docs: clarify Entra API permission types, manifest fields, role assignment requirements, and add bulk sync troubleshooting

[impoiler]

Summary

Improves the Microsoft Entra setup guide to fix common configuration mistakes that cause login failures and broken bulk user sync, particularly around API permission types and role assignment requirements.

Changes

• Clarified that openid, profile, email, and offline_access must be added as Delegated permissions, while User.Read, User.Read.All, GroupMember.Read.All, Group.Read.All, Application.Read.All, and AppRoleAssignment.ReadWrite.All must be added as Application permissions. Added a warning that adding the wrong permission type causes failures even when the permission appears granted.
• Added Application.Read.All and AppRoleAssignment.ReadWrite.All as required Application permissions for app-role-based bulk user sync, with an explanation of why each is needed.
• Added a warning that admin consent is required for Application permissions to be effective, not just listed.
• Added a warning that users must have a role selected when assigned to the Enterprise Application — assigning without a role causes Entra to omit the roles claim, resulting in login rejection.
• Clarified that groups must themselves be assigned to the application with a role selected; transitive group memberships are not walked by Entra.
• Corrected the manifest field name from requestedAccessTokenVersion to accessTokenAcceptedVersion.
• Added groupMembershipClaims: "ApplicationGroup" as a recommended manifest setting to scope the groups claim to only groups assigned to the Bifrost application.
• Added two new troubleshooting sections: one for the Claim "roles" is not present in the token login error and one for bulk user sync assigning Viewer instead of the mapped role.
• Added a note explaining that Application.Read.All and AppRoleAssignment.ReadWrite.All are only required for app-role-based bulk sync, not for login-time role mapping.

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

Review the rendered documentation and validate against a live Microsoft Entra app registration:

1. Follow the updated Step 5 and confirm that Delegated and Application permissions are added under their correct categories.
2. Assign a user to the Enterprise Application with a role selected and confirm the roles claim appears in the issued ID token.
3. Assign a user without a role and confirm login is rejected with the documented error message.
4. Run a bulk user import and confirm role mappings resolve correctly when Application.Read.All and AppRoleAssignment.ReadWrite.All are granted with admin consent.
5. Confirm the manifest field accessTokenAcceptedVersion: 2 is accepted by Entra without error.

Breaking changes

• Yes
• No

Related issues

Security considerations

The guide now explicitly calls out that Application permissions require admin consent to be effective, and recommends scoping the groups claim to "ApplicationGroup" to avoid leaking unrelated tenant-wide group memberships into tokens.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[impoiler]

• fix: skip matview for non-hour-aligned time window boundaries #3248
• feat: add parent_request_id, user_ids, and aliases URL state filters to dashboard #3247
• docs: clarify Entra API permission types, manifest fields, role assignment requirements, and add bulk sync troubleshooting #3237 👈 (View in Graphite)
• feat: add RBAC permission check to MCP tool groups route #3236
• feat: add RBAC access control to routing rules view, edit, and create actions #3231
• feat: enforce RBAC for model provider create/update operations in provider forms and config views #3228
• fix: replace single Governance RBAC check with granular per-resource access checks #3225
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Documentation
  • Expanded Microsoft Entra setup guide with frame-wrapped visuals and step-by-step images throughout configuration
  • Clarified role-mapping, assignment selection, client secrets, and token claim requirements (including groups/attributes)
  • Added detailed API permission guidance (delegated vs application) and admin-consent notes
  • Overhauled App Manifest recommendations (access token version, ID token roles/groups, group membership claims)
  • New troubleshooting for token claim issues, bulk-sync behavior, attribute mapping examples, and evaluation rules

Walkthrough

Updated Microsoft Entra (Azure AD) setup docs: added framed screenshots, made role-mapping required, expanded API-permission guidance (delegated vs application), revised manifest and token-claim instructions (accessTokenAcceptedVersion, optionalClaims, groupMembershipClaims), added client-secret/assignment warnings, and expanded troubleshooting. (≤50 words)

Changes

Entra ID Setup Guide (single cohesive update)

