development Director

Stefan Baldey

stefan.baldey@kocho.co.uk

© 2026 Kocho Group Ltd · Registered in England & Wales