A security-first architecture for propagating SharePoint document-level permissions into AI search indexes, RAG pipelines, and Copilot extensions. The approach uses Microsoft Graph's Sites.Selected permission for least-privilege access, materializes ACLs at ingestion time by resolving hierarchical SharePoint permissions into flat allowedUsers/allowedGroups fields stored as Microsoft Entra ID GUIDs, and enforces authorization via query-time filtering before documents are returned. Key design decisions include using stable GUIDs over emails, preserving group IDs for offline expansion, and planning for periodic re-ingestion to handle permission staleness. Common pitfalls like using Sites.Read.All, post-retrieval filtering, and ignoring group expansion are also addressed.
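The following is an added example (not code from the original article or from Microsoft) that shows the core of the pattern described above in Python: documents in the index carry flat `allowed_users` / `allowed_groups` fields of Entra ID object GUIDs materialized at ingestion, the caller's principal set is expanded offline from stored group IDs (including nested groups), and the authorization filter is applied before ranking so that no unauthorized document is ever handed to the ranker or the LLM. The `search_post_filtered` function is included only to contrast the pitfall of filtering after retrieval. All GUIDs, group memberships and documents are constructed sample data; in production the membership data would come from Microsoft Graph (for example the user's transitive group membership), not a hand-built map.

```python
"""Query-time ACL filtering over an AI search index (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class IndexedDocument:
    doc_id: str
    content: str
    allowed_users: FrozenSet[str] = frozenset()   # Entra ID user object GUIDs
    allowed_groups: FrozenSet[str] = frozenset()  # Entra ID group object GUIDs


# Constructed sample GUIDs; these are not real tenant objects.
USER_ALICE = "11111111-1111-4111-8111-111111111111"
USER_BOB = "22222222-2222-4222-8222-222222222222"
GROUP_ALL_STAFF = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
GROUP_EXECS = "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
GROUP_FINANCE = "cccccccc-cccc-4ccc-8ccc-cccccccccccc"

# Constructed membership graph: group GUID -> member GUIDs (users or nested groups).
# In production this comes from Microsoft Graph rather than a static map.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    GROUP_ALL_STAFF: {USER_ALICE, USER_BOB},
    GROUP_EXECS: {USER_ALICE},
    GROUP_FINANCE: {GROUP_EXECS},  # nested: execs inherit finance access
}

# Constructed index with ACLs already flattened at ingestion time.
INDEX: List[IndexedDocument] = [
    IndexedDocument("doc-handbook", "Employee handbook and leave policy",
                    allowed_groups=frozenset({GROUP_ALL_STAFF})),
    IndexedDocument("doc-budget", "FY budget forecast and headcount plan",
                    allowed_groups=frozenset({GROUP_FINANCE})),
    IndexedDocument("doc-alice-notes", "Alice private notes: notes on notes",
                    allowed_users=frozenset({USER_ALICE})),
    IndexedDocument("doc-bob-notes", "Bob personal notes",
                    allowed_users=frozenset({USER_BOB})),
]


def expand_principals(user_id: str, group_members: Dict[str, Set[str]]) -> Set[str]:
    """Return the user's GUID plus every group that transitively contains the user.

    Walks the reverse membership graph so nested groups are honoured; this is the
    "offline expansion" that storing group IDs (rather than pre-expanded users) allows.
    """
    reverse: Dict[str, Set[str]] = {}
    for group, members in group_members.items():
        for member in members:
            reverse.setdefault(member, set()).add(group)
    principals = {user_id}
    frontier = [user_id]
    while frontier:
        current = frontier.pop()
        for parent in reverse.get(current, ()):
            if parent not in principals:
                principals.add(parent)
                frontier.append(parent)
    return principals


def is_authorized(doc: IndexedDocument, principals: Set[str]) -> bool:
    """A document is visible if any principal appears in either ACL field."""
    return bool(doc.allowed_users & principals) or bool(doc.allowed_groups & principals)


def _score(doc: IndexedDocument, query: str) -> int:
    """Toy relevance score: number of query-term occurrences in the content."""
    tokens = re.findall(r"[a-z0-9]+", doc.content.lower())
    return sum(tokens.count(term) for term in re.findall(r"[a-z0-9]+", query.lower()))


def search(query: str, index: List[IndexedDocument], user_id: str,
           group_members: Dict[str, Set[str]], top_k: int = 5) -> List[str]:
    """Correct pattern: authorize first, then rank only the permitted candidates."""
    principals = expand_principals(user_id, group_members)
    candidates = [d for d in index if is_authorized(d, principals)]
    ranked = sorted(candidates, key=lambda d: _score(d, query), reverse=True)
    return [d.doc_id for d in ranked[:top_k]]


def search_post_filtered(query: str, index: List[IndexedDocument], user_id: str,
                         group_members: Dict[str, Set[str]], top_k: int = 5) -> List[str]:
    """Pitfall for contrast: rank everything, truncate, then filter.

    Unauthorized documents occupy top-k slots, so the caller gets fewer (or no)
    results, and sensitive content has already been pulled from the index.
    """
    principals = expand_principals(user_id, group_members)
    ranked = sorted(index, key=lambda d: _score(d, query), reverse=True)[:top_k]
    return [d.doc_id for d in ranked if is_authorized(d, principals)]


if __name__ == "__main__":
    print("bob, pre-filter :", search("notes", INDEX, USER_BOB, GROUP_MEMBERS, top_k=1))
    print("bob, post-filter:", search_post_filtered("notes", INDEX, USER_BOB, GROUP_MEMBERS, top_k=1))
```

Alice reaches the finance document only through the nested `GROUP_EXECS` → `GROUP_FINANCE` path, which is exactly the case a naive single-level expansion misses; with `top_k=1`, Bob's query for "notes" returns his own document under the pre-filter design and nothing at all under the post-retrieval filter, because Alice's higher-scoring private document consumed the only slot.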
Table of contents
- Executive Summary
- Introduction: The Problem
- The Journey: Our Approach and Solution
- The Destination: Outcomes and Learnings
- Conclusion
- Further Reading