Layer / File(s)	Summary
Screens & Onboarding docs/enterprise/setting-up-entra.mdx	Inserted framed screenshots for app registration, app roles, enterprise app properties, client secrets, API permissions, user assignments, and attribute mappings.
Role Mapping Requirement docs/enterprise/setting-up-entra.mdx	Step 2 reworded to make role-mapping required; added App Roles image/frame and clarified role-mapping behavior.
Client Secret & Save Flow docs/enterprise/setting-up-entra.mdx	Added client-secret screenshot and warning to store secrets securely; clarified that a restart is required after saving manifest/permission changes.
API Permissions (Step 5) docs/enterprise/setting-up-entra.mdx	Expanded API permissions guidance distinguishing Delegated vs Application permissions; listed example Application permissions and noted admin consent requirements.
Token Claims & Manifest (Steps 6–8) docs/enterprise/setting-up-entra.mdx	Rewrote manifest guidance to set accessTokenAcceptedVersion/requestedAccessTokenVersion to 2, add roles/groups to optionalClaims.idToken, and configure groupMembershipClaims with JSON snippets and recommendations.
User/Group Assignment & Attribute Mapping docs/enterprise/setting-up-entra.mdx	Added warning that a role must be selected during assignments, tip for assigning roles to groups, framed attribute-mapping image, * wildcard note, and evaluation rules (highest-privilege precedence, case-insensitive matching).
Troubleshooting & Evaluation Rules docs/enterprise/setting-up-entra.mdx	Expanded troubleshooting for missing roles claim and bulk-sync assigning Viewer; documented evaluation rules, first-signer edge case, and restart requirement.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through docs with screenshots bright,
Framed roles and claims in tidy sight,
Secrets kept safe, manifest set true,
Restart and sync to see roles accrue,
🥕 Hooray — mappings now guide what you do!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately summarizes the main documentation changes: clarifying Entra API permission types, manifest fields, role assignment requirements, and adding bulk sync troubleshooting.
Description check	✅ Passed	The PR description comprehensively follows the template with all required sections completed: Summary, Changes, Type of change (Documentation selected), Affected areas (Docs selected), How to test (detailed validation steps provided), Breaking changes (No selected), Security considerations, and Checklist with appropriate items marked.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 05-05-docs_setting_up_microsoft_entra_docs_updates

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Confidence Score: 3/5

Not ready to merge — prior-round issues around the overly-broad AppRoleAssignment permission and the Step 6/Step 8 group-claim conflict are still open in the file.

The AppRoleAssignment.ReadWrite.All permission grants tenant-wide write access to app role assignments when only read access is required; this was flagged as a security concern in the previous review but every occurrence in the file is still unchanged. Separately, Step 6 still offers "Security groups" as an option whose UI effect directly contradicts the "ApplicationGroup" recommendation added in Step 8 — a user following the steps in order will silently undo the Step 8 manifest guidance. Both of these are substantive correctness issues in the documentation that operators will act on.

docs/enterprise/setting-up-entra.mdx — all five AppRoleAssignment.ReadWrite.All references and the Step 6 group-type selector guidance need attention.

Important Files Changed

Filename

Overview

docs/enterprise/setting-up-entra.mdx

Documentation overhaul adding Delegated/Application permission split, admin-consent warning, role-selection requirement, accessTokenAcceptedVersion fix, groupMembershipClaims guidance, and two new troubleshooting sections; several issues flagged in prior review rounds remain unaddressed (overly-broad AppRoleAssignment.ReadWrite.All, Step 6/Step 8 groupMembershipClaims conflict, missing EOF newline).

_{Reviews (6): Last reviewed commit: "docs: Setting up Microsoft Entra docs up..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/enterprise/setting-up-entra.mdx (1)

287-325: 🛠️ Refactor suggestion | 🟠 Major | 🏗️ Heavy lift

Add the required Mintlify tabs for this configuration section.

This setup section should be presented using Web UI / API / config.json tabs, and the config.json example should align with transports/config.schema.json.

As per coding guidelines docs/**/*.mdx: "Mintlify MDX documentation must have Web UI / API / config.json tabs; validate config.json examples against transports/config.schema.json".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 287 - 325, The Entra setup
section is missing Mintlify tabs; wrap the configuration content in Web UI / API
/ config.json tabs and add a config.json tab example that matches the schema in
transports/config.schema.json, including the documented fields (tenantId,
clientId, clientSecret, audience, attributeRoleMappings, attributeTeamMappings,
attributeBusinessUnitMappings and App ID URI where applicable). Ensure the
config.json snippet uses the same keys and types as
transports/config.schema.json, validate the example against that schema, and
keep the Web UI and API tabs showing the UI steps and API notes respectively.

🧹 Nitpick comments (1)

docs/enterprise/setting-up-entra.mdx (1)

243-247: ⚡ Quick win

Clarify manifest schema variant for token-version setting.

