2025-10-28: Upgraded ACLs to use Azure AI Search Query-time ACL
This release makes a significant change to our optional ACL feature, which builds on the login feature.
Previously, we implemented access controls by storing oids and groups in the search index for each chunk and dynamically building a search filter from the oids/groups in the logged-in user's token.
Azure AI Search now has built-in support for filtering documents based on a user's token, so we keep the same index setup but delegate the filtering to the AI Search query itself.
If you already have the ACL feature enabled, you should be able to pull in the new changes, run "azd up", and have prepdocs set up the new permission filtering option on the index. If you have the AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS option enabled, you'll also need to run the migration script to explicitly add a global identifier to the ACLs for those documents. Please also ensure that your azd environment has AZURE_ENFORCE_ACCESS_CONTROL set, as we discovered that some code paths weren't requiring it before (but do now).
If you are new to using the feature, please read through the login and ACLs guide to learn more.
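As an added illustration (not the project's own code), the earlier application-side approach described above can be sketched as a function that turns the token's oid and groups claims into an OData filter over the oids and groups index fields. The function names, the enforce parameter and the sample claims are assumptions made for this example; with query-time ACLs, Azure AI Search performs this filtering instead.

```python
import re

# Entra ID object and group ids are GUIDs; other values are rejected, not escaped.
_GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample claims (not real identities).
SAMPLE_CLAIMS = {
    "oid": "11111111-1111-1111-1111-111111111111",
    "groups": ["22222222-2222-2222-2222-222222222222"],
}


class AccessControlError(Exception):
    """Raised when no safe filter can be built for the caller."""


def valid_ids(values):
    """Return the values unchanged if every one is a GUID string, else raise."""
    ids = list(values or [])
    for value in ids:
        if not isinstance(value, str) or not _GUID.fullmatch(value):
            raise AccessControlError(f"claim value is not a GUID: {value!r}")
    return ids


def build_acl_filter(claims, enforce=True):
    """Build an OData filter matching chunks whose oids/groups include the caller.

    Returns None (no filter) only when enforce is False and the token has no ids.
    """
    oid = claims.get("oid")
    oids = valid_ids([oid] if oid else [])
    groups = valid_ids(claims.get("groups"))
    clauses = []
    if oids:
        clauses.append("oids/any(o: search.in(o, '%s'))" % ",".join(oids))
    if groups:
        clauses.append("groups/any(g: search.in(g, '%s'))" % ",".join(groups))
    if not clauses:
        if enforce:
            # Fail closed: never fall through to an unfiltered query.
            raise AccessControlError("token has no oid or groups")
        return None
    return "(" + " or ".join(clauses) + ")"


if __name__ == "__main__":
    print(build_acl_filter(SAMPLE_CLAIMS))
```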
What's Changed
- Better support for coding agents by @pamelafox in #2725
- added Polish locales by @michuhu in #2729
- Bump jiter from 0.8.2 to 0.11.0 by @dependabot[bot] in #2731
- Bump msal from 1.30.0 to 1.33.0 by @dependabot[bot] in #2713
- Resolve issues with colliding private endpoint names, and redundant private endpoints by @kachihro in #2740
- Add missing set in command by @pamelafox in #2746
- Add tests for auth_init.py by @pamelafox in #2741
- Bump oauthlib from 3.2.2 to 3.3.1 by @dependabot[bot] in #2747
- Sanitize image markdown in sources by @pamelafox in #2765
- Restrict locations due to App Insights components availability by @pamelafox in #2764
- Add 'australiaeast' to allowed regions by @kachihro in #2770
- Bump multidict from 6.0.5 to 6.7.0 by @dependabot[bot] in #2768
- Group telemetry together for pip updates by @pamelafox in #2792
- Bump prismjs and react-syntax-highlighter in /app/frontend by @dependabot[bot] in #2791
- Bump the telemetry group with 21 updates by @dependabot[bot] in #2793
- Add dependabot group for pydantic by @pamelafox in #2795
- Bump markupsafe from 2.1.5 to 3.0.3 by @dependabot[bot] in #2794
- Bump vite from 5.4.19 to 6 in /app/frontend by @dependabot[bot] in #2782
- Bump pypdf from 6.0.0 to 6.1.3 in /app/backend by @pamelafox in #2799
- Bump rapidfuzz from 3.13.0 to 3.14.1 by @dependabot[bot] in #2798
- Bump asgiref from 3.8.1 to 3.10.0 by @dependabot[bot] in #2797
- Update link that's now 404ing by @pamelafox in #2801
- Bump the pydantic group with 2 updates by @dependabot[bot] in #2796
- Switch from security filter to built-in ACL enforcement by @mattgotteiner in #2771
Full Changelog: 2025-09-11...2025-10-28