Identity & Access
No Separate Identity Store
Sensei IQ does not maintain its own identity system. There are no Sensei-managed usernames, passwords, or authentication credentials for users of the application. Authentication is handled entirely by Microsoft Entra ID (formerly Azure Active Directory) — the same identity platform your organization already uses for Microsoft 365.
This means that all of your existing identity governance — password policies, MFA requirements, Conditional Access policies, account lifecycle management — applies to Sensei IQ automatically.
Authentication: Microsoft Entra ID & OAuth 2.0
When a user opens Sensei IQ, the authentication flow is managed by Microsoft:
- The user's browser initiates an OAuth 2.0 authorization request to your tenant's Entra ID
- Entra ID authenticates the user (applying your tenant's sign-in policies, including MFA if configured)
- Entra ID issues an access token scoped to the Power Platform resource
- Power Apps and Dataverse validate the token on every request
Sensei does not participate in this authentication flow. We do not issue tokens, store credentials, or intercept authentication requests.
Multi-Factor Authentication
MFA enforcement for Sensei IQ is governed by your organization's Conditional Access policies in Entra ID. If your organization requires MFA for Power Platform or all cloud applications, that requirement applies to Sensei IQ without any additional configuration.
Sensei recommends that organizations enable MFA for all users of Sensei IQ as part of their standard M365 security posture. However, the ability to enforce or relax this requirement rests entirely with your tenant administrators.
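The two sections above describe token issuance by Entra ID and MFA enforcement through Conditional Access. The following added example (not Sensei IQ, Power Platform or Microsoft code) shows the claim checks a resource applies to an Entra ID access token once the signature has been verified against the tenant's published signing keys: issuer and tenant id, audience, validity window, and whether the `amr` claim records that a second factor was satisfied. The tenant id, audience and sample claims are constructed; the v2.0 issuer format and the presence of the `amr` claim are assumptions, and signature verification is intentionally left to the platform, as the page says.

```python
"""Claim checks a resource applies to an Entra ID access token after it has
verified the signature.  Added illustration; this is not Sensei IQ, Power
Platform or Microsoft code, and the tenant id and audience below are made up."""
import base64
import json
import time
from typing import List, Optional

# Constructed values: a fictitious tenant id and a placeholder audience.
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"
EXPECTED_AUDIENCE = "api://example-resource"
CLOCK_SKEW = 300  # seconds of tolerance applied to exp/nbf


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, the encoding JWT segments use."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT (header.payload.signature).
    The signature is deliberately not checked here: a resource must verify it
    against the tenant's published signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def check_claims(claims: dict, now: Optional[int] = None,
                 require_mfa: bool = True) -> List[str]:
    """Return the list of problems found; an empty list means accept."""
    now = int(time.time()) if now is None else now
    problems = []
    # Issuer and tenant: assumes the v2.0 issuer format for the expected tenant.
    if claims.get("iss") != f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0":
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tid") != EXPECTED_TENANT:
        problems.append("token issued for a different tenant")
    # Audience: a token minted for another resource must not be accepted here.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append(f"audience {claims.get('aud')!r} is not this resource")
    # Lifetime, with a small allowance for clock skew.
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        problems.append("token expired")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        problems.append("token not yet valid")
    # amr lists the authentication methods used; "mfa" records that a second
    # factor was satisfied (assumes the token carries this claim).
    if require_mfa and "mfa" not in claims.get("amr", []):
        problems.append("no MFA recorded in amr")
    return problems


def encode_token(claims: dict) -> str:
    """Build a compact JWT with a dummy signature for the constructed sample."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummy-signature"


# Constructed sample claims: the shape of a real token, with made-up values.
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0",
    "tid": EXPECTED_TENANT,
    "aud": EXPECTED_AUDIENCE,
    "sub": "constructed-subject-id",
    "nbf": SAMPLE_NOW - 60,
    "exp": SAMPLE_NOW + 3600,
    "amr": ["pwd", "mfa"],
}

if __name__ == "__main__":
    token = encode_token(SAMPLE_CLAIMS)
    print("good token problems:", check_claims(decode_claims(token), now=SAMPLE_NOW))
    stale = dict(SAMPLE_CLAIMS, exp=SAMPLE_NOW - 1000, amr=["pwd"])
    print("stale, password-only token problems:", check_claims(stale, now=SAMPLE_NOW))
```

The audience check is the one that matters most for a resource in a shared identity platform: a token that is perfectly valid for another Power Platform or Microsoft 365 resource must still be rejected here, which is why `aud` is compared exactly rather than by prefix.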
Authorization: Dataverse Security Roles
Once authenticated, access to data within Sensei IQ is governed by Dataverse security roles. These roles define what records a user can read, create, update, or delete within each Dataverse table.
Sensei IQ ships with a set of pre-defined security roles designed around the principle of least privilege:
- Users are granted access to the records relevant to their function
- Administrative capabilities are separated into distinct roles
- Role assignments are managed by your organization's Dataverse administrators
Sensei does not have the ability to assign or modify security role assignments in your environment. Role management is entirely within your administrators' control.
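Since role assignment stays with your Dataverse administrators, a periodic least-privilege review of the roles in the environment is the check that follows from this section. The added example below (not Sensei IQ code; the role names, table names and privilege grants are constructed placeholders, and the table/privilege/access-level mapping is a simplified stand-in for the full role metadata) flags non-administrative roles that carry organization-wide Delete or Assign, or mutating access to the administrative tables, and shows how Dataverse unions the privileges of every role a user holds, keeping the widest access level for each table and privilege.

```python
"""Least-privilege checks over Dataverse security role definitions.
Added illustration, not Sensei IQ code: the role names, table list and
privilege assignments below are constructed, and the simplified representation
(table -> privilege -> access level) stands in for the full role metadata."""
from typing import Dict, List

# Dataverse access levels from narrowest to widest.
DEPTHS = ["None", "User", "BusinessUnit", "ParentChild", "Organization"]
PRIVILEGES = ("Create", "Read", "Write", "Delete", "Append", "AppendTo", "Assign", "Share")
# Tables whose write access amounts to administering the environment.
ADMIN_TABLES = {"role", "systemuser", "team"}
MUTATING = {"Create", "Write", "Delete", "Assign", "Share"}

Role = Dict[str, Dict[str, str]]  # table -> privilege -> access level


def depth_rank(level: str) -> int:
    return DEPTHS.index(level)


def effective_privileges(roles: List[Role]) -> Role:
    """Dataverse unions the privileges of every role a user holds, keeping the
    widest access level for each table/privilege pair."""
    merged: Role = {}
    for role in roles:
        for table, privs in role.items():
            for priv, level in privs.items():
                current = merged.setdefault(table, {}).get(priv, "None")
                if depth_rank(level) > depth_rank(current):
                    merged[table][priv] = level
    return merged


def audit_role(name: str, role: Role, is_admin_role: bool = False) -> List[str]:
    """Flag privileges a non-administrative role should not carry."""
    findings = []
    for table, privs in role.items():
        for priv, level in privs.items():
            if level not in DEPTHS or priv not in PRIVILEGES:
                findings.append(f"{name}: unknown privilege {priv}/{level} on {table}")
                continue
            if is_admin_role:
                continue
            if table in ADMIN_TABLES and priv in MUTATING and level != "None":
                findings.append(f"{name}: administrative privilege {priv} on {table}")
            if priv in ("Delete", "Assign") and level == "Organization":
                findings.append(f"{name}: organization-wide {priv} on {table}")
    return findings


# Constructed sample roles; names and tables are placeholders, not the roles
# Sensei IQ ships.
PROJECT_USER = {
    "example_project": {"Create": "User", "Read": "BusinessUnit", "Write": "User", "Delete": "User"},
    "example_task": {"Create": "User", "Read": "BusinessUnit", "Write": "User"},
}
OVERBROAD_USER = {
    "example_project": {"Read": "Organization", "Delete": "Organization"},
    "systemuser": {"Read": "Organization", "Write": "Organization"},
}
PROJECT_ADMIN = {
    "example_project": {"Read": "Organization", "Write": "Organization", "Delete": "Organization"},
    "role": {"Read": "Organization"},
}

if __name__ == "__main__":
    for label, role in [("Project User", PROJECT_USER), ("Overbroad User", OVERBROAD_USER)]:
        print(label, audit_role(label, role) or "ok")
    print("Project Admin", audit_role("Project Admin", PROJECT_ADMIN, is_admin_role=True) or "ok")
    # A user holding both roles gets the admin role's wider Read on the project table.
    print(effective_privileges([PROJECT_USER, PROJECT_ADMIN])["example_project"])
```

The union behaviour is the reason the page's separation of administrative capabilities into distinct roles matters: assigning an administrative role to a user does not narrow anything, it only widens, so reviewing who holds each role is as important as reviewing what the role grants.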
Service Principals for Integrations & Deployments
Some Sensei IQ capabilities — including external system integrations and certain automated processes — use Microsoft Entra service principals registered within your tenant. Service principals allow Sensei IQ components to perform automated operations without relying on individual user credentials.
Key characteristics of Sensei IQ service principals:
- Registered in your tenant: Service principals are created in your Entra ID, not in Sensei's environment
- Least privilege: Each service principal is granted only the permissions required for its specific function
- Client-controlled: Your administrators can view, monitor, audit, and revoke service principal access at any time through the Entra ID portal
- No credential sharing: Service principal secrets are stored in Azure Key Vault and are never transmitted outside of Sensei's secure development and deployment infrastructure
- Audited: All service principal activity is logged in your tenant's audit logs, accessible via Microsoft Purview
Clients can independently verify and revoke any service principal at any time.
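The verification the page says clients can perform independently comes down to three questions per service principal: does it hold only the app roles you expected, does it hold any directory-wide permission, and are its credentials current. The added example below (not Sensei IQ or Microsoft code) runs those checks over constructed records. It assumes the records have already been read from Microsoft Graph as `servicePrincipal` objects with their `appRoleAssignments` resolved to permission names (the `grantedAppRoles` field here is that resolved, constructed view); the appIds, names and dates are made up.

```python
"""Review checks over service principals registered in a tenant: app roles
outside the allowlist, high-privilege roles, and credential expiry.  Added
illustration, not Sensei IQ or Microsoft code.  The records below are
constructed; in practice they would come from Microsoft Graph (servicePrincipal
objects plus their appRoleAssignments, with appRoleIds resolved to permission
names), which this example assumes has already been done."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Application permissions that grant directory-wide control; a workload
# service principal should never need these.
HIGH_PRIVILEGE = {
    "Directory.ReadWrite.All",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}
SECRET_WARNING_DAYS = 30


def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO-8601 UTC timestamps ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_service_principal(sp: dict, allowed_roles: Set[str], now: datetime) -> List[str]:
    """Findings for one principal against its expected role set."""
    findings = []
    name = sp["displayName"]
    granted = set(sp.get("grantedAppRoles", []))
    for role in sorted(granted - allowed_roles):
        findings.append(f"{name}: app role {role} not in allowlist")
    for role in sorted(granted & HIGH_PRIVILEGE):
        findings.append(f"{name}: high-privilege app role {role}")
    if not sp.get("accountEnabled", True) and granted:
        findings.append(f"{name}: disabled but still holds app roles")
    for cred in sp.get("passwordCredentials", []) + sp.get("keyCredentials", []):
        ends = parse_graph_time(cred["endDateTime"])
        label = cred.get("displayName", cred.get("keyId", "credential"))
        if ends <= now:
            findings.append(f"{name}: credential {label} expired {ends.date()}")
        elif ends - now <= timedelta(days=SECRET_WARNING_DAYS):
            findings.append(f"{name}: credential {label} expires {ends.date()}")
    return findings


def audit_tenant(principals: List[dict], allowlist: Dict[str, Set[str]], now: datetime) -> List[str]:
    """allowlist maps appId -> expected app roles; appIds not in it are reported."""
    findings = []
    for sp in principals:
        if sp["appId"] not in allowlist:
            findings.append(f"{sp['displayName']}: appId {sp['appId']} not in the reviewed inventory")
            continue
        findings.extend(audit_service_principal(sp, allowlist[sp["appId"]], now))
    return findings


# Constructed sample records and allowlist (appIds, names and dates are made up).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
ALLOWLIST = {
    "00000000-0000-0000-0000-00000000aaaa": {"Sites.Read.All"},
    "00000000-0000-0000-0000-00000000bbbb": {"Mail.Send"},
}
PRINCIPALS = [
    {"displayName": "Example Integration", "appId": "00000000-0000-0000-0000-00000000aaaa",
     "accountEnabled": True, "grantedAppRoles": ["Sites.Read.All"],
     "passwordCredentials": [{"displayName": "rotated-2025", "endDateTime": "2026-05-01T00:00:00Z"}]},
    {"displayName": "Example Deployer", "appId": "00000000-0000-0000-0000-00000000bbbb",
     "accountEnabled": True, "grantedAppRoles": ["Mail.Send", "Directory.ReadWrite.All"],
     "passwordCredentials": [{"displayName": "old-secret", "endDateTime": "2025-06-10T00:00:00Z"}]},
    {"displayName": "Forgotten App", "appId": "00000000-0000-0000-0000-00000000cccc",
     "accountEnabled": False, "grantedAppRoles": [], "passwordCredentials": []},
]

if __name__ == "__main__":
    for line in audit_tenant(PRINCIPALS, ALLOWLIST, NOW):
        print(line)
```

Keeping the allowlist under version control alongside the review gives you a record of which permissions each principal was approved for, so a later change in your Entra ID shows up as a diff against that baseline rather than as a surprise in the audit log.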
Access Revocation
Because Sensei IQ runs entirely within your tenant and uses your identity platform, your organization has complete, unilateral control over access revocation:
- Individual user access: Remove the user's Dataverse security role or disable their Entra ID account
- Sensei staff access (if granted): Remove the Dataverse user record for the Sensei consultant's account
- Service principal access: Delete or disable the service principal registration in Entra ID
- Full application access: Remove the Power Platform solution and associated app registrations
No coordination with Sensei is required to revoke any form of access.