Line 246 uses the legacy property name "accessTokenAcceptedVersion": 2. In modern Microsoft Graph-format manifests (the current schema), this setting is represented as "api": { "requestedAccessTokenVersion": 2 } on the api node. Both forms control the same underlying setting, but they target different manifest versions. Add a note specifying which manifest format this guide targets, or include both forms to prevent confusion.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 243 - 247, The doc uses
the legacy manifest property "accessTokenAcceptedVersion": 2 which can be
confused with the modern Graph manifest format; update the text to clarify the
manifest schema being targeted and show both variants: the legacy top-level
"accessTokenAcceptedVersion": 2 and the modern "api": {
"requestedAccessTokenVersion": 2 }, or explicitly state “this guide targets X
manifest version” before the example so readers know which form to use
(referencing accessTokenAcceptedVersion and api.requestedAccessTokenVersion).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 58-60: Fix the grammar inside the Note block that currently reads
"This step is optional. You can create custom roles if thats the preferred way.
Or you can map any attribute to role/team/business unit. Role mapping is
required step." — replace "thats" with "that's" and change "Role mapping is
required step." to "Role mapping is a required step." so the Note reads
correctly.
- Around line 164-176: Update the permission type for User.Read in the Entra
setup docs: change the two occurrences of `User.Read` currently listed under
Application permissions (in the bullet list and the Warning paragraph) to be
Delegated-only so they match Microsoft Graph's definition; ensure the bullet
list now only contains Application permissions (`User.Read.All`,
`GroupMember.Read.All`, `Group.Read.All`, `Application.Read.All`,
`AppRoleAssignment.ReadWrite.All`) and adjust the Warning text so it correctly
states that `openid`, `profile`, `email`, `offline_access`, and `User.Read` must
be Delegated while the remaining listed permissions are Application.

---

Outside diff comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 287-325: The Entra setup section is missing Mintlify tabs; wrap
the configuration content in Web UI / API / config.json tabs and add a
config.json tab example that matches the schema in
transports/config.schema.json, including the documented fields (tenantId,
clientId, clientSecret, audience, attributeRoleMappings, attributeTeamMappings,
attributeBusinessUnitMappings and App ID URI where applicable). Ensure the
config.json snippet uses the same keys and types as
transports/config.schema.json, validate the example against that schema, and
keep the Web UI and API tabs showing the UI steps and API notes respectively.

---

Nitpick comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 243-247: The doc uses the legacy manifest property
"accessTokenAcceptedVersion": 2 which can be confused with the modern Graph
manifest format; update the text to clarify the manifest schema being targeted
and show both variants: the legacy top-level "accessTokenAcceptedVersion": 2 and
the modern "api": { "requestedAccessTokenVersion": 2 }, or explicitly state
“this guide targets X manifest version” before the example so readers know which
form to use (referencing accessTokenAcceptedVersion and
api.requestedAccessTokenVersion).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a48f4498-018d-46eb-ab10-dead704441e2

📥 Commits

Reviewing files that changed from the base of the PR and between b1bee80 and b3a9b57.

📒 Files selected for processing (1)

• docs/enterprise/setting-up-entra.mdx

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docs/enterprise/setting-up-entra.mdx (2)

331-337: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the leftover Okta wording and stale step references.

This Entra guide still says “Okta claims,” and it points groups to Step 5 / role to Step 4 even though those steps now cover API permissions and client secrets. The mapping intro should reference the Entra token-claim setup consistently.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 331 - 337, The doc still
mentions "Okta claims" and stale step numbers; update the wording to
consistently reference Entra token claims and remove/replace Step 4/Step 5
references. Specifically, in the paragraph describing attribute mappings
(attributeRoleMappings, attributeTeamMappings, attributeBusinessUnitMappings)
change "Okta claims" to "Entra token claims" and replace the references to
`groups`/`role` pointing to Step 5/Step 4 with a neutral reference to the Entra
token-claim setup (e.g., "the `groups` claim or a custom `role` claim configured
in your Entra token-claim setup") so the text no longer points to outdated
steps.

---

287-325: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add the required API/config tabs here, and include appIdUri in the non-UI representation.

This section only documents the Web UI flow, and the reference table below omits the App ID URI field introduced on Line 307. That leaves API/config users without a complete way to express the same setup.

