
Enrich authorization with Microsoft Entra ID data

Automatically pull user profiles, security groups, directory roles, and organizational data from Microsoft Entra ID into your Cerbos policy evaluations.

Microsoft Entra ID context

Automatically enrich authorization requests with user profiles and group memberships from Microsoft Entra ID

Cached responses

Configurable TTLs cache enrichment results to balance data freshness against evaluation latency

Zero application code

Identity enrichment happens at the policy layer, so your application code stays clean

How Cerbos works with Microsoft Entra ID

Authorization decisions are only as good as the data behind them. Microsoft Entra ID provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With Microsoft Entra ID as a context source, those policies can evaluate attributes beyond what's in the initial request.

Because enrichment happens at the policy layer, your application code stays clean: there is no custom plumbing to fetch and merge identity data before making authorization calls.

Authorization powered by your Microsoft Entra ID directory

Enterprise organizations running Microsoft Entra ID (formerly Azure AD) maintain rich user profiles, security groups, directory roles, department hierarchies, and custom extension attributes. Cerbos identity enrichment makes all of this data available in your authorization policies, closing the gap between identity management and access control.

How it works

  1. Your application sends an authorization request to Cerbos with the user's Entra ID object identifier or UPN.
  2. Cerbos queries Microsoft Graph for the user's profile, security groups, directory roles, and organizational data.
  3. The enriched data is available in your policies; write rules based on security groups, directory roles, department, manager chain, job title, or custom extension attributes.
  4. Results are cached with configurable TTLs, giving low-latency decisions while keeping the data fresh.

Transitive group resolution

Entra ID security groups can be nested. Cerbos resolves transitive memberships so your policies don't need to account for group hierarchy depth: a user who is a member of group A, which is nested inside group B, satisfies policies requiring membership in group B.

Get started

Entra ID identity enrichment is available as part of Cerbos enterprise. Talk to us to learn more about enriching your authorization decisions with Microsoft Entra ID data.

FAQ

How does Entra ID enrichment work?

Cerbos queries Microsoft Graph API to fetch user profiles, security group memberships, directory roles, and organizational data at evaluation time. This enriched context is available as principal attributes in your policies.

Can I use Entra ID security groups and directory roles in policies?

Yes. Cerbos resolves both direct and transitive group memberships, directory roles, and administrative unit assignments. You can write policies based on any combination of these, for example, requiring both a specific security group and a directory role for sensitive operations.
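The two behaviours above (transitive group resolution, and a rule that requires both a security group and a directory role) can be seen in a small added model. This is illustrative code written for this page, not Cerbos's own enrichment implementation; it replaces the Microsoft Graph calls with a constructed in-memory directory snapshot, and the group names, UPNs and role names are made up (a deliberate group cycle is included as an edge case).

```python
from collections import deque

# Constructed Entra ID snapshot (not real Graph API output): group -> groups it is a
# member of, i.e. its parents. "Finance-Analysts" sits inside "Finance", which sits
# inside "All-Staff". The cycle between "Cycle-A" and "Cycle-B" must not loop forever.
MEMBER_OF = {
    "Finance-Analysts": ["Finance"],
    "Finance": ["All-Staff"],
    "All-Staff": [],
    "Cycle-A": ["Cycle-B"],
    "Cycle-B": ["Cycle-A"],
}

# Constructed principals: direct group memberships and directory roles as a directory
# lookup would report them (hypothetical UPNs).
USERS = {
    "alice@example.com": {"groups": ["Finance-Analysts"], "roles": ["Global Reader"]},
    "bob@example.com": {"groups": ["Cycle-A"], "roles": []},
}


def transitive_groups(direct_groups, member_of=MEMBER_OF):
    """Return every group reachable from the direct memberships, at any nesting depth."""
    seen = set()
    queue = deque(direct_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded: covers cycles and diamond-shaped nesting
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def enrich(upn, users=USERS):
    """Build the principal attributes a policy would see after enrichment."""
    record = users[upn]
    return {
        "groups": sorted(transitive_groups(record["groups"])),
        "roles": list(record["roles"]),
    }


def is_allowed(principal, required_group, required_role):
    """Policy condition: membership in a group (direct or nested) AND a directory role."""
    return required_group in principal["groups"] and required_role in principal["roles"]
```

Because `enrich` flattens the hierarchy before the condition is evaluated, the rule only names the group it cares about and never the path through which the user reaches it.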

Does this work with hybrid Active Directory environments?

Yes. If your on-premises Active Directory is synced to Entra ID, the synced attributes, groups, and organizational units are available through the enrichment pipeline. Cerbos operates on whatever data is present in the Entra ID directory.

Cerbos + Microsoft Entra ID

  • Authorization decisions enriched with real-time Microsoft Entra ID data
  • Context enrichment configured at the policy layer, not in application code
  • Identity attributes and business context combined in policies
  • Centrally managed authorization logic across the stack

What is Cerbos?

Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.

Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.