Connect to Azure AI Search using Azure role-based access control

Azure provides a global role-based access control authorization system for all services running on the platform. In Azure AI Search, you can use Azure roles for:

• Control plane operations (service administration tasks through Azure Resource Manager).

• Data plane operations, such as creating, loading, and querying indexes.

Per-user access over search results (sometimes referred to as row-level security or document-level security) isn't supported. As a workaround, create security filters that trim results by user identity, removing documents for which the requestor shouldn't have access.

Note

A quick note about terminology. Control plane refers to operations supported in the Management REST API or equivalent client libraries. Data plane refers to operations against the search service endpoint, such as indexing or queries, or any other operation specified in the Search REST API or equivalent client libraries.

Built-in roles used in Search

The following roles are built in. If these roles are insufficient, create a custom role.

Role	Plane	Description
Owner	Control & Data	Full access to the control plane of the search resource, including the ability to assign Azure roles. Only the Owner role can enable or disable authentication options or manage roles for other users. Subscription administrators are members by default. On the data plane, this role has the same access as the Search Service Contributor role. It includes access to all data plane actions except the ability to query or index documents.
Contributor	Control & Data	Same level of control plane access as Owner, minus the ability to assign roles or change authentication options. On the data plane, this role has the same access as the Search Service Contributor role. It includes access to all data plane actions except the ability to query or index documents.
Reader	Control & Data	Read access across the entire service, including search metrics, content metrics (storage consumed, number of objects), and the object definitions of data plane resources (indexes, indexers, and so on). However, it can't read API keys or read content within indexes.
Search Service Contributor	Control & Data	Read-write access to object definitions (indexes, aliases, synonym maps, indexers, data sources, and skillsets). This role is for developers who create objects, and for administrators who manage a search service and its objects, but without access to index content. Use this role to create, delete, and list indexes, get index definitions, get service information (statistics and quotas), test analyzers, create and manage synonym maps, indexers, data sources, and skillsets. See Microsoft.Search/searchServices/* for the permissions list.
Search Index Data Contributor	Data	Read-write access to content in indexes. This role is for developers or index owners who need to import, refresh, or query the documents collection of an index. This role doesn't support index creation or management. By default, this role is for all indexes on a search service. See Grant access to a single index to narrow the scope.
Search Index Data Reader	Data	Read-only access for querying search indexes. This role is for apps and users who run queries. This role doesn't support read access to object definitions. For example, you can't read a search index definition or get search service statistics. By default, this role is for all indexes on a search service. See Grant access to a single index to narrow the scope.

Note

If you disable Azure role-based access, built-in roles for the control plane (Owner, Contributor, Reader) continue to be available. Disabling role-based access removes just the data-related permissions associated with those roles. If data plane roles are disabled, Search Service Contributor is equivalent to control-plane Contributor.

Limitations

• Adoption of role-based access control might increase the latency of some requests. Each unique combination of service resource (index, indexer, etc.) and service principal used on a request triggers an authorization check. These authorization checks can add up to 200 milliseconds of latency to a request.

• In rare cases where requests originate from a high number of different service principals, all targeting different service resources (indexes, indexers, etc.), it's possible for the authorization checks to result in throttling. Throttling would only happen if hundreds of unique combinations of search service resource and service principal were used within a second.

Configure role-based access for data plane

Applies to: Search Index Data Contributor, Search Index Data Reader, Search Service Contributor

In this step, configure your search service to recognize an authorization header on data requests that provide an OAuth2 access token.

Azure portal

1. Sign in to the Azure portal and open the search service page.

2. Select Keys in the left navigation pane.

   

3. Choose an API access control option. We recommend Both if you want flexibility or need to migrate apps.

   Option	Description
   API Key	(default). Requires an admin or query API keys on the request header for authorization. No roles are used.
   Role-based access control	Requires membership in a role assignment to complete the task, described in the next step. It also requires an authorization header.
   Both	Requests are valid using either an API key or role-based access control.

The change is effective immediately, but wait a few seconds before testing.

All network calls for search service operations and content respect the option you select: API keys, bearer token, or either one if you select Both.

When you enable role-based access control in the portal, the failure mode is "http401WithBearerChallenge" if authorization fails.

REST API

Use the Management REST API Create or Update Service to configure your service for role-based access control.

All calls to the Management REST API are authenticated through Microsoft Entra ID, with Contributor or Owner permissions. For help with setting up authenticated requests, see Manage Azure AI Search using REST.

1. Get service settings so that you can review the current configuration.

   GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Search/searchServices?api-version=2023-11-01
   

2. Use PATCH to update service configuration. The following modifications enable both keys and role-based access. If you want a roles-only configuration, see Disable API keys.

   Under "properties", set "authOptions" to "aadOrApiKey". The "disableLocalAuth" property must be false to set "authOptions".