As per coding guidelines, docs/**/*.mdx: Mintlify MDX documentation must have Web UI / API / config.json tabs; validate config.json examples against transports/config.schema.json.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 287 - 325, Add the missing
API/config tabs and include the App ID URI field in the non-UI/config
representation: update the UI docs section to provide Web UI / API / config.json
tabs as required, add the `appIdUri` (key name `appIdUri`) to the Configuration
Reference table alongside `tenantId`, `clientId`, `clientSecret`, and
`audience`, and ensure any example config.json snippets in this file validate
against transports/config.schema.json (adjust example values and schema fields
to include `appIdUri` and confirm required/optional flags).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 421-422: Update the sentence that currently states "groups (which
is already in the token)" to clarify that the groups claim is not always present
and only available if the Entra/Azure AD tenant has the groups claim enabled in
the token configuration/manifest; specifically mention that switching Bifrost
mappings from using the roles attribute to the groups attribute requires
enabling the groups claim in the token configuration/manifest (see the earlier
token configuration/manifest steps) and link or reference the Attribute Mappings
section for details.

---

Outside diff comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 331-337: The doc still mentions "Okta claims" and stale step
numbers; update the wording to consistently reference Entra token claims and
remove/replace Step 4/Step 5 references. Specifically, in the paragraph
describing attribute mappings (attributeRoleMappings, attributeTeamMappings,
attributeBusinessUnitMappings) change "Okta claims" to "Entra token claims" and
replace the references to `groups`/`role` pointing to Step 5/Step 4 with a
neutral reference to the Entra token-claim setup (e.g., "the `groups` claim or a
custom `role` claim configured in your Entra token-claim setup") so the text no
longer points to outdated steps.
- Around line 287-325: Add the missing API/config tabs and include the App ID
URI field in the non-UI/config representation: update the UI docs section to
provide Web UI / API / config.json tabs as required, add the `appIdUri` (key
name `appIdUri`) to the Configuration Reference table alongside `tenantId`,
`clientId`, `clientSecret`, and `audience`, and ensure any example config.json
snippets in this file validate against transports/config.schema.json (adjust
example values and schema fields to include `appIdUri` and confirm
required/optional flags).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 011f5bbd-5ee1-4002-8c63-45ae4e6272f6

📥 Commits

Reviewing files that changed from the base of the PR and between b3a9b57 and 6ceaaa7.

📒 Files selected for processing (1)

• docs/enterprise/setting-up-entra.mdx

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docs/enterprise/setting-up-entra.mdx (2)

331-337: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the stale Okta reference and step drift in Attribute Mappings.

This paragraph still says “Okta claims,” and the next sentence points readers to groups from Step 5 and role from Step 4 even though this guide configures groups in Step 6 and app roles in Steps 2/7. The section reads like a copy/paste from another provider and is now internally inconsistent.

🛠️ Suggested doc fix

-Attribute mappings let you translate Entra claim values into Bifrost roles, teams, or business units without restructuring your Okta claims. Bifrost supports three mapping types:
+Attribute mappings let you translate Entra claim values into Bifrost roles, teams, or business units without restructuring your Entra claims. Bifrost supports three mapping types:
@@
-These mappings work with any Entra claim - the `groups` claim from Step 5, the custom `role` claim from Step 4, or any other claim your authorization server includes in the token (e.g., `department`, `organization`).
+These mappings work with any Entra claim - the `groups` claim from Step 6, the `roles` claim from app-role assignments in Steps 2 and 7, or any other claim your authorization server includes in the token (e.g., `department`, `organization`).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 331 - 337, Update the
paragraph to remove the stale "Okta" reference and correct the step pointers:
change "Okta claims" to "Entra claims", and update the example claim references
so they point to where they are actually configured in this guide (the `groups`
claim configured in Step 6 and the app `role` claim configured in Steps 2/7).
Ensure the three mapping types (`attributeRoleMappings`,
`attributeTeamMappings`, `attributeBusinessUnitMappings`) remain as-is and the
sentence reads that these mappings work with any Entra claim (e.g., `groups`
from Step 6, `role` from Steps 2/7, or other claims like `department` or
`organization`).

---

287-325: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add the required Web UI / API / config.json tabs to the configuration section.

This section only documents the Web UI path plus a reference table. The MDX guideline for this repo requires configuration docs to provide Web UI / API / config.json tabs, so readers currently don't get the API or file-based setup path here.

