Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
This feature is currently in public preview. This preview is provided without a service-level agreement and isn't recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Starting in 2025-05-01-preview, you can now include RBAC scope alongside document ingestion in Azure AI Search and use those permissions to control access to search results.
You can use the push APIs to upload and index content and permission metadata manually see Indexing Permissions using the push REST API, or you can use an indexer to automate data ingestion. This article focuses on the indexer approach.
The indexer approach is built on this foundation:
Role-based access control (Azure RBAC). There's no support for Attribute-based access control (Azure ABAC).
An Azure AI Search indexer for Blob that retrieves and ingests data and metadata, including permission filters. To get permission filter support, you must use the 2025-05-01-preview REST API or a prerelease package of an Azure SDK that supports the feature.
An index in Azure AI Search containing the ingested documents and corresponding permissions. Permission metadata is stored as fields in the index. To set up queries that respect the permission filters, you must use the 2025-05-01-preview REST API or a prerelease package of an Azure SDK that supports the feature.
Prerequisites
Microsoft Entra ID authentication and authorization. Services and apps must be in the same tenant. Role assignments are used for each authenticated connection.
Azure AI Search, any region, but you must have a billable tier (basic and higher) see Service limits for managed identity support. The search service must be configured for role-based access and it must have a managed identity (either system or user).
Limitations
- The following indexer features don't support permission preservation capabilities but are otherwise operational for Azure Blob content-only indexing:
- One-to-many parsing modes, such as:
delimitedText,jsonArray,jsonLines, andmarkdownwith sub-modeoneToMany
- One-to-many parsing modes, such as:
Authorization
For indexer execution, your search service identity must have Storage Blob Data Reader permission see Connect to Azure Storage using a managed identity.
Configure Azure AI Search for indexing permission filters
Recall that the search service must have:
Authorization
For indexer execution, the client issuing the API call must have Search Service Contributor permission to create objects, Search Index Data Contributor permission to perform data import, and Search Index Data Reader to query an index see Connect to Azure AI Search using roles.
Indexing permission metadata
In Azure AI Search, configure an indexer, data source, and index to pull permission metadata from blobs.
Configure the data source
Data Source type must be
azureblob.Data source must have
indexerPermissionOptionswithrbacScope.For
rbacScope, configure the connection string with managed identity format.For connection strings using a user-assigned managed identity, you must also specify the
identityproperty.
JSON example with system managed identity:
{
"name" : "my-blob-datasource",
"type": "azureblob",
"indexerPermissionOptions": ["rbacScope"],
"credentials": {
"connectionString": "ResourceId=/subscriptions/<your subscription ID>/resourceGroups/<your resource group name>/providers/Microsoft.Storage/storageAccounts/<your storage account name>/;"
},
"container": {
"name": "<your container name>",
"query": "<optional-query>"
}
}
JSON schema example with a user-managed identity in the connection string:
{
"name" : "my-blob-datasource",
"type": "azureblob",
"indexerPermissionOptions": ["rbacScope"],
"credentials": {
"connectionString": "ResourceId=/subscriptions/<your subscription ID>/resourceGroups/<your resource group name>/providers/Microsoft.Storage/storageAccounts/<your storage account name>/;"
},
"container": {
"name": "<your container name>",
"query": "<optional-query>"
},
"identity": {
"@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity",
"userAssignedIdentity": "/subscriptions/{subscription-ID}/resourceGroups/{resource-group-name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-assigned-managed-identity-name}"
}
}
Create permission fields in the index
In Azure AI Search, make sure your index contains field definitions for the permission metadata. Permission metadata can be indexed when indexerPermissionOptions is specified in the data source definition.
Recommended schema attributes RBAC Scope:
- RBAC scope field with
rbacScopepermissionFilter value. - Property
permissionFilterOptionto enable filtering at querying time. - Use string fields for permission metadata
- Set
filterableto true on all fields.
Notice that retrievable is false. You can set it true during development to verify permissions are present, but remember to set to back to false before deploying to a production environment.
JSON schema example:
{
...
"fields": [
...
{
"name": "RbacScope",
"type": "Edm.String",
"permissionFilter": "rbacScope",
"filterable": true,
"retrievable": false
}
],
"permissionFilterOption": "enabled"
}
Configure the indexer
Field mappings within an indexer set the data path to fields in an index. Target and destination fields that vary by name or data type require an explicit field mapping. The following metadata fields in Azure Blob might need field mappings if you vary the field name:
- metadata_rbac_scope (
Edm.String) - the container RBAC scope.
Specify fieldMappings in the indexer to route the permission metadata to target fields during indexing.
JSON schema example:
{
...
"fieldMappings": [
{ "sourceFieldName": "metadata_rbac_scope", "targetFieldName": "RbacScope" }
]
}
Deletion tracking
To effectively manage blob deletion, ensure that you have enabled deletion tracking before your indexer runs for the first time. This feature allows the system to detect deleted blobs from your source and have them deleted from the index.