   Optionally, set "aadAuthFailureMode" to specify whether 401 is returned instead of 403 when authentication fails. Valid values are "http401WithBearerChallenge" or "http403".

   PATCH https://management.azure.com/subscriptions/{{subscriptionId}}/resourcegroups/{{resource-group}}/providers/Microsoft.Search/searchServices/{{search-service-name}}?api-version=2023-11-01
   {
       "properties": {
           "disableLocalAuth": false,
           "authOptions": {
               "aadOrApiKey": {
                   "aadAuthFailureMode": "http401WithBearerChallenge"
               }
           }
       }
   }
   

3. Follow the instructions in the next step to assign roles for data plane operations.

Assign roles

Role assignments are cumulative and pervasive across all tools and client libraries. You can assign roles using any of the supported approaches described in Azure role-based access control documentation.

You must be an Owner or have Microsoft.Authorization/roleAssignments/write permissions to manage role assignments.

Azure portal

Role assignments in the portal are service-wide. If you want to grant permissions to a single index, use PowerShell or the Azure CLI instead.

1. Sign in to the Azure portal.

2. Navigate to your search service.

3. Select Access Control (IAM) in the left navigation pane.

4. Select + Add > Add role assignment.

   

5. Select an applicable role:

   • Owner
   • Contributor
   • Reader
   • Search Service Contributor
   • Search Index Data Contributor
   • Search Index Data Reader

6. On the Members tab, select the Microsoft Entra user or group identity.

7. On the Review + assign tab, select Review + assign to assign the role.

PowerShell

When using PowerShell to assign roles, call New-AzRoleAssignment, providing the Azure user or group name, and the scope of the assignment.

Before you start, make sure to load the Az and AzureAD modules and connect to Azure:

Import-Module -Name Az
Import-Module -Name AzureAD
Connect-AzAccount

This example creates a role assignment scoped to a search service:

New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Search Index Data Contributor" `
    -Scope  "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Search/searchServices/<search-service>"

This example creates a role assignment scoped to a specific index:

New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Search Index Data Contributor" `
    -Scope  "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Search/searchServices/<search-service>/indexes/<index-name>"

Recall that you can only scope access to top-level resources, such as indexes, synonym maps, indexers, data sources, and skillsets. You can't control access to search documents (index content) with Azure roles.

Test role assignments

Use a client to test role assignments. Remember that roles are cumulative and inherited roles that are scoped to the subscription or resource group can't be deleted or denied at the resource (search service) level.

Make sure that you register your client application with Microsoft Entra ID and have role assignments in place before testing access.

Azure portal

1. Sign in to the Azure portal.

2. Navigate to your search service.

3. On the Overview page, select the Indexes tab:

   • Search Service Contributors can view and create any object, but can't load documents or query an index. To verify permissions, create a search index.

   • Search Index Data Contributors can load and query documents. To verify permissions, use Search explorer to query documents. There's no load documents option in the portal outside of Import data wizard. Because the wizard also creates objects, you would need Search Service Contributor, plus Search Index Data Contributor.

   • Search Index Data Readers can query the index. To verify permissions, use Search explorer. You should be able to send queries and view results, but you shouldn't be able to view the index definition.

REST API

This approach assumes Visual Studio Code with a REST client extension.

1. Open a command shell for Azure CLI and sign in to your Azure subscription.

   az login
   

2. Get your tenant ID and subscription ID. The ID is used as a variable in a future step.

   az account show
   

3. Get an access token.

   az account get-access-token --query accessToken --output tsv
   

4. In a new text file in Visual Studio Code, paste in these variables:

   @baseUrl = PASTE-YOUR-SEARCH-SERVICE-URL-HERE
   @index-name = PASTE-YOUR-INDEX-NAME-HERE
   @token = PASTE-YOUR-TOKEN-HERE
   

5. Paste in and then send a request that uses the variables you've specified. For the "Search Index Data Reader" role, you can send a query. You can use any supported API version.

   POST https://{{baseUrl}}/indexes/{{index-name}}/docs/search?api-version=2023-11-01 HTTP/1.1
     Content-type: application/json
     Authorization: Bearer {{token}}
   
       {
            "queryType": "simple",
            "search": "motel",
            "filter": "",
            "select": "HotelName,Description,Category,Tags",
            "count": true
        }
   

For more information on how to acquire a token for a specific environment, see Manage a Azure AI Search service with REST APIs and Microsoft identity platform authentication libraries.

.NET

1. Use the Azure.Search.Documents package.

2. Use Azure.Identity for .NET for token authentication. Microsoft recommends DefaultAzureCredential() for most scenarios.

