Azure Entra ID

Sync Azure Entra ID users, groups, and departments to Gateco for Microsoft-stack RAG access control.

Azure Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity platform. Gateco integrates with Entra ID via the Microsoft Graph API, syncing users, groups, and profile attributes to power principal-based retrieval policies.

Entra ID department values are synced to Gateco principal attributes, enabling ABAC policies based on department. Department values are normalized to lowercase during sync for consistent policy matching — policy conditions must also use lowercase values.

Group membership in Entra ID (security groups, Microsoft 365 groups) is synced to Gateco's principal groups array. Policy conditions like principal.groups contains "engineering" evaluate against the synced group names.

SCIM v2 provisioning via Entra ID's enterprise application SCIM connector is available on Growth+ plans. Entra ID can push user create/update/deactivate events to the Gateco SCIM endpoint in real time.

Sample policy

{
  "name": "Entra department access",
  "effect": "allow",
  "rules": [{
    "conditions": [
      {"field": "principal.department", "operator": "in", "value": ["finance", "accounting"]},
      {"field": "resource.classification", "operator": "in", "value": ["internal", "restricted", "public"]}
    ]
  }],
  "selectors": [{}]
}

Policy conditions reference resource.* and principal.* fields.
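To show how the sample policy behaves against a synced principal, and why the lowercase rule matters, here is a small evaluator added for this page. It is not Gateco code: the policy JSON is the page's sample, while the sync step, the "in" and "contains" operator semantics and the sample user are assumptions made for the illustration.

```python
# Minimal evaluator for the condition shapes shown on this page ("in" over a scalar
# attribute, "contains" over the principal.groups array). Assumed behaviour, not Gateco's.

SAMPLE_POLICY = {
    "name": "Entra department access",
    "effect": "allow",
    "rules": [{"conditions": [
        {"field": "principal.department", "operator": "in", "value": ["finance", "accounting"]},
        {"field": "resource.classification", "operator": "in", "value": ["internal", "restricted", "public"]},
    ]}],
    "selectors": [{}],
}

def sync_principal(graph_user, group_names):
    """Model the sync step described above: the Entra 'department' value is lowercased,
    group names are copied into the principal.groups array as-is (assumed behaviour)."""
    department = (graph_user.get("department") or "").strip().lower()
    return {"department": department, "groups": list(group_names)}

def lookup(field, principal, resource):
    scope, _, attr = field.partition(".")  # "principal.department" -> ("principal", "department")
    return {"principal": principal, "resource": resource}[scope].get(attr)

def condition_holds(cond, principal, resource):
    actual, op, expected = lookup(cond["field"], principal, resource), cond["operator"], cond["value"]
    if op == "in":         # scalar attribute must be one of the listed values
        return actual in expected
    if op == "contains":   # array attribute must include the single listed value
        return expected in (actual or [])
    raise ValueError(f"unsupported operator {op!r}")

def policy_allows(policy, principal, resource):
    """A rule matches when every condition holds; a matching rule yields the policy's effect."""
    for rule in policy["rules"]:
        if all(condition_holds(c, principal, resource) for c in rule["conditions"]):
            return policy["effect"] == "allow"
    return False

# Constructed Entra user: the directory stores the department in upper case.
ALICE = sync_principal({"userPrincipalName": "alice@example.com", "department": "FINANCE"},
                       ["engineering", "all-staff"])
INTERNAL_DOC = {"classification": "internal"}

# The same policy with a mixed-case department value never matches a synced principal.
MISCASED_POLICY = {**SAMPLE_POLICY, "rules": [{"conditions": [
    {"field": "principal.department", "operator": "in", "value": ["Finance"]}]}]}

if __name__ == "__main__":
    print(policy_allows(SAMPLE_POLICY, ALICE, INTERNAL_DOC))    # True
    print(policy_allows(MISCASED_POLICY, ALICE, INTERNAL_DOC))  # False: "Finance" != "finance"
```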

Frequently asked questions

Which Microsoft Graph API permissions does Gateco require?
User.Read.All, Group.Read.All, GroupMember.Read.All, Directory.Read.All, and OrgContact.Read.All — all as application permissions. Configure them on the Entra app registration and grant admin consent.
Why must policy values use lowercase for departments?
Entra ID department values are case-inconsistent across organizations ("Finance" vs "finance" vs "FINANCE"). Gateco normalizes to lowercase during sync. Policy conditions must use lowercase values, e.g. value: "finance".
Can I pair Azure Entra ID with Azure AI Search?
Yes — this is the natural Microsoft-stack pattern. Configure Entra ID as your IDP for principal sync, and Azure AI Search as your vector DB. Policies then gate search results based on Entra group membership.