🧭 Suggested structure

<Tabs>
  <Tab title="Web UI">
    ...current Step 9 UI flow...
  </Tab>
  <Tab title="API">
    ...equivalent API flow...
  </Tab>
  <Tab title="config.json">
    ...schema-valid config example...
  </Tab>
</Tabs>

As per coding guidelines docs/**/*.mdx: Mintlify MDX documentation must have Web UI / API / config.json tabs; validate config.json examples against transports/config.schema.json.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 287 - 325, The
configuration docs only show the Web UI; add the required three-tab structure
using the <Tabs> component with <Tab title="Web UI"> (retain the existing Step 9
UI content), <Tab title="API"> (add the equivalent API call/HTTP request and
response examples for configuring Microsoft Entra/SCIM), and <Tab
title="config.json"> (include a schema-valid JSON example matching fields like
tenantId, clientId, clientSecret, audience, attributeRoleMappings, etc. and
ensure the example validates against transports/config.schema.json). Also
mention the restart note inside the Web UI tab and keep the Configuration
Reference table available to all tabs.

♻️ Duplicate comments (1)

docs/enterprise/setting-up-entra.mdx (1)

421-422: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Don’t say groups is already in the token.

This fallback still contradicts Step 6: groups is only available after enabling/configuring that claim, so readers who skipped the token-claims step will switch mappings and hit the same failure mode.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 421 - 422, The sentence
incorrectly asserts that the groups attribute is already present in the token;
update the wording in the Bifrost mappings fallback to clarify that the groups
claim must be enabled/configured (reference Step 6 / Attribute Mappings), and
instruct readers to enable/configure the groups claim in their token before
switching mappings to use groups to avoid the same failure mode.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 241-247: The doc currently references the deprecated manifest
field accessTokenAcceptedVersion; update the manifest examples and text to use
the Microsoft Graph manifest shape by replacing accessTokenAcceptedVersion with
an api object containing requestedAccessTokenVersion (i.e.
api.requestedAccessTokenVersion: 2), and ensure any sample JSON, explanatory
text, and headings mention the new api.requestedAccessTokenVersion property
instead of accessTokenAcceptedVersion.
- Around line 165-188: Update the docs to replace the incorrect permission
string "AppRoleAssignment.Read.All" with the correct application permission
"AppRoleAssignment.ReadWrite.All" wherever it appears (the bullet list entry,
the Warning block, and the Note block) and ensure the text still states this
permission must be of type Application; no other changes to surrounding
explanatory text are needed.

---

Outside diff comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 331-337: Update the paragraph to remove the stale "Okta" reference
and correct the step pointers: change "Okta claims" to "Entra claims", and
update the example claim references so they point to where they are actually
configured in this guide (the `groups` claim configured in Step 6 and the app
`role` claim configured in Steps 2/7). Ensure the three mapping types
(`attributeRoleMappings`, `attributeTeamMappings`,
`attributeBusinessUnitMappings`) remain as-is and the sentence reads that these
mappings work with any Entra claim (e.g., `groups` from Step 6, `role` from
Steps 2/7, or other claims like `department` or `organization`).
- Around line 287-325: The configuration docs only show the Web UI; add the
required three-tab structure using the <Tabs> component with <Tab title="Web
UI"> (retain the existing Step 9 UI content), <Tab title="API"> (add the
equivalent API call/HTTP request and response examples for configuring Microsoft
Entra/SCIM), and <Tab title="config.json"> (include a schema-valid JSON example
matching fields like tenantId, clientId, clientSecret, audience,
attributeRoleMappings, etc. and ensure the example validates against
transports/config.schema.json). Also mention the restart note inside the Web UI
tab and keep the Configuration Reference table available to all tabs.

---

Duplicate comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 421-422: The sentence incorrectly asserts that the groups
attribute is already present in the token; update the wording in the Bifrost
mappings fallback to clarify that the groups claim must be enabled/configured
(reference Step 6 / Attribute Mappings), and instruct readers to
enable/configure the groups claim in their token before switching mappings to
use groups to avoid the same failure mode.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4a164d1d-7d3f-4484-9813-6c35acdd2dbb

📥 Commits

Reviewing files that changed from the base of the PR and between 6ceaaa7 and 328686d.

📒 Files selected for processing (1)

• docs/enterprise/setting-up-entra.mdx

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

docs/enterprise/setting-up-entra.mdx (3)

333-339: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clean up the stale Okta copy and broken step references here.

Line 333 still says “Okta claims”, and Line 339 points readers to Step 4 / Step 5 even though those sections are now client-secret and API-permission setup. That makes the mapping guidance actively misleading in the Entra guide.