3. Here's an example of a client connection using DefaultAzureCredential().

   // Create a SearchIndexClient to send create/delete index commands
   SearchIndexClient adminClient = new SearchIndexClient(serviceEndpoint, new DefaultAzureCredential());
   
   // Create a SearchClient to load and query documents
   SearchClient srchclient = new SearchClient(serviceEndpoint, indexName, new DefaultAzureCredential());
   

4. Here's another example of using client secret credential:

   var tokenCredential =  new ClientSecretCredential(aadTenantId, aadClientId, aadSecret);
   SearchClient srchclient = new SearchClient(serviceEndpoint, indexName, tokenCredential);
   

Python

1. Use azure.search.documents (Azure SDK for Python).

2. Use Azure.Identity for Python for token authentication.

3. Use DefaultAzureCredential if the Python client is an application that executes server-side. Enable interactive authentication if the app runs in a browser.

4. Here's an example:

   from azure.search.documents import SearchClient
   from azure.identity import DefaultAzureCredential
   
   credential = DefaultAzureCredential()
   endpoint = "https://<mysearch>.search.windows.net"
   index_name = "myindex"
   client = SearchClient(endpoint=endpoint, index_name=index_name, credential=credential)
   

JavaScript

1. Use @azure/search-documents (Azure SDK for JavaScript), version 11.3.

2. Use Azure.Identity for JavaScript for token authentication.

3. If you're using React, use InteractiveBrowserCredential for Microsoft Entra authentication to Search. See When to use @azure/identity for details.

Java

1. Use azure-search-documents (Azure SDK for Java).

2. Use Azure.Identity for Java for token authentication.

3. Microsoft recommends DefaultAzureCredential for apps that run on Azure.

Test as current user

If you're already a Contributor or Owner of your search service, you can present a bearer token for your user identity for authentication to Azure AI Search.

1. Get a bearer token for the current user using the Azure CLI:

   az account get-access-token --scope https://search.azure.com/.default
   

   Or by using PowerShell:

   Get-AzAccessToken -ResourceUrl https://search.azure.com
   

2. In a new text file in Visual Studio Code, paste in these variables:

   @baseUrl = PASTE-YOUR-SEARCH-SERVICE-URL-HERE
   @index-name = PASTE-YOUR-INDEX-NAME-HERE
   @token = PASTE-YOUR-TOKEN-HERE
   

3. Paste in and then send a request to confirm access. Here's one that queries the hotels-quickstart index

   POST https://{{baseUrl}}/indexes/{{index-name}}/docs/search?api-version=2023-11-01 HTTP/1.1
     Content-type: application/json
     Authorization: Bearer {{token}}
   
       {
            "queryType": "simple",
            "search": "motel",
            "filter": "",
            "select": "HotelName,Description,Category,Tags",
            "count": true
        }
   

Grant access to a single index

In some scenarios, you might want to limit an application's access to a single resource, such as an index.

The portal doesn't currently support role assignments at this level of granularity, but it can be done with PowerShell or the Azure CLI.

In PowerShell, use New-AzRoleAssignment, providing the Azure user or group name, and the scope of the assignment.

1. Load the Azure and AzureAD modules and connect to your Azure account:

   Import-Module -Name Az
   Import-Module -Name AzureAD
   Connect-AzAccount
   

2. Add a role assignment scoped to an individual index:

   New-AzRoleAssignment -ObjectId <objectId> `
       -RoleDefinitionName "Search Index Data Contributor" `
       -Scope  "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Search/searchServices/<search-service>/indexes/<index-name>"
   

Create a custom role

If built-in roles don't provide the right combination of permissions, you can create a custom role to support the operations you require

This example clones Search Index Data Reader and then adds the ability to list indexes by name. Normally, listing the indexes on a search service is considered an administrative right.

Azure portal

These steps are derived from Create or update Azure custom roles using the Azure portal. Cloning from an existing role is supported in a search service page.

These steps create a custom role that augments search query rights to include listing indexes by name. Typically, listing indexes is considered an admin function.

1. In the Azure portal, navigate to your search service.

2. In the left-navigation pane, select Access Control (IAM).

3. In the action bar, select Roles.

4. Right-click Search Index Data Reader (or another role) and select Clone to open the Create a custom role wizard.

5. On the Basics tab, provide a name for the custom role, such as "Search Index Data Explorer", and then select Next.

6. On the Permissions tab, select Add permission.

7. On the Add permissions tab, search for and then select the Microsoft Search tile.

8. Set the permissions for your custom role. At the top of the page, using the default Actions selection:

   • Under Microsoft.Search/operations, select Read : List all available operations.
   • Under Microsoft.Search/searchServices/indexes, select Read : Read Index.

9. On the same page, switch to Data actions and under Microsoft.Search/searchServices/indexes/documents, select Read : Read Documents.

