You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/search/search-document-level-access-overview.md
+16-16Lines changed: 16 additions & 16 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -19,46 +19,46 @@ Document-level access helps restrict content visibility to authorized users, bas
19
19
20
20
Azure AI Search provides document-level access control in the following ways:
21
21
22
-
### 1. Native support for integration with Microsoft ENTRA-based POSIX-style Access Control List (ACL) systems (preview)
22
+
### 1. Native support for integration with Microsoft Entra-based POSIX-style Access Control List (ACL) systems (preview)
23
23
24
-
#### During data ingestion process
25
-
Azure AI Search enables you to push document permissions directly into the search index alongside the content, enabling consistent application of access rules at query time. This is achieved in two ways:
24
+
#### Retrieving permissions metadata during data ingestion process
25
+
Azure AI Search enables you to push document permissions directly into the search index alongside the content, enabling consistent application of access rules at query time. This capability is achieved in two ways:
26
26
27
27
**a. REST API and SDK integration**
28
-
You can use the [REST API](/rest/api/searchservice/operation-groups?view=rest-searchservice-2025-05-01-preview) or supported SDKs to [push documents and their associated permission metadata](search-index-access-control-lists-and-rbac-push-api.md)into the search index. This approach is ideal for systems with [Microsoft ENTRA](/entra/fundamentals/what-is-entra)-based [Access Control Lists (ACLs)](/azure/storage/blobs/data-lake-storage-access-control) and [Role-based access control (RBAC) roles](/azure/role-based-access-control/overview), such as [Azure Data Lake Storage (ADLS) Gen2](/azure/storage/blobs/data-lake-storage-introduction). By embedding ACLs and RBAC container metadata within the index, developers can reduce the need for custom security trimming logic during query execution.
28
+
You can use the [REST API](/rest/api/searchservice/operation-groups) or supported SDKs to [push documents and their associated permission metadata](search-index-access-control-lists-and-rbac-push-api.md)into the search index. This approach is ideal for systems with [Microsoft Entra](/Entra/fundamentals/what-is-Entra)-based [Access Control Lists (ACLs)](/azure/storage/blobs/data-lake-storage-access-control) and [Role-based access control (RBAC) roles](/azure/role-based-access-control/overview), such as [Azure Data Lake Storage (ADLS) Gen2](/azure/storage/blobs/data-lake-storage-introduction). By embedding ACLs and RBAC container metadata within the index, developers can reduce the need for custom security trimming logic during query execution.
29
29
30
30
**b. Built-in ADLS Gen2 indexers**
31
31
If you're using ADLS Gen2 as your data source, [Azure AI Search's built-in indexer](search-indexer-access-control-lists-and-role-based-access.md) simplify data ingestion. This indexer pulls ACLs and RBAC roles at container level during the data ingestion process, enabling a low/no-code workflow for managing document-level permissions.
32
32
33
-
#### At query time
34
-
With native [token-based querying](https://aka.ms/azs-query-preserving-permissions), Azure AI Search validates a user's [Microsoft ENTRA token](/entra/identity/devices/concept-tokens-microsoft-entra-id) to enforce ACLs and RBAC roles automatically. This functionality helps trim result sets to include only documents the user is authorized to access. You can achieve this by attaching the user's ENTRA token to your query request: No additional custom filter logic is required.
33
+
#### Enforcing document-level permissions at query time
34
+
With native [token-based querying](https://aka.ms/azs-query-preserving-permissions), Azure AI Search validates a user's [Microsoft Entra token](/Entra/identity/devices/concept-tokens-microsoft-Entra-id) to enforce ACLs and RBAC roles automatically. This functionality helps trim result sets to include only documents the user is authorized to access. You can achieve this by attaching the user's Microsot Entra token to your query request.
35
35
36
36
37
37
### 2. Security trimming via filters
38
38
39
-
For scenarios where native ACL and RBAC integration isn't supported, Azure AI Search enables [security trimming using query filters](search-security-trimming-for-azure-search.md). By creating a field in the index to represent user or group identities, you can use the filters to include or exclude documents from query results based on those identities. This approach is useful for systems with custom access models or non-Microsoft ENTRA-based security frameworks.
