[Enhancement]: Group Permission automatic sync with Entra inconsistency

[ronniekolk]

What features would you like to see added?

Regarding to the pull Request: #7804

Hello, this is a really great feature that we've been waiting for in our company for a long time. Now everything is ready to use with the Entra user and group search.

But there might be a problem:

I've added a group permission for an agent. All users in the group have immediate access to this agent.

I then add more people to the group in Entra or use dynamic groups in Entra. Regardless of whether the user refreshes the page, re-logs, or something similar, they don't get access.

However, if I then grant permission for this group in another agent, it seems to pull all users again. From then on, the user sees all agents who have permissions with the group.

More details

So it seems that it only transfers users when I assign a new permission?

Did we miss something in the configuration, or is this the current development state?

Of course, it would be desirable for all changes in Entra to also be valid in LibreChat, so that, as with everything in One Identity, I only maintain things in Entra (adding or removing users) and this is then carried over to LibreChat.

Which components are impacted by your request?

General

Pictures

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

This feature is not officially released yet, can you document your steps on how you setup Entra exactly? And which branch are you testing? Thanks.

[ronniekolk]

Hi,

we use the dev-temp Branch in our Test System, cause of the Implementation of the People & Group Search in Entra to not share every Agent with the whole Company and the Sharepoint File Picker eg.

I Configured the App Registration with the needed Grap API rights (just the four with the Arrows), the Rest is for Sharepoint and Basic OAuth

The Permissions MUST be delegated.

In the .env we configured the Parameters Jordi also Posted here -> #7804 (comment)

USE_ENTRA_ID_FOR_PEOPLE_SEARCH=true => Enrich local user / group search with results from entra id
OPENID_GRAPH_SCOPES=User.Read,People.Read,GroupMember.Read.All,User.ReadBasic.All (needed graph api scope to be able to execute graph api calls)
!important! Reuse openid connect auth token feature must be activated.

[ronniekolk]

Another Question. We got actually about 7500 Users and 5000 Groups.

The Problem is that there are many technical Users & Groups and also many Admins eg. All these Users shouldnt be seen oder selected by the Users. Also all these Technical Groups in the Selection.

What about the Idea to put some Additional Filter Paramters into the .env.

ADDITONAL_ENTRA_USER_SEARCH_FILTER : [Additional Filter]
ADDITONAL_ENTRA_GROUP_SEARCH_FILTER : [Additional Filter]

So these Paramters will be Added to the Rest of the Call in the Backend in the GraphApiService.js in Filter ?

// Reason: Search only for OrganizationUser (person) type, not groups
const filter = "personType/subclass eq 'OrganizationUser'";

let apiCall = graphClient
  .api('/me/people')
  .search(`"${query}"`)
  .select(
    'id,displayName,givenName,surname,userPrincipalName,jobTitle,department,companyName,scoredEmailAddresses,personType,phones',
  )
  .header('ConsistencyLevel', 'eventual')
  **.filter(filter)**
  .top(limit);

[danny-avila]

There are feature-flags for LibreChat to enable who has access to search principals and if so, which principal types (users, groups, roles).

This is not documented and subject to change, so I will not be sharing this at the moment.

[ronniekolk]

Did I understand that correctly? This addresses who can use the search. Our idea is that anyone with a good agent can share it with one, some, or all. This way, everyone should be able to search, but not all users, such as administrators, technical users, or technical groups. This is why we're talking about filter options.

[danny-avila]

Disclaimer: The reason I ask is that we have rebased the dev-temp many times over, so please try on the latest version. Note, that branch is not meant to be used at the moment, as database schemas may change. Use at your own discretion. Also it breaks existing agents that were shared before the branch's changes, did you run the migrate script at all?

That said, I do not believe that automatic sync with Entra groups is implemented or planned at the moment. This would require continual syncing of shared resources and updating principals. I think you would have to manually share the agent again to the group any time the group is updated.

I will have the people who first implemented look at this comment to confirm.