Your Azure MCP FastAPI Agent now includes Phase 1 enterprise features:
Users now see only agents they have permission to access based on their role.
Agents can search Azure AI Search and SharePoint with user permissions.
Already working - user context flows through all operations.
Check user roles:
```bash
curl http://localhost:8000/api/user-roles \
  -H "Authorization: Bearer YOUR_TOKEN"
```
See filtered agents:
```bash
curl http://localhost:8000/api/agents \
  -H "Authorization: Bearer YOUR_TOKEN"
```
Check RAG configuration:
```bash
curl http://localhost:8000/api/rag/config
```
```bash
cd backend
pip install -r requirements.txt
```
New package: azure-search-documents==11.4.0
To enable RAG features, add to your .env:
```bash
# Azure AI Search (optional)
AZURE_AI_SEARCH_ENDPOINT=https://your-search.search.windows.net
AZURE_AI_SEARCH_KEY=your_api_key
AZURE_AI_SEARCH_INDEX=documents
# SharePoint (optional)
SHAREPOINT_ENABLED=true
SHAREPOINT_SITE_URL=https://company.sharepoint.com/sites/knowledge
```

| Document | Description |
|---|---|
| PHASE1_SUMMARY.md | 📊 Executive summary |
| PHASE1_IMPLEMENTATION.md | 📖 Complete guide |
| PHASE1_QUICK_REFERENCE.md | ⚡ Quick reference |
Roles:
- admin - See all agents
- analyst - See data/analytics agents
- user - See basic chat agents
- guest - See public agents only
Automatically assigned based on:
- Email domain (e.g., admin@admin.com → admin)
- Email keywords (e.g., analyst@ → analyst)
- Azure AD groups (optional)
Customize in: backend/rbac.py
Data Sources:
- Azure AI Search - Semantic search on indexed documents
- SharePoint - Live access via Microsoft Graph API
Security:
- Uses OAuth Identity Passthrough (MCP)
- Users see only documents they can access
- Permission filtering on all searches
OAuth Consent: For SharePoint, additional permissions needed:
- Sites.Read.All
- Files.Read.All
- User.Read
- GET /api/user-roles - Get current user's roles
- GET /api/agents - Get filtered agents (by role)

- POST /api/rag/search - Search knowledge base
- GET /api/rag/config - Get RAG status
- POST /api/rag/consent - Request OAuth consent

- backend/rbac.py - RBAC implementation
- backend/rag_integration.py - RAG service
- backend/.env.template - Updated template
- docs/PHASE1_IMPLEMENTATION.md
- docs/PHASE1_QUICK_REFERENCE.md
- docs/PHASE1_SUMMARY.md

- backend/main.py - Added RBAC & RAG
- backend/config.py - Added RAG settings
- backend/requirements.txt - Added dependency
- src/services/api.ts - Added RAG methods

RBAC:
- Users see different agents based on role
- /api/user-roles shows correct roles
- Admin users see all agents
RAG (if configured):
- Azure AI Search returns results
- SharePoint search works
- Permission filtering works
- OAuth consent flow works
Edit backend/rbac.py:
```python
# Add your admin domains
admin_domains = ["admin.com", "yourdomain.com"]
# Add specific admin emails
admin_emails = ["admin@company.com"]
```
Edit backend/rbac.py:
```python
DEFAULT_AGENT_PERMISSIONS = {
    "your-agent-name": {UserRole.ADMIN, UserRole.ANALYST},
    # Add more patterns
}
```
RBAC Issues:
- Check role assignment in backend/rbac.py
- Verify email patterns match your org
- Add logging to see assigned roles
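
To verify that email patterns resolve to the roles and agents you expect, the sketch below implements the email-based assignment rules and a role filter over a map shaped like DEFAULT_AGENT_PERMISSIONS. It is an added example, not the project's backend/rbac.py: the function names, agent names, sample addresses, the guest fallback for malformed input and the `default_allow` switch are assumptions.

```python
from enum import Enum


class UserRole(str, Enum):  # role names from the page; enum layout is assumed
    ADMIN = "admin"
    ANALYST = "analyst"
    USER = "user"
    GUEST = "guest"


ADMIN_DOMAINS = {"admin.com"}            # constructed sample values
ADMIN_EMAILS = {"admin@company.com"}
AGENT_PERMISSIONS = {                    # same shape as DEFAULT_AGENT_PERMISSIONS
    "data-analyst": {UserRole.ADMIN, UserRole.ANALYST},
    "basic-chat": {UserRole.ADMIN, UserRole.ANALYST, UserRole.USER},
    "public-faq": set(UserRole),
}


def assign_role(email: str) -> UserRole:
    """Map an email to a role; anything malformed falls back to guest."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return UserRole.GUEST
    # Exact comparison: "notadmin.com" or "admin.com.example.org" must not match.
    if email in ADMIN_EMAILS or domain in ADMIN_DOMAINS:
        return UserRole.ADMIN
    # Keyword rule from the page ("analyst@"): match the whole local part only.
    if local == "analyst":
        return UserRole.ANALYST
    return UserRole.USER


def visible_agents(role, agents, default_allow=False):
    """Filter agent names by role; unlisted agents follow default_allow."""
    if role is UserRole.ADMIN:
        return list(agents)
    out = []
    for name in agents:
        allowed = AGENT_PERMISSIONS.get(name)
        if (allowed is None and default_allow) or (allowed and role in allowed):
            out.append(name)
    return out
```

Calling `visible_agents` with `default_allow=True` models an allow-by-default policy for agents missing from the map, so comparing both settings shows which unlisted agents a guest would see.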
RAG Issues:
- Verify Azure AI Search endpoint/key
- Check SharePoint permissions in Azure AD
- Use /api/rag/consent for SharePoint access
```bash
cd backend
python main.py
```
- Edit RBAC rules in backend/rbac.py
- Add your admin emails/domains
- Test with different user accounts
- Set up Azure AI Search or SharePoint
- Add environment variables
- Grant Azure AD permissions
- Test search endpoints
- Update production environment variables
- Grant Azure AD permissions for SharePoint
- Test with real users
- Monitor logs for RBAC/RAG activity
Check Status:
- API Docs: http://localhost:8000/api/docs
- Health: http://localhost:8000/api/health
- MCP Config: http://localhost:8000/api/mcp-config
- RAG Config: http://localhost:8000/api/rag/config
Documentation:
- Read the implementation guide
- Check quick reference
- Review troubleshooting section
Logs:
- Look for "✓ RBAC enabled"
- Look for "✓ RAG enabled"
- Check role assignments in logs
✅ All Phase 1 Requirements Met:
- OAuth Identity Passthrough (MCP) - Already working
- RBAC + Agent Visibility - ✨ Newly implemented
- RAG Integration - ✨ Newly implemented
Next Steps:
- Test the new features
- Customize for your organization
- Configure RAG sources (optional)
- Deploy to production
Zero Breaking Changes:
- All existing features work as before
- New features are additive
- RBAC defaults to allowing access
- RAG is optional
🎉 Congratulations! Your application now has enterprise-grade RBAC and RAG capabilities!