Azure-Samples
diff --git a/‎.azdo/pipelines/azure-dev.yml‎
Lines changed: 2 additions & 0 deletions b/‎.azdo/pipelines/azure-dev.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/azure-dev.yml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/azure-dev.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎app/backend/app.py‎
Lines changed: 4 additions & 0 deletions b/‎app/backend/app.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎app/backend/core/authentication.py‎
Lines changed: 23 additions & 9 deletions b/‎app/backend/core/authentication.py‎
Lines changed: 23 additions & 9 deletions
diff --git a/‎app/frontend/src/authConfig.ts‎
Lines changed: 6 additions & 0 deletions b/‎app/frontend/src/authConfig.ts‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎app/frontend/src/components/QuestionInput/QuestionInput.tsx‎
Lines changed: 3 additions & 3 deletions b/‎app/frontend/src/components/QuestionInput/QuestionInput.tsx‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎azure.yaml‎
Lines changed: 1 addition & 0 deletions b/‎azure.yaml‎
Lines changed: 1 addition & 0 deletions
@@ -89,6 +89,8 @@ steps:
       AZURE_KEY_VAULT_NAME: $(AZURE_KEY_VAULT_NAME)
       AZURE_USE_AUTHENTICATION: $(AZURE_USE_AUTHENTICATION)
       AZURE_ENFORCE_ACCESS_CONTROL: $(AZURE_ENFORCE_ACCESS_CONTROL)
+      AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS: $(AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS)
+      AZURE_ENABLE_UNAUTHENTICATED_ACCESS: $(AZURE_ENABLE_UNAUTHENTICATED_ACCESS)
       AZURE_TENANT_ID: $(AZURE_TENANT_ID)
       AZURE_AUTH_TENANT_ID: $(AZURE_AUTH_TENANT_ID)
       AZURE_SERVER_APP_ID: $(AZURE_SERVER_APP_ID)
 
@@ -76,6 +76,8 @@ jobs:
       AZURE_KEY_VAULT_NAME: ${{ vars.AZURE_KEY_VAULT_NAME }}
       AZURE_USE_AUTHENTICATION: ${{ vars.AZURE_USE_AUTHENTICATION }}
       AZURE_ENFORCE_ACCESS_CONTROL: ${{ vars.AZURE_ENFORCE_ACCESS_CONTROL }}
+      AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS: ${{ vars.AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS }}
+      AZURE_ENABLE_UNAUTHENTICATED_ACCESS: ${{ vars.AZURE_ENABLE_UNAUTHENTICATED_ACCESS }}
       AZURE_AUTH_TENANT_ID: ${{ vars.AZURE_AUTH_TENANT_ID }}
       AZURE_SERVER_APP_ID: ${{ vars.AZURE_SERVER_APP_ID }}
       AZURE_CLIENT_APP_ID: ${{ vars.AZURE_CLIENT_APP_ID }}
 
@@ -328,6 +328,8 @@ async def setup_clients():
     AZURE_TENANT_ID = os.getenv("AZURE_TENANT_ID")
     AZURE_USE_AUTHENTICATION = os.getenv("AZURE_USE_AUTHENTICATION", "").lower() == "true"
     AZURE_ENFORCE_ACCESS_CONTROL = os.getenv("AZURE_ENFORCE_ACCESS_CONTROL", "").lower() == "true"
+    AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS = os.getenv("AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS", "").lower() == "true"
+    AZURE_ENABLE_UNAUTHENTICATED_ACCESS = os.getenv("AZURE_ENABLE_UNAUTHENTICATED_ACCESS", "").lower() == "true"
     AZURE_SERVER_APP_ID = os.getenv("AZURE_SERVER_APP_ID")
     AZURE_SERVER_APP_SECRET = os.getenv("AZURE_SERVER_APP_SECRET")
     AZURE_CLIENT_APP_ID = os.getenv("AZURE_CLIENT_APP_ID")
@@ -390,6 +392,8 @@ async def setup_clients():
         client_app_id=AZURE_CLIENT_APP_ID,
         tenant_id=AZURE_AUTH_TENANT_ID,
         require_access_control=AZURE_ENFORCE_ACCESS_CONTROL,
+        enable_global_documents=AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS,
+        enable_unauthenticated_access=AZURE_ENABLE_UNAUTHENTICATED_ACCESS,
     )
 
     if USE_USER_UPLOAD:
 
