Teams & Access Control

Configure team separation and role-based access using Azure AD.

Overview

Team separation is a core feature of Ajutant. It ensures that conversations, documents, and assistant access are isolated by team. The board can’t see legal’s chats. HR can’t access finance’s document uploads. This isn’t a “nice to have” in regulated industries — it’s a requirement.

How It Works

Ajutant maps Azure AD security groups to platform teams. When a user signs in, their group memberships determine:

  1. Which assistants they see on the dashboard
  2. Which conversations they can access (their own only)
  3. Which document collections they can query

There’s no application-level user management to maintain. Your existing Azure AD groups are the single source of truth.

Setting Up Teams

1. Create Azure AD Security Groups

If you don’t already have suitable groups, create them in Azure AD / Entra ID:

Legal Team → sg-ajutant-legal
HR Team → sg-ajutant-hr
Finance Team → sg-ajutant-finance
Executive Team → sg-ajutant-exec

2. Map Groups in Ajutant

Navigate to Admin → Teams and map each Azure AD group:

  • Team name — Display name in Ajutant (e.g., “Legal”)
  • Azure AD Group ID — The Object ID of the security group
  • Default assistants — Which assistants are available to this team by default

3. Assign Users

Add users to the appropriate Azure AD groups. Changes propagate to Ajutant on next sign-in — no sync delay.

Admin Roles

Ajutant has two admin levels:

Role: Capabilities
Platform Admin: Full access: manage assistants, teams, models, settings
Team Admin: Manage assistants and documents for their team only

Platform Admins are identified by membership in a designated Azure AD group (configured during deployment).

Access Control Rules

  • Users see only assistants assigned to their team(s)
  • Users in multiple groups see assistants from all their teams
  • Conversation data is private to the user who created it
  • Document collections can be scoped to specific teams
  • Admin access does not grant visibility into user conversations

Privacy by default

Even Platform Admins cannot read user conversations. The admin panel shows usage statistics and configuration — not conversation content.
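The rules above, expressed as a small authorization check over the group claims of a signed-in user. This is an added example, not Ajutant's own code; the group Object IDs, assistant names and collection names are constructed placeholders, and the team-to-assistant and collection-to-team mappings stand in for what Admin → Teams would hold.

```python
from dataclasses import dataclass

# Constructed sample data: placeholder Azure AD group Object IDs, not real tenants.
GROUP_TO_TEAM = {
    "11111111-0000-0000-0000-000000000001": "Legal",
    "11111111-0000-0000-0000-000000000002": "HR",
    "11111111-0000-0000-0000-000000000003": "Finance",
}
# Designated Platform Admin group (placeholder), as configured during deployment.
PLATFORM_ADMIN_GROUP = "11111111-0000-0000-0000-000000000099"
# Default assistants per team, as mapped under Admin -> Teams (constructed).
TEAM_ASSISTANTS = {"Legal": {"contract-review"}, "HR": {"policy-qa"}, "Finance": {"budget-qa"}}
# Document collections scoped to specific teams (constructed).
COLLECTION_TEAMS = {"nda-archive": {"Legal"}, "handbook": {"HR", "Legal"}}


@dataclass
class Conversation:
    owner: str   # user who created it
    team: str    # team context it was started in


def teams_for(groups):
    """Resolve teams from the group claims in the sign-in token; unknown groups are ignored."""
    return {GROUP_TO_TEAM[g] for g in groups if g in GROUP_TO_TEAM}


def visible_assistants(groups):
    """Users in multiple groups see the union of their teams' assistants."""
    return set().union(*(TEAM_ASSISTANTS.get(t, set()) for t in teams_for(groups)))


def can_query_collection(groups, collection):
    """A collection is queryable only if the user shares a team with its scope."""
    return bool(teams_for(groups) & COLLECTION_TEAMS.get(collection, set()))


def is_platform_admin(groups):
    return PLATFORM_ADMIN_GROUP in groups


def can_read_conversation(user, groups, conv):
    """Conversations are private to their creator; admin membership does not override this."""
    return conv.owner == user
```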