# Azure AI Security Guardrails for Microsoft Entra ID SMB Access
> Automated guardrail enforcement for Microsoft Entra ID access requests, combining Azure AI with PII detection and policy-based approval.
A reference solution demonstrating how to build production-grade AI access-control guardrails with the `@reaatech/*` package family and Microsoft Graph API.
## Architecture
1. **Webhook handler** (`POST /api/approvals`) receives Entra ID access requests
2. **PII detection** via `@presidio-dev/hai-guardrails` redacts sensitive data
3. **Guardrail chain** (`@reaatech/guardrail-chain`) runs injection detection, toxicity filtering, rate limiting
4. **Azure OpenAI** evaluates the request semantics against policy rules
5. **Confidence router** (`@reaatech/confidence-router-core`) decides: auto-approve, manual review, or escalate
6. **Microsoft Graph API** grants the requested role on approval
7. **Manual review** endpoint (`POST /api/approvals/review`) handles edge cases
## Prerequisites
- Node.js >= 22
- pnpm >= 10
## Setup
```bash
pnpm install
cp .env.example .env
# Fill in your Azure OpenAI, Microsoft Graph, and webhook secret values
pnpm dev # Start dev server
```
## Environment Variables
| Variable | Description |
|----------|-------------|
| `AZURE_OPENAI_ENDPOINT` | Azure OpenAI endpoint URL |
| `AZURE_OPENAI_API_KEY` | Azure OpenAI API key |
| `AZURE_OPENAI_DEPLOYMENT` | Azure OpenAI deployment name |
| `MICROSOFT_GRAPH_TENANT_ID` | Entra ID tenant ID |
| `MICROSOFT_GRAPH_CLIENT_ID` | Entra ID app registration client ID |
| `MICROSOFT_GRAPH_CLIENT_SECRET` | Entra ID app registration client secret |
| `PINO_LOG_LEVEL` | Pino log level (default: `info`) |
| `ENTRA_ID_WEBHOOK_SECRET` | Shared secret for webhook authentication |
## API
### `POST /api/approvals`
Receives an Entra ID access request and runs the full guardrail pipeline.
**Request body:**
```json
{
  "id": "req-123",
  "userId": "user-abc",
  "requestedRole": "TeamLead",
  "justification": "Need to manage team permissions",
  "requesterEmail": "user@company.com",
  "timestamp": "2026-06-01T00:00:00Z"
}
```
**Response (200):**
```json
{
  "requestId": "req-123",
  "status": "approved",
  "confidence": 0.95,
  "reasoning": "Valid request"
}
```
**Headers:** `x-webhook-secret: <your-secret>`
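
An added example (not code from this repository) of gating `POST /api/approvals` on the `x-webhook-secret` header before any guardrail step runs: constant-time comparison, fail-closed when the secret is unset, then a shape check against the sample body above. The names `checkWebhook` and `secretMatches` and the status codes returned are assumptions.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Field names come from the README's sample request body.
const REQUIRED_FIELDS = ["id", "userId", "requestedRole", "justification",
  "requesterEmail", "timestamp"];

type Verdict = { ok: boolean; status: number; error?: string };

const deny = (status: number, error: string): Verdict => ({ ok: false, status, error });

// Hash both sides so timingSafeEqual always gets equal-length buffers
// (it throws on a length mismatch, and an early length check would leak length).
function secretMatches(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// Hypothetical gate. `expectedSecret` is assumed to be loaded from
// ENTRA_ID_WEBHOOK_SECRET and `headerSecret` from the x-webhook-secret header.
function checkWebhook(headerSecret: string | undefined,
                      expectedSecret: string | undefined,
                      body: unknown): Verdict {
  // Fail closed: an unset server secret must not match an empty header.
  if (!expectedSecret) return deny(500, "webhook secret not configured");
  if (!headerSecret || !secretMatches(headerSecret, expectedSecret)) {
    return deny(401, "unauthorized");
  }
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return deny(400, "body must be a JSON object");
  }
  const rec = body as Record<string, unknown>;
  for (const field of REQUIRED_FIELDS) {
    const value = rec[field];
    if (typeof value !== "string" || value.trim() === "") {
      return deny(400, `missing or non-string field: ${field}`);
    }
  }
  if (Number.isNaN(Date.parse(rec["timestamp"] as string))) {
    return deny(400, "timestamp is not a valid date");
  }
  return { ok: true, status: 200 };
}
```

Authentication runs before body validation so an unauthenticated caller learns nothing about the expected schema from error messages.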
### `GET /api/approvals?requestId=<id>`
Retrieve the result of a previously processed request.
### `POST /api/approvals/review`
Manually approve or reject a request flagged for review.
**Request body:**
```json
{
  "requestId": "req-123",
  "decision": "approved",
  "reviewer": "admin@company.com",
  "notes": "Looks good"
}
```
## Running Tests
```bash
pnpm test # vitest run with coverage
pnpm typecheck # TypeScript type checking
pnpm lint # ESLint
```
## Project Layout
```
app/api/approvals/   Next.js API route handlers
src/services/        Business logic (PII, AI, Graph, routing, chain)
src/lib/             Observability adapters
src/config/          Configuration schemas and loaders
src/types/           TypeScript type definitions
tests/               Vitest test suite
```
## License
MIT — see [LICENSE](./LICENSE).