Agent Eligibility Gateway
Version: v0.1.0-preview | Status: preview | Domain: Access & Identity | Tier: 3 | Zones: enterprise | Data classification: confidential
Optional runtime allow/deny gateway (Azure API Management) for owned custom-web and Direct Line agent channels — validates Entra ID tokens, required claims, and the corrected billing entitlement contract before a request reaches the agent endpoint.
Mapped Controls
Prerequisites
| Role | Requirement |
|---|---|
| azure-admin | Azure contributor on the resource group that hosts the API Management instance, to deploy the gateway, named values, and policy fragments. |
| security-admin | Microsoft Entra ID Security Administrator (or Application Administrator) to register the gateway app, configure the audience/Viewers security groups, and grant the gateway managed identity read access to the governance store. |
Dependencies
Verification
Send one authenticated request through the gateway and confirm a decision row is written to fsi_aegdecisionlog (or the configured telemetry sink); send a request from a user in no eligible cohort on a metered pathway and confirm a 403 governed-deny response.
Documentation
| Document |
|---|
| Apim Gateway Setup |
| Architecture |
| Dataverse Schema |
| Prerequisites |