Feature Request: Support Query-Time ACL and RBAC enforcement in Azure AI Search

[DaveA-W]

Azure AI Search now natively supports Microsoft Entra-based document-level security, which means we should be able to avoid hand-coded security trimming or complex role management.

• https://learn.microsoft.com/en-us/azure/search/search-document-level-access-overview
• https://learn.microsoft.com/en-au/azure/search/search-query-access-control-rbac-enforcement

Would it be possible to update the accelerator to handle AI Search endpoints that support this, via APIM policy that can pass-through end-user Entra ID tokens, in addition to current APIM (service-level) auth mechanisms?

[DaveA-W]

I have found an example which might be usable as a basis to configure (or document) on-behalf-of flows in APIM - https://medium.com/microsoftazure/configure-on-behalf-of-flow-obo-flow-in-azure-api-management-01441c90c460

And this article may be useful to demonstrate a potential client scenario - https://baeke.info/2025/07/29/end-to-end-authorization-with-entra-id-and-mcp/
The content also links to a separate code sample to populate the Azure AI instance with document-level permissions.

If this accelerator can provide best practice guidance on how to put the lot together, I think it would be highly valued by a lot of enterprises!