rn.identity connects to Microsoft Graph and Entra ID — provisioning, offboarding, license auditing and playbook automation in one CLI-first platform built for IT and security teams.
Drop a CSV or pipe an API payload and RN creates the Entra ID account, assigns licenses, configures conditional access, and fires a welcome email — all in the time it takes to make a coffee. Role templates for Engineering, Sales, Finance and custom roles are built-in and shareable across your team.
When someone leaves, RN runs a sequenced playbook — sessions revoked, account disabled, MFA cleared, mailbox converted, groups removed, license reclaimed — in the right order, every time, in under 15 seconds. Every step is auditable and every deviation is flagged.
RN audits every SKU assignment in your tenant daily. It surfaces inactive licenses, duplicate SKUs, over-provisioned accounts and licensed shared mailboxes — then reclaims them on a schedule you define. The average customer identifies recoverable spend within 48 hours of deployment.
User.ReadWrite.All, Group.ReadWrite.All. No global admin required.$ rn auth login --tenant contoso.onmicrosoft.com
Opening browser for device-code flow...
Code: HXKP4-MBZRT
URL: https://microsoft.com/devicelogin
✓ Authenticated as admin@contoso.com
✓ Scopes granted
✓ Token cached at ~/.rn/tokens/contoso.json
$ rn sync
Pulling directory from Graph API...
Users 2,847
Groups 94
Licenses 3 SKUs
✓ Sync complete in 8.1s
⚠ 31 stale accounts detected
⚠ 12 duplicate SKU assignments
$ rn playbooks list
NAME TRIGGER
──────────────────────────────
new-hire-engineer manual / webhook
new-hire-sales webhook
offboard-graceful manual
offboard-immediate manual
license-audit scheduled (Mon 08:00)
$ rn audit log --last 4
TIME ACTOR ACTION STATUS
───────────────────────────────────────────
14:22 j.park provision user OK
13:55 auto assign license OK
11:30 s.chen offboard user OK
09:14 m.webb remove group WARN
rn CLI in actionEvery dashboard action is available as a CLI command. Pipe it, script it, wire it into GitHub Actions.
# List all users with license info
$ rn users list --format table
# Search by display name or UPN
$ rn users get --upn j.smith@contoso.com
# Export stale accounts (90+ days inactive)
$ rn users list --filter stale --days 90 --output stale.csv
# Reset password and force change on next sign-in
$ rn users reset-password --upn j.smith@contoso.com --force-change
# Run graceful offboard (manager notified, mailbox converted)
$ rn offboard --upn c.ford@contoso.com --playbook offboard-graceful
# Immediate offboard (security incident — sessions revoked first)
$ rn offboard --upn c.ford@contoso.com --playbook offboard-immediate
# Dry-run to preview what will happen
$ rn offboard --upn c.ford@contoso.com --dry-run
# Bulk offboard from CSV (e.g. RIF event)
$ rn offboard --csv terminations.csv --playbook offboard-graceful
# Full audit of all SKUs
$ rn licenses audit
# Reclaim licenses — preview first
$ rn licenses reclaim --type stale,duplicate,shared-mailbox --dry-run
$ rn licenses reclaim --type stale,duplicate,shared-mailbox --confirm
# Assign specific license to user
$ rn licenses assign --upn new@contoso.com --sku M365_E3
# Export license report as HTML for stakeholders
$ rn licenses audit --format html --output report.html
# List all configured playbooks
$ rn playbooks list
# Inspect a playbook's steps
$ rn playbooks describe offboard-graceful
# Create a playbook from a YAML definition
$ rn playbooks create --file contractor-offboard.yaml
# Run a playbook manually
$ rn playbooks run license-audit --notify it@contoso.com
We offboarded 23 contractors in a single Friday afternoon. Took 4 minutes total. Used to take our team an entire day of manual PowerShell and tickets.
The audit log alone justified the purchase. Our SOC 2 auditors were impressed that every identity action had an actor, timestamp, and outcome attached to it.
Set up in 40 minutes. No PowerShell, no custom scripts, no begging the Azure team for elevated permissions. Exactly what I needed as a one-person IT department.
Free 14-day trial. No credit card. Full feature access from day one.
Identity operations should not require a PhD in PowerShell. We are fixing that.
James Thornton spent six years as an Azure Identity PM at Microsoft watching enterprise IT teams struggle with the same manual processes week after week. When he left in 2025, he called Sarah Chen — who had just wrapped up leading the MSAL SDK team — and they started building the tool they always wished existed.
rn.identity launched in January 2026. We closed our seed round in March, hired a small team of people who had all felt this pain firsthand, and shipped SOC 2 Type II in April. We are seven months old and already managing identity for 287 organizations across North America and Europe.