✏️ Suggested wording

-Attribute mappings let you translate Entra claim values into Bifrost roles, teams, or business units without restructuring your Okta claims. Bifrost supports three mapping types:
+Attribute mappings let you translate Entra claim values into Bifrost roles, teams, or business units without restructuring your token claims. Bifrost supports three mapping types:
@@
-These mappings work with any Entra claim - the `groups` claim from Step 5, the custom `role` claim from Step 4, or any other claim your authorization server includes in the token (e.g., `department`, `organization`).
+These mappings work with any Entra claim — for example the `roles` claim from your Entra app-role assignments, the `groups` claim enabled in the token-claims / manifest steps above, or any other claim included in the token (for example `department` or `organization`).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 333 - 339, The paragraph
currently refers to "Okta claims" and points to Step 4 / Step 5 which are no
longer the claim-setup steps; update the wording to reference Entra instead of
Okta and remove broken step links: in the sentence mentioning claims, replace
"Okta claims" with "Entra claims" and change the Step 4 / Step 5 pointer to a
neutral reference like "the groups claim configured earlier" or "the custom role
claim you added in the Entra application" so readers are directed to the correct
claim-configuration context; ensure the three mapping types
(attributeRoleMappings, attributeTeamMappings, attributeBusinessUnitMappings)
remain intact and that examples cite Entra claim names (e.g., groups, role,
department) rather than Okta.

---

364-370: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make the role-mapping evaluation rules internally consistent.

This section now describes three different behaviors for attributeRoleMappings: first match wins, highest privilege wins, and a no-match Admin/Viewer fallback. Those rules are mutually incompatible, so admins will configure mappings differently depending on which sentence they trust.

Please collapse this to one rule set and make the bullet + note use the same semantics.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 364 - 370, The
role-mapping text is inconsistent; update the section so all sentences use one
consistent rule set for attributeRoleMappings: state that attributeRoleMappings
are ordered and use first-match-wins (if multiple role mapping rules match the
first matching rule is applied), keep Team and business unit mappings as “all
matching rules apply,” and make the no-match fallback explicit (if no role
mapping matches, the first user to sign in receives Admin and subsequent users
receive Viewer). Ensure the bullets and the Note both reflect this single
semantics and reference attributeRoleMappings and role mapping rules
consistently.

---

289-327: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add the required Web UI / API / config.json tabs to this setup section.

Step 9 currently documents only the UI path plus a reference table, so readers still don't get the standard API and copy-pastable config.json flows this docs path requires. Please restructure this section into the required tabs and include a validated config.json example alongside the UI instructions.

As per coding guidelines, docs/**/*.mdx: Mintlify MDX documentation must have Web UI / API / config.json tabs; validate config.json examples against transports/config.schema.json.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 289 - 327, Update the
"Step 9: Configure Bifrost" section to present three tabs: "Web UI", "API", and
"config.json"; under the Web UI tab keep the existing UI step list and
screenshot, under the API tab add curl/HTTP examples to create/update the SCIM
provider (include request URL, headers, and JSON body fields matching tenantId,
clientId, clientSecret, audience, attributeRoleMappings, attributeTeamMappings,
attributeBusinessUnitMappings), and under the config.json tab provide a
complete, copy-pastable JSON block named for the SCIM Entra provider that
validates against transports/config.schema.json (include required keys tenantId,
clientId, clientSecret and optional audience and mapping arrays), then ensure
the docs text references the mapping behavior (first-match for
attributeRoleMappings, all-match for attributeTeamMappings/business units) and
add the restart warning after save as before.

♻️ Duplicate comments (1)

docs/enterprise/setting-up-entra.mdx (1)

423-424: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Don't imply the groups claim is always present.

“which is already in the token” conflicts with the earlier Step 6 / Step 8 guidance where groups is only available after enabling group claims. As written, this fallback can send readers into a broken setup.