   The JSON definition looks like the following example:

   {
    "properties": {
        "roleName": "search index data explorer",
        "description": "",
        "assignableScopes": [
            "/subscriptions/0000000000000000000000000000000/resourceGroups/free-search-svc/providers/Microsoft.Search/searchServices/demo-search-svc"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Search/operations/read",
                    "Microsoft.Search/searchServices/indexes/read"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.Search/searchServices/indexes/documents/read"
                ],
                "notDataActions": []
            }
        ]
      }
    }
   

10. Select Review + create to create the role. You can now assign users and groups to the role.

Azure PowerShell

The PowerShell example shows the JSON syntax for creating a custom role that's a clone of Search Index Data Reader, but withe ability to list all indexes by name.

1. Review the list of atomic permissions to determine which ones you need. For this example, you'll need the following:

   "Microsoft.Search/operations/read",
   "Microsoft.Search/searchServices/read",
   "Microsoft.Search/searchServices/indexes/read"
   

2. Set up a PowerShell session to create the custom role. For detailed instructions, see Azure PowerShell

3. Provide the role definition as a JSON document. The following example shows the syntax for creating a custom role with PowerShell.

{
  "Name": "Search Index Data Explorer",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "List all indexes on the service and query them.",
  "Actions": [
      "Microsoft.Search/operations/read",
      "Microsoft.Search/searchServices/read"
  ],
  "NotActions": [],
  "DataActions": [
      "Microsoft.Search/searchServices/indexes/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}"
  ]
}

Note

If the assignable scope is at the index level, the data action should be "Microsoft.Search/searchServices/indexes/documents/read".

REST API

1. Review the list of atomic permissions to determine which ones you need.

2. See Create or update Azure custom roles using the REST API for steps.

3. Clone or create a role, or use JSON to specify the custom role (see the PowerShell tab for JSON syntax).

Azure CLI

1. Review the list of atomic permissions to determine which ones you need.

2. See Create or update Azure custom roles using Azure CLI for steps.

3. Clone or create a role, or use JSON to specify the custom role (see the PowerShell tab for JSON syntax).

Disable API key authentication

Key access, or local authentication, can be disabled on your service if you're using the Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader roles and Microsoft Entra authentication. Disabling API keys causes the search service to refuse all data-related requests that pass an API key in the header.

Note

Admin API keys can only be disabled, not deleted. Query API keys can be deleted.

Owner or Contributor permissions are required to disable features.

To disable key-based authentication, use Azure portal or the Management REST API.

Portal

1. In the Azure portal, navigate to your search service.

2. In the left-navigation pane, select Keys.

3. Select Role-based access control.

The change is effective immediately, but wait a few seconds before testing. Assuming you have permission to assign roles as a member of Owner, service administrator, or co-administrator, you can use portal features to test role-based access.

REST API

To disable key-based authentication, set "disableLocalAuth" to true.

1. Get service settings so that you can review the current configuration.

   GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Search/searchServices?api-version=2023-11-01
   

2. Use PATCH to update service configuration. The following modification will set "authOptions" to null.

   PATCH https://management.azure.com/subscriptions/{{subscriptionId}}/resourcegroups/{{resource-group}}/providers/Microsoft.Search/searchServices/{{search-service-name}}?api-version=2023-11-01
   {
       "properties": {
           "disableLocalAuth": true
       }
   }
   

Requests that include an API key only, with no bearer token, fail with an HTTP 401.

To re-enable key authentication, rerun the last request, setting "disableLocalAuth" to false. The search service resumes acceptance of API keys on the request automatically (assuming they're specified).

Conditional Access

We recommend Microsoft Entra Conditional Access if you need to enforce organizational policies, such as multifactor authentication.

To enable a Conditional Access policy for Azure AI Search, follow these steps:

1. Sign in to the Azure portal.

2. Search for Microsoft Entra Conditional Access.

3. Select Policies.

4. Select New policy.

5. In the Cloud apps or actions section of the policy, add Azure AI Search as a cloud app depending on how you want to set up your policy.

6. Update the remaining parameters of the policy. For example, specify which users and groups this policy applies to.

7. Save the policy.

Important

If your search service has a managed identity assigned to it, the specific search service will show up as a cloud app that can be included or excluded as part of the Conditional Access policy. Conditional Access policies can't be enforced on a specific search service. Instead make sure you select the general Azure AI Search cloud app.

Troubleshooting role-based access control issues

When developing applications that use role-based access control for authentication, some common issues might occur:

• If the authorization token came from a managed identity and the appropriate permissions were recently assigned, it might take several hours for these permissions assignments to take effect.
• The default configuration for a search service is key-based authentication only. If you didn't change the default key setting to Both or Role-based access control, then all requests using role-based authentication are automatically denied regardless of the underlying permissions.