
Use Azure AD groups, app roles, and directory attributes from Microsoft Entra ID to drive fine-grained authorization decisions in Cerbos policies.
Use Entra ID security groups, directory roles, and app role assignments as first-class attributes in Cerbos policies
Add resource-level and field-level authorization that conditional access policies cannot express
Fits into Azure-based architectures alongside Entra ID, MSAL, and Microsoft Graph without replacing any component
Microsoft Entra ID handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
Microsoft Entra ID provides a rich identity layer for Azure-based environments: security groups, app roles, directory attributes, and conditional access. Cerbos uses that identity data to make fine-grained authorization decisions at the resource level, something Entra ID's built-in role assignments are not designed to do.
Entra ID app roles work well for coarse-grained access (admin vs. user), but many applications need finer control: restricting access to specific resources, enforcing ownership rules, or applying conditions based on resource state. Cerbos policies express these rules declaratively, using the identity data Entra ID already provides.
See our guide on building secure applications with Entra ID and Cerbos for a detailed walkthrough.
Yes. When a user authenticates through Entra ID, their security group memberships and assigned app roles are included in the token claims. Your application passes these as principal attributes to Cerbos, where policies can reference them directly to make authorization decisions.
Entra ID can be configured to emit transitive group memberships in token claims, which resolves nested groups at authentication time. Cerbos receives the flattened group list as principal attributes, so your policies do not need to handle group nesting logic.
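As an added example (not code from this page or from Cerbos), the claim-to-principal mapping described above in Python: it takes the validated Entra ID claims (`oid`, `roles`, `groups`, `tid`, `preferred_username`), turns them into the principal object a Cerbos CheckResources call expects, and refuses to proceed when Entra ID has replaced the `groups` claim with a `_claim_names` overage reference. All IDs and the `GROUP_ROLE_MAP` are constructed placeholders.

```python
import uuid
from typing import Any

# Constructed sample of the claims an application sees after validating an
# Entra ID access token: 'oid' is the user's object ID, 'roles' carries app
# role values, 'groups' carries group object IDs (transitive when requested).
SAMPLE_CLAIMS: dict[str, Any] = {
    "oid": "00000000-0000-0000-0000-000000000001",       # placeholder object ID
    "preferred_username": "alice@contoso.example",
    "tid": "00000000-0000-0000-0000-0000000000aa",       # placeholder tenant ID
    "roles": ["Document.Editor"],
    "groups": ["00000000-0000-0000-0000-0000000000f1"],  # placeholder group ID
}

# Hypothetical mapping from group object IDs to readable Cerbos roles; group
# IDs are opaque, so policies read better against names your team controls.
GROUP_ROLE_MAP = {"00000000-0000-0000-0000-0000000000f1": "finance"}


def principal_from_claims(claims: dict[str, Any]) -> dict[str, Any]:
    """Build the Cerbos principal object from validated Entra ID claims."""
    # Group overage: when a user belongs to too many groups, Entra ID omits
    # 'groups' and emits '_claim_names'/'_claim_sources' instead. Fail closed
    # rather than authorizing against an empty group list.
    if "groups" in claims.get("_claim_names", {}):
        raise ValueError("groups claim overage: resolve memberships via Microsoft Graph")
    groups = list(claims.get("groups", []))
    roles = set(claims.get("roles", []))
    roles.update(GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP)
    if not roles:
        roles.add("user")  # Cerbos requires at least one role per principal
    return {
        "id": claims["oid"],
        "roles": sorted(roles),
        "attr": {
            "groups": groups,
            "tenant": claims.get("tid"),
            "upn": claims.get("preferred_username"),
        },
    }


def check_resources_request(principal, kind, resource_id, resource_attr, actions):
    """Body for the Cerbos PDP CheckResources call (POST /api/check/resources)."""
    return {
        "requestId": str(uuid.uuid4()),
        "principal": principal,
        "resources": [{"actions": list(actions),
                       "resource": {"kind": kind, "id": resource_id, "attr": resource_attr}}],
    }
```

A resource policy can then reference `request.principal.attr.groups` or match on the derived role directly, and an ownership rule compares `request.resource.attr.ownerId` with `request.principal.id`.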
They operate at different layers. Entra ID conditional access controls whether a user can sign in at all (device compliance, location, risk level). Cerbos controls what an authenticated user can do within your application. The two complement each other without overlap.

What is Cerbos?
Cerbos is end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege and maintain full visibility into access decisions with Cerbos authorization.