✏️ Suggested wording

-If you don't want to use app roles at all, switch your Bifrost mappings to use the `groups` attribute (which is already in the token) instead of `roles`. See [Attribute Mappings](`#attribute-mappings`).
+If you don't want to use app roles at all, switch your Bifrost mappings to use the `groups` attribute instead of `roles` — but only after enabling group claims in the token configuration / manifest steps above. See [Attribute Mappings](`#attribute-mappings`).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 423 - 424, The sentence
implies the groups claim is always present; update the text so the fallback to
using the `groups` attribute for Bifrost mappings is conditional — e.g., say "if
group claims are enabled in Entra" — and remove or replace "which is already in
the token" with a note referencing the earlier guidance (Step 6 / Step 8) that
`groups` is only present after enabling group claims; keep mentions of `groups`,
`roles`, `Bifrost mappings`, and the "Attribute Mappings" section so readers
know where to configure it.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 333-339: The paragraph currently refers to "Okta claims" and
points to Step 4 / Step 5 which are no longer the claim-setup steps; update the
wording to reference Entra instead of Okta and remove broken step links: in the
sentence mentioning claims, replace "Okta claims" with "Entra claims" and change
the Step 4 / Step 5 pointer to a neutral reference like "the groups claim
configured earlier" or "the custom role claim you added in the Entra
application" so readers are directed to the correct claim-configuration context;
ensure the three mapping types (attributeRoleMappings, attributeTeamMappings,
attributeBusinessUnitMappings) remain intact and that examples cite Entra claim
names (e.g., groups, role, department) rather than Okta.
- Around line 364-370: The role-mapping text is inconsistent; update the section
so all sentences use one consistent rule set for attributeRoleMappings: state
that attributeRoleMappings are ordered and use first-match-wins (if multiple
role mapping rules match the first matching rule is applied), keep Team and
business unit mappings as “all matching rules apply,” and make the no-match
fallback explicit (if no role mapping matches, the first user to sign in
receives Admin and subsequent users receive Viewer). Ensure the bullets and the
Note both reflect this single semantics and reference attributeRoleMappings and
role mapping rules consistently.
- Around line 289-327: Update the "Step 9: Configure Bifrost" section to present
three tabs: "Web UI", "API", and "config.json"; under the Web UI tab keep the
existing UI step list and screenshot, under the API tab add curl/HTTP examples
to create/update the SCIM provider (include request URL, headers, and JSON body
fields matching tenantId, clientId, clientSecret, audience,
attributeRoleMappings, attributeTeamMappings, attributeBusinessUnitMappings),
and under the config.json tab provide a complete, copy-pastable JSON block named
for the SCIM Entra provider that validates against transports/config.schema.json
(include required keys tenantId, clientId, clientSecret and optional audience
and mapping arrays), then ensure the docs text references the mapping behavior
(first-match for attributeRoleMappings, all-match for
attributeTeamMappings/business units) and add the restart warning after save as
before.

---

Duplicate comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 423-424: The sentence implies the groups claim is always present;
update the text so the fallback to using the `groups` attribute for Bifrost
mappings is conditional — e.g., say "if group claims are enabled in Entra" — and
remove or replace "which is already in the token" with a note referencing the
earlier guidance (Step 6 / Step 8) that `groups` is only present after enabling
group claims; keep mentions of `groups`, `roles`, `Bifrost mappings`, and the
"Attribute Mappings" section so readers know where to configure it.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b0855f6a-88f6-4674-a7f2-6c9ae860f7bd

📥 Commits

Reviewing files that changed from the base of the PR and between 328686d and 1c02c4f.

📒 Files selected for processing (1)

• docs/enterprise/setting-up-entra.mdx

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docs/enterprise/setting-up-entra.mdx (2)

337-337: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix incorrect step cross-references.

The text references incorrect steps:

• "the groups claim from Step 5" → groups claim is configured in Step 6 (Token Claims), not Step 5 (API Permissions)
• "the custom role claim from Step 4" → app roles are created in Step 2 (Create App Roles), not Step 4 (Client Secret)

📝 Suggested fix

-These mappings work with any Entra claim - the `groups` claim from Step 5, the custom `role` claim from Step 4, or any other claim your authorization server includes in the token (e.g., `department`, `organization`).
+These mappings work with any Entra claim - the `groups` claim from Step 6, the custom `role` claim from Step 2, or any other claim your authorization server includes in the token (e.g., `department`, `organization`).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` at line 337, Update the sentence that
incorrectly references step numbers: change "the `groups` claim from Step 5" to
"the `groups` claim from Step 6" and change "the custom `role` claim from Step
4" to "the custom `role` claim from Step 2" so the references to "groups claim"
and "custom `role` claim" match the Token Claims (Step 6) and Create App Roles
(Step 2) sections respectively.

---

362-368: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clarify contradictory role mapping behavior.

Line 362 states users are "not allowed to login" if no rule matches, but lines 367-368 state unmatched users receive a default role (Admin for first user, Viewer for subsequent). These statements contradict each other.

