Skip to content

Module 03 · I connect the systems

Advanced Enterprise Setup

Outcome

Implement RBAC, configure the Auditor Skill for PII and abuse monitoring, and set up Microsoft Entra ID OAuth for Dynamics 365 and SharePoint.

What you will learn

  • Implement Role-Based Access Control (RBAC) to enforce the principle of least privilege.
  • Configure the Auditor Skill to monitor for PII leaks and malicious behavior.
  • Set up secure, server-to-server OAuth integration for Microsoft Dynamics 365 and SharePoint.
01

Role-Based Access Control (RBAC)

Securing AI agents at scale requires a multi-level access framework. In raia, permissions are divided into organization-level roles and agent-level roles.

raia Role-Based Access Control hierarchy.

Organization Roles

Super Admin

Manages the entire raia platform across all organizations.

Org Owner / Org Admin

Manages all agents and users within a specific organization.

Agent Roles

Owner

Full control over the agent.

Admin

Configure skills, edit instructions, and train the knowledge base.

Editor

Update knowledge base content but cannot change core configurations.

Public

Read-only access or no access.

Best Practice: Always apply the Principle of Least Privilege. If a user only needs to update training documents, assign them the Editor role — not Admin.

02

The Auditor Skill

The Auditor Skill acts as an automated compliance layer, scanning every message sent and received by the agent for policy violations.

The Auditor Skill: three layers of compliance monitoring.

01

PII Auditor

Scans for Personally Identifiable Information (emails, phone numbers, SSNs). The core safeguard against data leakage — enable this first.

02

Hack Auditor

Detects system abuse, prompt injection attempts, and malicious intent.

03

Custom Auditor

Enforces organization-specific policies (e.g., flag any mention of an unreleased product).

When an auditor triggers, the alert is logged in the Alerts tab and dispatched to the configured Recipient (e.g., a webhook sent to a SIEM tool, Slack channel, or email address).

03

Enterprise OAuth: Microsoft Integration

For deep integrations with enterprise systems like Microsoft Dynamics 365 or SharePoint, raia uses the Microsoft Entra ID OAuth 2.0 client credentials flow. This allows raia to authenticate securely as a server (S2S) without requiring an interactive user login.

Enterprise OAuth: server-to-server authentication flow.

The 4-Step Setup Flow

  1. Step 01

    Register the App

    Register raia as a Single-Tenant application in Microsoft Entra ID. Record the Client ID and Tenant ID.

  2. Step 02

    Configure Credentials

    Upload a certificate (recommended) or generate a Client Secret. Store it securely in Azure Key Vault.

  3. Step 03

    Create the Application User

    For Dynamics 365: create an Application User in Dataverse with a custom security role (never System Administrator). For SharePoint: grant the Sites.Selected permission in Microsoft Graph to scope access to specific site collections.

  4. Step 04

    Authenticate

    raia requests an access token from the Microsoft identity platform. The token is valid for 60 minutes and passed as a Bearer token in all API calls.

Security Note: Never assign the System Administrator role to the Application User. Scope permissions narrowly with custom security roles in Dataverse and Sites.Selected in SharePoint to enforce least privilege at the integration layer.

04

Frequently Asked Questions

Can I restrict agent access by IP address or domain?

Yes — for private or highly restricted internal agents, configure IP whitelists and domain restrictions to ensure the agent is only accessible from authorized corporate networks.

If the PII Auditor flags a message, is the message blocked from being sent?

The Auditor Skill is primarily a monitoring and alerting tool. Depending on configuration and custom prompt rules, you can instruct the agent to refuse to answer when PII is detected, but the Auditor itself generates alerts for review.

Why use Sites.Selected for SharePoint instead of Files.ReadWrite.All?

Files.ReadWrite.All grants the agent access to every file across the entire Microsoft 365 tenant. Sites.Selected restricts access to only the specific SharePoint sites you explicitly authorize, adhering to strict security compliance.

Path complete

Congratulations — you have completed the Agent Integration path. You now have the knowledge to deploy, connect, and secure raia agents within complex enterprise environments.

Progress is saved locally in your browser.