We believe the right answer to identity management is boring automation that works every single time.
Everyone here has been an end user of what we are building. That is not an accident.
Six years as an Azure Identity PM at Microsoft. Led the GA launch of Entra External Identities. Left in 2025 to build the tool his customers kept asking for.
Led the MSAL SDK team at Microsoft for four years. Built the token caching architecture used by millions of developers. Holds two patents on OAuth token lifecycle management.
Ten years building infrastructure at Stripe and Cloudflare before joining RN. Designed the delta-sync engine that lets us sync 50,000-user tenants in under nine minutes.
Five years as IT Director at a 4,000-person logistics company before joining RN. Has personally run offboarding for 600 plus employees using legacy tools.
OSCP certified. Previously at Microsoft MSRC researching Azure AD privilege escalation paths. Designed our minimal-permission Graph scope model and SOC 2 controls program.
Previously at Rippling managing identity product features for 18 months. Obsessed with offboarding UX and the gap between disabled in Entra and actually off all systems.
A real-feeling interactive demo. Click around — the data is fake, the UI is production.
| User | Status | License | Last Active |
|---|---|---|---|
JT James Thornton j.thornton@contoso.com | Active | M365 E3 | 2h ago |
SC Sarah Chen s.chen@contoso.com | Active | M365 E5 | 14m ago |
CF Claire Ford c.ford@contoso.com | Pending | E3 | 3d ago |
RK Ryan Kim r.kim@contoso.com | Active | M365 E3 | 1h ago |
MP Maria Park m.park@contoso.com | Inactive | M365 E3 | 97d ago |
rn CLIInstall once. Automate everything. Works anywhere a shell does.
$ brew tap rn-identity/tap
$ brew install rn
$ rn --version
rn v2.5.0$ npm install -g @rn-identity/cli
$ rn --version
rn v2.5.0PS> winget install RNIdentity.CLI
PS> rn --version
rn v2.5.0$ docker pull ghcr.io/rn-identity/cli:latest
$ docker run --rm -v ~/.rn:/root/.rn ghcr.io/rn-identity/cli:latest rn --version
rn v2.5.0# Device-code login (recommended for interactive use)
$ rn auth login --tenant contoso.onmicrosoft.com
# Service principal login (for CI/CD)
$ rn auth login --tenant contoso.onmicrosoft.com --client-id $CLIENT_ID --client-secret $CLIENT_SECRET
# Show current authentication status
$ rn auth status
# Revoke cached tokens
$ rn auth logout# List all users
$ rn users list --format table
# Get a specific user
$ rn users get --upn j.smith@contoso.com
# Provision a single user
$ rn provision --upn a.rivera@contoso.com --template engineering
# Provision from CSV
$ rn provision --csv new-hires.csv --template engineering
# List stale accounts (90+ days inactive)
$ rn users list --filter stale --days 90# Graceful offboard (manager notified, mailbox converted)
$ rn offboard --upn c.ford@contoso.com --playbook offboard-graceful
# Immediate offboard (security incident — sessions first)
$ rn offboard --upn c.ford@contoso.com --playbook offboard-immediate
# Preview what will happen without executing
$ rn offboard --upn c.ford@contoso.com --dry-run
# Bulk offboard from a CSV of UPNs
$ rn offboard --csv terminations.csv --playbook offboard-graceful# Full tenant license audit
$ rn licenses audit
# Reclaim stale and duplicate licenses (preview first)
$ rn licenses reclaim --type stale,duplicate,shared-mailbox --dry-run
$ rn licenses reclaim --type stale,duplicate,shared-mailbox --confirm
# Export license report as HTML
$ rn licenses audit --format html --output license-report.html
# Assign a license SKU to a user
$ rn licenses assign --upn new@contoso.com --sku M365_E3We ship every two weeks. Everything we change, we document.
All plans include a 14-day free trial with full feature access. No credit card required.
Everything a small IT team needs to get identity operations off spreadsheets and scripts.
For growing IT teams that need full automation, compliance exports, and priority support.
For large organizations that need SLAs, SSO, and a dedicated point of contact.
SOC 2 Type II certified. Minimal Graph scopes. No user data stored on RN servers. Report available on request.
Starter gets email support with 24h response. Pro gets priority with 4h response. Enterprise gets dedicated Slack Connect.
Monthly and annual billing available. Annual plans save 20%. Invoiced billing available on Enterprise.
Technical writing from the people building rn.identity. No vendor fluff.
Free trial questions, security reviews, or just want to talk identity. We respond fast.
Starter: 24 hours. Pro: 4 hours. Enterprise: dedicated Slack Connect. Free trial inquiries always same day.