39
+
For scenarios where native ACL and RBAC integration isn't supported, Azure AI Search enables [security trimming using query filters](search-security-trimming-for-azure-search.md). By creating a field in the index to represent user or group identities, you can use the filters to include or exclude documents from query results based on those identities. This approach is useful for systems with custom access models or non-Microsoft Entra-based security frameworks.
40
40
41
41
## Benefits of document-level access control
42
42
43
43
Document-level access control is critical for safeguarding sensitive information in AI-driven applications. It helps organizations build systems that align with their access policies, reducing the risk of exposing unauthorized or confidential data. By integrating access rules directly into the search pipeline, AI systems can provide responses grounded in secure and authorized information.
44
-
45
-
By offloading permission enforcement to Azure AI Search, developers can focus on building high-quality retrieval and ranking systems without the complexity of managing nested groups, custom filter logic, or manual security trimming. This reduces development time and allows teams to prioritize user experience and application functionality.
46
-
47
-
Document-level permissions in Azure AI Search provide a structured framework for enforcing access controls that align with organizational policies. By leveraging Microsoft ENTRA-based ACLs and RBAC roles, organizations can create systems that support audit-ready compliance and promote trust among users. These built-in capabilities reduce the need for custom coding, offering a standardized approach to document-level security.
44
+
45
+
By offloading permission enforcement to Azure AI Search, developers can focus on building high-quality retrieval and ranking systems. This approach helps reducing the need to handle nested groups, write custom filters, or manually trim search results.
46
+
47
+
Document-level permissions in Azure AI Search provide a structured framework for enforcing access controls that align with organizational policies. By using Microsoft Entra-based ACLs and RBAC roles, organizations can create systems that support robust compliance and promote trust among users. These built-in capabilities reduce the need for custom coding, offering a standardized approach to document-level security.
48
48
49
49
## Reference documents
50
50
51
51
To help you dive deeper into document-level access control in Azure AI Search, here’s a table of key resources:
52
52
53
-
|Topic| Reference |
54
-
|-------|-------------|------|
53
+
|Functionality| Reference |
54
+
|-------|-------------|
55
55
|**Index permissions using REST API**| Using the REST API to push permission metadata into the search index. |[Index permissions using REST API](search-index-access-control-lists-and-rbac-push-api.md)|
56
-
|**Index ADLS Gen2 permissions metadata using built-in indexers**| Using built-in ADLS Gen2 indexer to ingest ACLs and RBAC role metadata during data crawling. |[Index permissions using ADLS Gen2 idexer](search-indexer-access-control-lists-and-role-based-access.md)|
57
-
|**Query using ENTRA token-based permissions**| Using a Microsoft ENTRA token to enforce ACL and RBAC permissions at query time. |[Query using ENTRA token-based permissions](https://aka.ms/azs-query-preserving-permissions)|
56
+
|**Index ADLS Gen2 permissions metadata using built-in indexers**| Using built-in ADLS Gen2 indexer to ingest ACLs and RBAC role metadata during data crawling. |[Index permissions using ADLS Gen2 indexer](search-indexer-access-control-lists-and-role-based-access.md)|
57
+
|**Query using Microsoft Entra token-based permissions**| Using a Microsoft Entra token to enforce ACL and RBAC permissions at query time. |[Query using Microsoft Entra token-based permissions](https://aka.ms/azs-query-preserving-permissions)|
58
58
|**Security trimming via filters**| Trim search results based on user or group identity. |[Security trimming via filters](search-security-trimming-for-azure-search.md)|
59
59
60
60
61
61
62
62
## Next steps
63
63
64
-
-[Tutorial: Index ADLS Gen2 permissions metadata](https://learn.microsoft.com/en-us/azure/search/search-security-trimming-for-azure-search)
64
+
-[Tutorial: Index ADLS Gen2 permissions metadata](search-security-trimming-for-azure-search.md)
0 commit comments