@@ -41,6 +41,8 @@ def __init__(
         client_app_id: Optional[str],
         tenant_id: Optional[str],
         require_access_control: bool = False,
+        enable_global_documents: bool = False,
+        enable_unauthenticated_access: bool = False,
     ):
         self.use_authentication = use_authentication
         self.server_app_id = server_app_id
@@ -62,18 +64,23 @@ def __init__(
             field_names = [field.name for field in search_index.fields] if search_index else []
             self.has_auth_fields = "oids" in field_names and "groups" in field_names
             self.require_access_control = require_access_control
+            self.enable_global_documents = enable_global_documents
+            self.enable_unauthenticated_access = enable_unauthenticated_access
             self.confidential_client = ConfidentialClientApplication(
                 server_app_id, authority=self.authority, client_credential=server_app_secret, token_cache=TokenCache()
             )
         else:
             self.has_auth_fields = False
             self.require_access_control = False
+            self.enable_global_documents = True
+            self.enable_unauthenticated_access = True
 
     def get_auth_setup_for_client(self) -> dict[str, Any]:
         # returns MSAL.js settings used by the client app
         return {
             "useLogin": self.use_authentication,  # Whether or not login elements are enabled on the UI
-            "requireAccessControl": self.require_access_control,  # Whether or not access control is required to use the application
+            "requireAccessControl": self.require_access_control,  # Whether or not access control is required to access documents with access control lists
+            "enableUnauthenticatedAccess": self.enable_unauthenticated_access,  # Whether or not the user can access the app without login
             "msalConfig": {
                 "auth": {
                     "clientId": self.client_app_id,  # Client app id used for login
@@ -150,17 +157,24 @@ def build_security_filters(self, overrides: dict[str, Any], auth_claims: dict[st
             else None
         )
 
-        # If only one security filter is specified, return that filter
+        # If only one security filter is specified, use that filter
         # If both security filters are specified, combine them with "or" so only 1 security filter needs to pass
         # If no security filters are specified, don't return any filter
+        security_filter = None
         if oid_security_filter and not groups_security_filter:
-            return oid_security_filter
+            security_filter = f"{oid_security_filter}"
         elif groups_security_filter and not oid_security_filter:
-            return groups_security_filter
+            security_filter = f"{groups_security_filter}"
         elif oid_security_filter and groups_security_filter:
-            return f"({oid_security_filter} or {groups_security_filter})"
-        else:
-            return None
+            security_filter = f"({oid_security_filter} or {groups_security_filter})"
+
+        # If global documents are allowed, append the public global filter
+        if self.enable_global_documents:
+            global_documents_filter = "(not oids/any() and not groups/any())"
+            if security_filter:
+                security_filter = f"({security_filter} or {global_documents_filter})"
+
+        return security_filter
 
     @staticmethod
     async def list_groups(graph_resource_access_token: dict) -> list[str]:
@@ -230,12 +244,12 @@ async def get_auth_claims_if_enabled(self, headers: dict) -> dict[str, Any]:
             return auth_claims
         except AuthError as e:
             logging.exception("Exception getting authorization information - " + json.dumps(e.error))
-            if self.require_access_control:
+            if self.require_access_control and not self.enable_unauthenticated_access:
                 raise
             return {}
         except Exception:
             logging.exception("Exception getting authorization information")
-            if self.require_access_control:
+            if self.require_access_control and not self.enable_unauthenticated_access:
                 raise
             return {}
 
 
@@ -17,6 +17,8 @@ interface AuthSetup {
     useLogin: boolean;
     // Set to true if access control is enforced by the application
     requireAccessControl: boolean;
+    // Set to true if the application allows unauthenticated access (only applies for documents without access control)
+    enableUnauthenticatedAccess: boolean;
     /**
      * Configuration object to be passed to MSAL instance on creation.
      * For a full list of MSAL.js configuration parameters, visit:
@@ -64,6 +66,10 @@ export const useLogin = authSetup.useLogin;
 
 export const requireAccessControl = authSetup.requireAccessControl;
 
+export const enableUnauthenticatedAccess = authSetup.enableUnauthenticatedAccess;
+
+export const requireLogin = requireAccessControl && !enableUnauthenticatedAccess;
+
 /**
  * Configuration object to be passed to MSAL instance on creation.
  * For a full list of MSAL.js configuration parameters, visit:
 
@@ -3,7 +3,7 @@ import { useMsal } from "@azure/msal-react";
 import { Stack, TextField } from "@fluentui/react";
 import { Button, Tooltip, Field, Textarea } from "@fluentui/react-components";
 import { Send28Filled } from "@fluentui/react-icons";
-import { isLoggedIn, requireAccessControl } from "../../authConfig";
+import { isLoggedIn, requireLogin } from "../../authConfig";
 
 import styles from "./QuestionInput.module.css";
 
@@ -50,8 +50,8 @@ export const QuestionInput = ({ onSend, disabled, placeholder, clearOnSend, init
     };
 
     const { instance } = useMsal();
-    const disableRequiredAccessControl = requireAccessControl && !isLoggedIn(instance);
-    const sendQuestionDisabled = disabled || !question.trim() || disableRequiredAccessControl;
+    const disableRequiredAccessControl = requireLogin && !isLoggedIn(instance);
+    const sendQuestionDisabled = disabled || !question.trim() || requireLogin;
 
     if (disableRequiredAccessControl) {
         placeholder = "Please login to continue...";
 
@@ -70,6 +70,7 @@ pipeline:
       - AZURE_KEY_VAULT_NAME
       - AZURE_USE_AUTHENTICATION
       - AZURE_ENFORCE_ACCESS_CONTROL
+      - AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS
       - AZURE_AUTH_TENANT_ID
       - AZURE_SERVER_APP_ID
       - AZURE_CLIENT_APP_ID