Configure Microsoft Entra ID as an Identity Provider (Enterprise)

Dremio supports Microsoft Entra ID (formerly Azure Active Directory) as an enterprise identity provider. Entra ID administrators can follow these instructions to enable single sign-on (SSO) authentication and allow users to log in to Dremio using Entra ID as the trusted third party.

Prerequisites

Configuring SSO in Entra ID requires:

  • Privileges in Entra ID that permit you to add, configure, and register applications
  • System administrator access for an Enterprise account in Dremio

If you are not a tenant administrator in Entra ID, you also need consent from the tenant administrator when you add the required API permissions in Entra ID.

Configure an Application for SSO

To configure SSO in Entra ID for Dremio users:

  1. In the Azure portal under Azure services, click the Microsoft Entra ID tile.

  2. In the left-navigation menu under Manage, click App registrations.

  3. Click New registration.

  4. Type a name for the application in the Name field.

  5. Select your desired account type in the Supported account types list. The default selection is Accounts in this organizational directory only (<your org> only - Single tenant).

  6. Under Redirect URI, in the Select a platform drop-down list, select Web and enter the following URI in the provided field: https://accounts.dremio.cloud/login/callback.

  7. Click the Register button.

  8. Copy and save the value for the Application (client) ID. The client ID is sensitive information and should be kept private. You will use it to configure authentication in Dremio later in this procedure.

  9. In the left-navigation menu under Manage, click Certificates & secrets.

  10. Click New client secret.

  11. In the Add a client secret panel, type a description for the secret in the Description field and select your desired lifespan for the secret in the Expires drop-down list.

  12. Click the Add button.

  13. Copy and save the value for the secret. The secret value is sensitive information and should be kept private. You will use it to configure authentication in Dremio later in this procedure.

  14. In the left-navigation menu under Manage, click API permissions.

  15. Confirm that the following permission is listed under API / Permissions name:

    • User.Read: Permits users to log in to the application, and permits the application to read the profiles and basic company information for logged-in users.

  16. Click Add a permission.

  17. In the Request API permissions panel, click the Microsoft Graph tile.

  18. Click the Delegated permissions tile.

  19. Under OpenId permissions, click the checkboxes next to the following options:

    • email: Permits the application to read users' primary email addresses.
    • offline_access: Permits the application to read and update users' data, even when they are not currently using the application.
    • openid: Permits users to sign in to the application with their work or school accounts and permits the application to view basic user profile information.
    • profile: Permits the application to view basic user profile information (name, avatar, and email address).

  20. In the search field under Select permissions, search for and select the checkboxes for each of the following permissions:

    • GroupMember.Read.All: Permits the application to read group properties, memberships, calendars, conversations, files, and other group content for all groups that the signed-in user can access.
      • In the search results, click the down-arrow for Group and select the checkbox for the GroupMember.Read.All permission.
    • User.Read.All: Permits the application to read all users' full profiles on behalf of the signed-in user.
      • In the search results, click the down-arrow for User and select the checkbox for the User.Read.All permission.

  21. Click the Add permissions button. The list of configured permissions should now include the following permissions:

    • email
    • GroupMember.Read.All
    • offline_access
    • openid
    • profile
    • User.Read
    • User.Read.All

  22. Click Grant admin consent for <tenant>.

    note

    If you are not a tenant administrator, the Grant admin consent for Dremio option is grayed out. A tenant administrator must provide the required consent for the GroupMember.Read.All and User.Read.All API permissions for the application.

  23. In the Grant admin consent confirmation dialog, click Yes. The statuses for the GroupMember.Read.All and User.Read.All API permissions change to Granted for <tenant>.

  24. In the left-navigation menu under Manage, click Branding & properties.

  25. Copy and save the Publisher domain (<domain_name>.onmicrosoft.com). You will use it to configure authentication in Dremio later in this procedure.

  26. In the Dremio console, on the organization page, click next to the organization name.

  27. Click the Authentication tab in the left sidebar.

  28. In the Enterprise section, click Add Provider to open the Add Provider dialog.

  29. In Step 1, select Azure Active Directory in the dropdown list.

  30. In Step 3, enter the domain, client ID, and secret information that you copied from Entra ID in the corresponding fields.

  31. Click Add. After the page loads, you should see Azure Active Directory listed as an authentication provider in the Enterprise section.

  32. Click the Enabled toggle to activate the Entra ID authentication provider.

Entra ID is now configured as an enterprise authentication provider. The Log in with Azure Active Directory button appears in the list of log-in options for your Dremio users. Any Entra ID user in your organization can use the Log in with Azure Active Directory button for SSO login.

Assign People and Groups to the Entra ID Application

The Entra ID application is configured to allow SSO login for any Entra ID user in your organization. To adjust the application settings so that only users who are assigned to the app can use Entra ID SSO to log in to Dremio:

  1. In the Azure portal under Azure services, click the Microsoft Entra ID tile.

  2. In the left-navigation menu under Manage, click Enterprise applications.

  3. Click the name of the SSO application.

  4. In the left-navigation menu under Manage, click Properties.

  5. Find the Assignment required? toggle and click Yes.

  6. Click Save.

With user assignment required, users who are not assigned to the application receive an error message from Microsoft when they try to use Entra ID SSO for Dremio.

Follow the instructions in the Entra ID documentation to assign users and groups to your application to ensure that users can use Entra ID for SSO log-in. The users you assign, whether individually or through their membership in an assigned group, can use the Log in with Azure Active Directory button immediately.

Use privileges and roles to manage user access to objects in Dremio.
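The procedure above leaves several settings that are worth re-checking periodically: the redirect URI entered in step 6, the client secret lifespan chosen in step 11, the seven delegated permissions and the tenant-wide admin consent from steps 19 to 23, and the Assignment required? toggle from the previous section. The following audit script is an added example and is not Dremio's or Microsoft's code. It operates on objects shaped like the Microsoft Graph `application`, `servicePrincipal` and `oauth2PermissionGrant` resources (that shape, and the idea that you would feed it the output of `az ad app show`, `az ad sp show` or a Graph query, are assumptions); the sample objects below are constructed inline with placeholder identifiers and deliberately contain a leftover localhost redirect URI, a secret that expires in two weeks, a permission that only has per-user consent, and assignment not required, so that each check has something to report.

```python
"""Audit an Entra ID app registration for the Dremio SSO settings described above.

Added example; input objects are constructed and only *shaped like* Microsoft
Graph application / servicePrincipal / oauth2PermissionGrant resources.
"""
from datetime import datetime, timezone

DREMIO_REDIRECT_URI = "https://accounts.dremio.cloud/login/callback"
REQUIRED_SCOPES = {"email", "GroupMember.Read.All", "offline_access", "openid",
                   "profile", "User.Read", "User.Read.All"}
# These two need tenant-wide admin consent (see the note under step 22).
ADMIN_CONSENT_SCOPES = {"GroupMember.Read.All", "User.Read.All"}


def check_redirect_uris(app):
    """Return (missing, unexpected) Web-platform redirect URIs."""
    uris = set(app.get("web", {}).get("redirectUris", []))
    return {DREMIO_REDIRECT_URI} - uris, uris - {DREMIO_REDIRECT_URI}


def check_secret_expiry(app, now, warn_days=30):
    """Return [(name, days_left)] for client secrets expired or expiring within warn_days."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left <= warn_days:
            findings.append((cred.get("displayName", "<unnamed>"), days_left))
    return findings


def check_consent(grants):
    """Compare consented delegated scopes with REQUIRED_SCOPES.

    Returns (missing, extra, no_admin_consent): required scopes absent from every
    grant, granted scopes not on the list, and ADMIN_CONSENT_SCOPES that only have
    per-user ("Principal") consent or none at all.
    """
    granted, admin_granted = set(), set()
    for grant in grants:
        scopes = set(grant.get("scope", "").split())
        granted |= scopes
        if grant.get("consentType") == "AllPrincipals":  # tenant-wide consent
            admin_granted |= scopes
    return (REQUIRED_SCOPES - granted,
            granted - REQUIRED_SCOPES,
            ADMIN_CONSENT_SCOPES - admin_granted)


def assignment_required(sp):
    """True when the enterprise application has 'Assignment required?' set to Yes."""
    return bool(sp.get("appRoleAssignmentRequired"))


def audit(app, sp, grants, now):
    """Run every check and return the findings as one dictionary."""
    missing_uri, extra_uri = check_redirect_uris(app)
    missing_scope, extra_scope, no_admin = check_consent(grants)
    return {
        "missing_redirect_uris": sorted(missing_uri),
        "unexpected_redirect_uris": sorted(extra_uri),
        "secrets_expiring": check_secret_expiry(app, now),
        "missing_scopes": sorted(missing_scope),
        "unexpected_scopes": sorted(extra_scope),
        "scopes_without_admin_consent": sorted(no_admin),
        "assignment_required": assignment_required(sp),
    }


# Constructed sample objects with placeholder identifiers (not real tenant data).
SAMPLE_APP = {
    "appId": "<client-id-placeholder>",
    "displayName": "Dremio SSO",
    "web": {"redirectUris": [
        DREMIO_REDIRECT_URI,
        "http://localhost:8080/callback",  # leftover development URI
    ]},
    "passwordCredentials": [
        {"displayName": "dremio-sso", "endDateTime": "2025-01-15T00:00:00Z"},
    ],
}
SAMPLE_SP = {"appRoleAssignmentRequired": False}
SAMPLE_GRANTS = [
    # Admin consent covers everything except GroupMember.Read.All ...
    {"consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile email offline_access User.Read User.Read.All"},
    # ... which a single user consented to individually; that is not enough.
    {"consentType": "Principal", "principalId": "<user-object-id-placeholder>",
     "scope": "GroupMember.Read.All"},
]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_APP, SAMPLE_SP, SAMPLE_GRANTS, SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit reports the localhost redirect URI, the secret with 14 days left, GroupMember.Read.All as lacking admin consent, and assignment not required; an empty list or `True` for each key is the state the procedure above is meant to produce.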

Use Entra ID SSO to Log in to Dremio

Any Entra ID user who is assigned to the Dremio Cloud application can log in with Entra ID immediately. To use Entra ID SSO to log in to Dremio:

  1. Open the Dremio console login page: https://app.dremio.cloud/.

  2. Type your email address in the Email field and click Continue.

  3. Click the Log in with Azure Active Directory button.

  4. When you are redirected to the Microsoft website for authentication, enter your Entra ID user email, phone number, or Skype ID and click Next. Depending on your organization's security policies for Microsoft services, you may also be directed to use an authenticator app and asked to confirm whether you wish to stay signed in.

Entra ID authenticates your identity and redirects you to Dremio, which then logs you in.

note

To configure Entra ID's SCIM provisioning feature and use Entra ID to manage access for Dremio users, follow Configure SCIM Provisioning with Microsoft Entra ID.

Revoke Entra ID SSO Login for a User or Group

To revoke users' access to Entra ID SSO login for Dremio:

  1. In Entra ID, navigate to your application.

  2. Find the row for the user or group you want to deactivate and click to select the checkbox for the user or group.

  3. Click Remove.

  4. In the Do you want to remove these assignments? confirmation dialog, click Yes.

Starting immediately, the deactivated users cannot use Entra ID SSO to log in to Dremio.

caution

If you revoke a user's access to use Entra ID SSO login in Entra ID, the user can still log in to Dremio with their Dremio username and password. To completely delete Dremio users so that they cannot log in to Dremio at all, you must also manually remove their user accounts in Dremio.