On this page

    Microsoft Azure Active Directory

    Overview

    This topic describes how to configure Microsoft Azure Active Directory (AAD) as an enterprise identity provider (IdP).

    To configure this provider, you must first register Dremio as an application on the Azure portal and add AAD as a provider in Dremio Cloud.

    Prerequisites

    • To register Dremio as an application in the Azure portal, you must be an Azure tenant administrator, or possess explicit permissions to register an application in Azure Active Directory. However, to grant admin consent to an application, you must be an Azure tenant administrator.
    • You must also be a Dremio Cloud admin to configure an enterprise IdP.
    • To configure an identity provider, you need data as explained from the AAD overview and application section:
      • Azure Active Directory Domain
      • Client ID
      • Client Secret

    Azure Portal Configuration

    From the Azure portal, perform the following steps to register an Azure application:

    1. Click Azure services > Azure Active Directory.
    2. Click App registrations > New registration to register Dremio.
    3. On the Register an application page, enter a value for Name.
    4. For Supported account types, Accounts in this organizational directory only (<your org> only - Single tenant) is selected by default. Select a different account type as required by your organization.
    5. (Optional) For Redirect URI, select Web from the drop-down list and enter the following URI: https://accounts.dremio.cloud/login/callback. This URI can also be retrieved from the Dremio Cloud Add Provider dialog.

    note:

    The redirect URI can also be specified in the Azure portal at a later time under Platform configurations on the Authentication page.

    1. Click Register. After you register the application, copy the Application (client) ID, which is needed later to configure the IdP in Dremio Cloud.

    2. Navigate to the application that you just registered on the Azure portal. To create a new secret, under Manage in the sidebar, click Certificates & secrets > Client secrets > New client secret.

    3. From the Add a client secret pane, enter a Description.

    4. For Expires, set the lifespan of the certificate.

    5. Click Add. The key value appears in the Client secrets section of the page.

    6. Copy the client secret (password) that is generated. You will not be able to retrieve it once you leave this page and you’ll need it in a later step to configure the IdP in Dremio Cloud.

    7. To enter the delegated permissions, under Manage, click API permissions. On the API permissions page, the User.Read permission should be selected already.

    8. Click Add a permission. In the Request API permissions slide-out, select Microsoft APIs > Microsoft Graph.

    9. Under Microsoft Graph, click Delegated permissions as this is the type of permissions that your application requires.

    10. From the Select permissions field, search and select the boxes for each of the API permissions below.

      • Directory.Read.All - Requires Azure tenant administrator approval before the permission is assigned.
        • When you search this permission, Directory is displayed. Click Directory and check the Directory.Read.All box.
        • Permits the application to read data in your organization’s directory. For example, users, groups and applications. Note that users may consent to applications that need this permission if the application is registered in their own organization’s tenant.
      • email - Permits the application to read your users' primary email address.
      • offline_access - Permits the application to read and update user data, even when they are not currently using the application.
      • openid - Permits users to sign in to the application with their work or school accounts and permits the application to view basic user profile information.
      • profile - Permits the application to view your users' basic profiles (name, avatar, and email address).
      • User.Read - Permits users to log in to the application, and permits the application to read the profile of logged-in users. It also permits the application to read basic company information of logged-in users.
    11. Click Add permissions. The permissions are added in the API permissions page. Only an Azure tenant administrator can click Grant admin consent for <your-org> (next to Add a permission) to grant admin consent for the Directory.Read.All permission.

    12. To obtain the domain name, navigate to Azure Active Directory’s Overview page and copy the Primary domain value.

    Azure Properties Required for Dremio Configuration

    For the following details, navigate to the Azure Active Directory page on your Azure portal. Copy the following properties to configure AAD for Dremio Cloud:

    PropertyTracing the Property in the Portal
    Client ID
    1. Click App Registrations.
    2. Copy the Application (client) ID.
    Client Secret
    1. Click App Registrations.
    2. Click your registered application.
    3. To create a new client secret, under the Manage section for your application, click Certificates & secrets.
    4. Under Client secrets, click New client secret.
    5. From the Add a client secret pane, enter a Description.
    6. For Expires, set the lifespan you wish to grant the certificate.
    7. Click Add. The key value appears in the Client secrets section of the page.
    8. Copy the client secret as soon as it is generated as you will not be able to retrieve it again after leavinge the Certificates and secrets page.
    Azure Active Directory Domain
    1. From the Overview page, copy the Primary domain value under Basic Information.

    Dremio Configuration

    Perform the following steps in Dremio Cloud to finish configuring AAD as an identity provider:

    1. Click the Settings (gear) icon at the bottom-left corner of the screen and then click Organization Settings.

    2. Click the Authentication tab from the left sidebar. Under Enterprise section, click Add Provider.

    3. Using the Add Provider dialog, select Azure Active Directory.

    4. For Step 2: Create an application in Azure Active Directory, if you have not configured the redirect URL for an Azure application, copy the redirect URL from the Dremio Cloud UI and go to the Azure portal to edit this property under Platform configurations on your registered application’s Authentication page.

    5. For Step 3: Enter the required information from Azure Active Directory, enter the required information from AAD:

      • For Azure Active Directory Domain, enter the domain.
      • For Client ID, enter the client ID.
      • For Client Secret, enter the client secret.
    6. Click Add. Azure Active Directory is now listed under the Enterprise section. However, it is not enabled by default.

    7. To activate the AAD provider, check the box under the Active column.

    AAD is now configured as an authentication IdP and will display as an option for users logging in on Dremio Cloud.

    Configuring AAD for SCIM

    Microsoft Azure AD may be configured to securely provision external users on Dremio Cloud using SCIM. This process is described in depth for various third-party SaaS solutions here and consists of the following steps:

    1. Adding SCIM as an app
    2. Configuring SCIM attribute mapping
    3. Generating a personal access token in Dremio
    4. Setting the scope of users/groups to provision

    When prompted for a Tenant URL, enter the following:

    https://scim.dremio.cloud/scim/v2/
    

    For the Secret Token, generate an access token as described in the next section below.

    Generating Access Tokens

    Dremio Personal Access tokens (valid for 90 days max) with the format bearer {PAT} may be used when configuring AAD with SCIM. To obtain this, please refer to the Personal Access Tokens page.

    Granting or Revoking User/Group Access by Scope

    User and group access to Dremio may be managed in Azure AD through the use of scoping filters, which serve as attribute-based rules to determine whether a user should be provisioned for an application like Dremio.