Please clarify when each behavior applies. For example, does line 362 apply only when attributeRoleMappings is configured, while lines 367-368 describe behavior when no mappings exist at all?

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` around lines 362 - 368, Clarify the
contradictory statements by specifying the two different cases: when
attribute-based role mappings are configured (attributeRoleMappings / Role
mappings list) and when no mappings exist at all; update the "Role mappings"
bullet to say that if attributeRoleMappings is configured and no rule matches,
users are not allowed to log in, and update the Note to state that when no
attributeRoleMappings are configured at all (no mapping rules present), the
first user to sign in is assigned Admin and subsequent users receive Viewer;
reference the terms "Role mappings"/"attributeRoleMappings" and the Note about
"first user Admin, subsequent Viewer" so readers can see which behavior applies
in each scenario.

♻️ Duplicate comments (1)

docs/enterprise/setting-up-entra.mdx (1)

421-421: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify that groups requires Step 6 configuration.

The phrase "which is already in the token" implies the groups claim is present by default, but Step 6 (Configure Token Claims) is marked optional. Users who skipped Step 6 won't have the groups claim available.

Consider adding a reference to Step 6:

📝 Suggested fix

-If you don't want to use app roles at all, switch your Bifrost mappings to use the `groups` attribute (which is already in the token) instead of `roles`. See [Attribute Mappings](`#attribute-mappings`).
+If you don't want to use app roles at all, switch your Bifrost mappings to use the `groups` attribute instead of `roles` — this requires completing Step 6 (Token Claims) first. See [Attribute Mappings](`#attribute-mappings`).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/enterprise/setting-up-entra.mdx` at line 421, Update the sentence
mentioning the `groups` attribute to clarify that the `groups` claim is not
present by default unless the user completed Step 6: Configure Token Claims;
explicitly state that if they skipped Step 6 they must enable/configure the
`groups` claim there before switching Bifrost mappings from `roles` to `groups`,
and add a short inline link/reference to Step 6 and the Attribute Mappings
section so readers know where to configure token claims.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Around line 243-247: The docs currently instruct to set
"accessTokenAcceptedVersion": 2 which uses the deprecated Azure AD Graph
manifest field; update the manifest example to the Microsoft Graph format by
replacing the root-level accessTokenAcceptedVersion with the nested
api.requestedAccessTokenVersion property (i.e., use
api.requestedAccessTokenVersion: 2 instead of accessTokenAcceptedVersion), and
adjust any surrounding text to reference api.requestedAccessTokenVersion and the
Entra admin center showing the modern manifest schema.

---

Outside diff comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Line 337: Update the sentence that incorrectly references step numbers: change
"the `groups` claim from Step 5" to "the `groups` claim from Step 6" and change
"the custom `role` claim from Step 4" to "the custom `role` claim from Step 2"
so the references to "groups claim" and "custom `role` claim" match the Token
Claims (Step 6) and Create App Roles (Step 2) sections respectively.
- Around line 362-368: Clarify the contradictory statements by specifying the
two different cases: when attribute-based role mappings are configured
(attributeRoleMappings / Role mappings list) and when no mappings exist at all;
update the "Role mappings" bullet to say that if attributeRoleMappings is
configured and no rule matches, users are not allowed to log in, and update the
Note to state that when no attributeRoleMappings are configured at all (no
mapping rules present), the first user to sign in is assigned Admin and
subsequent users receive Viewer; reference the terms "Role
mappings"/"attributeRoleMappings" and the Note about "first user Admin,
subsequent Viewer" so readers can see which behavior applies in each scenario.

---

Duplicate comments:
In `@docs/enterprise/setting-up-entra.mdx`:
- Line 421: Update the sentence mentioning the `groups` attribute to clarify
that the `groups` claim is not present by default unless the user completed Step
6: Configure Token Claims; explicitly state that if they skipped Step 6 they
must enable/configure the `groups` claim there before switching Bifrost mappings
from `roles` to `groups`, and add a short inline link/reference to Step 6 and
the Attribute Mappings section so readers know where to configure token claims.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0228902b-d33e-4907-a550-7727e83924dc

📥 Commits

Reviewing files that changed from the base of the PR and between 1c02c4f and 75cbd06.

📒 Files selected for processing (1)

• docs/enterprise/setting-up-entra.mdx

[akshaydeo]

Merge activity

• May 6, 8:54 AM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 6, 8:58 AM UTC: @akshaydeo merged this pull request with Graphite.

The base branch was changed.