azure-search-openai-demo
Application Roles for Role Based Authorization
Hi, maybe it's possible I'm missing something, but it looks like the current authorization does allow you to limit access to users within your tenant, but has no way to restrict it to specific users or user groups.
Best I can tell, the way to implement this would be to add app roles to the app registration and check for those roles in the access. There are two app registrations, but one has defined a scope 'access_as_user', so it would make sense to check roles in the same app registration.
This would mean something like the following:
- Add an AZURE_ENABLE_ROLE_BASED_AUTHENTICATION or something to the environment variables.
- Add a 'user' app role to the Server app registration in scripts/auth_init.py
- Check for existence of this role in the AuthenticationHelper
As far as I can tell, this would allow administrators to assign this role to the relevant users, and it should deny access to everyone else.
Is this the right way to do this? Does a way to achieve the same result already exist or are there plans to add it to this repo?
We have a mechanism already to restrict document access from the RAG flow based off oids/groups, but I assume you want to restrict access to the app as a whole, correct?
We use both built-in auth on Container Apps and our own custom auth checking mechanisms. It looks like built-in auth does not have particular support for restricting access based on roles, so you would need to implement the access check using the backend AuthenticationHelper class. What you described in your proposal sounds like it should work.
You would then need to verify whether the restricted user experience is what you wanted; you may want to code up a custom blocked screen, so that they wouldn't see the UI at all.
It could be a good feature to add generally to the repository, if it can be enabled via azd environment variables optionally, if you wanted to share the code changes publicly.
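One way the role gate proposed in the question (and endorsed in the reply above) could look in the backend, as an added example that is not code from azure-search-openai-demo or its AuthenticationHelper. It assumes the Server app registration has a 'user' app role, that the claims handed to the check have already been validated (signature, issuer, audience, expiry) by the existing token validation, and that the gate is toggled by an environment variable named AZURE_ENABLE_ROLE_BASED_AUTHENTICATION, the name suggested in the issue rather than one the repository defines. The sample token is constructed and unsigned, for inspection only.

```python
"""Added example (not project code): gate app access on an Entra ID app role.

Assumptions (not taken from the repository):
- The Server app registration defines an app role with value 'user'.
- Claims passed to has_required_role() were already validated upstream.
- AZURE_ENABLE_ROLE_BASED_AUTHENTICATION="true" turns the gate on.
"""
import base64
import json
import os
from typing import Any, Dict, Mapping, Optional

REQUIRED_APP_ROLE = "user"  # assumed app role value on the Server registration
ENV_FLAG = "AZURE_ENABLE_ROLE_BASED_AUTHENTICATION"  # name proposed in the issue


def role_check_enabled(env: Optional[Mapping[str, str]] = None) -> bool:
    """The gate is opt-in: only an explicit 'true' (any case) turns it on."""
    source = os.environ if env is None else env
    return source.get(ENV_FLAG, "").strip().lower() == "true"


def decode_payload_unverified(token: str) -> Dict[str, Any]:
    """Read the claims segment of a compact JWT WITHOUT verifying it.

    For inspection and tests only. In the app, authorization decisions must
    use claims the existing token validation has already verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_required_role(claims: Mapping[str, Any], required: str = REQUIRED_APP_ROLE) -> bool:
    """True iff the validated claims carry the required app role.

    Entra ID emits assigned app roles in the 'roles' claim as a list of
    strings. A missing or malformed claim counts as 'no roles', i.e. deny.
    """
    roles = claims.get("roles")
    if not isinstance(roles, list):
        return False
    return any(isinstance(r, str) and r == required for r in roles)


def authorize(claims: Mapping[str, Any], env: Optional[Mapping[str, str]] = None) -> bool:
    """Combined decision: allow when the gate is off, else require the role."""
    if not role_check_enabled(env):
        return True
    return has_required_role(claims)


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, unsigned (alg=none) JWT purely for the demo."""
    def seg(obj: Dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Constructed sample: a user who has been assigned the 'user' app role.
    token = make_unsigned_token({"oid": "constructed-oid", "roles": ["user"]})
    claims = decode_payload_unverified(token)
    on = {ENV_FLAG: "true"}
    print("gate on, has role  ->", authorize(claims, on))          # True
    print("gate on, no role   ->", authorize({"oid": "x"}, on))   # False
    print("gate off, no role  ->", authorize({"oid": "x"}, {}))   # True
```

Note that the deny-by-default handling of a missing or non-list `roles` claim is deliberate: a user who has not been assigned the role gets a token with no `roles` claim at all, so treating "absent" as "allowed" would defeat the gate.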