
Microsoft Azure Active Directory Enterprise

This topic describes how to configure Microsoft Azure Active Directory (AAD) as an enterprise identity provider (IdP).

To configure this provider, you must first register Dremio as an application on the Azure portal and add AAD as a provider in Dremio Cloud.

Prerequisites

  • To register Dremio as an application in the Azure portal, you must be an Azure tenant administrator or have explicit permission to register applications in Azure Active Directory. Granting admin consent to an application, however, always requires an Azure tenant administrator.
  • You must also be a Dremio Cloud admin to configure an enterprise IdP.
  • To configure the identity provider in Dremio Cloud, you need the following values, which you collect from the AAD Overview page and from your registered application:
    • Azure Active Directory Domain
    • Client ID
    • Client Secret

Azure Portal Configuration

From the Azure portal, perform the following steps to register an Azure application:

  1. Click Azure services > Azure Active Directory.

  2. Click App registrations > New registration to register Dremio.

  3. On the Register an application page, enter a value for Name.

  4. For Supported account types, Accounts in this organizational directory only (<your org> only - Single tenant) is selected by default. Select a different account type as required by your organization.

  5. (Optional) For Redirect URI, select Web from the drop-down list and enter the following URI: https://accounts.dremio.cloud/login/callback. This URI can also be retrieved from the Dremio Cloud Add Provider dialog.

    Note: The redirect URI can also be specified in the Azure portal at a later time under Platform configurations on the Authentication page.

  6. Click Register. After you register the application, copy the Application (client) ID, which is needed later to configure the IdP in Dremio Cloud.

  7. Navigate to the application that you just registered on the Azure portal. To create a new secret, under Manage in the sidebar, click Certificates & secrets > Client secrets > New client secret.

  8. From the Add a client secret pane, enter a Description.

  9. For Expires, set the lifespan of the client secret.

  10. Click Add. The key value appears in the Client secrets section of the page.

  11. Copy the client secret (password) that is generated. You will not be able to retrieve it after you leave this page, and you will need it in a later step to configure the IdP in Dremio Cloud.

  12. To enter the delegated permissions, under Manage, click API permissions. On the API permissions page, the User.Read permission should be selected already.

  13. Click Add a permission. In the Request API permissions slide-out, select Microsoft APIs > Microsoft Graph.

  14. Under Microsoft Graph, click Delegated permissions as this is the type of permissions that your application requires.

  15. From the Select permissions field, search for and select the checkbox for each of the following API permissions.

    • User.Read.All - Permits the application to read all users' full profiles on behalf of the signed-in user.
      • When you search for this permission, User is displayed. Click the down-arrow for User and select the checkbox for the User.Read.All permission.
      • The User.Read.All permission requires approval from an Azure tenant administrator to be assigned. Note that users may provide approval if the application is registered in their own organization’s tenant.
    • GroupMember.Read.All - Permits the application to read group properties, memberships, calendars, conversations, files, and other group content for all groups that the signed-in user can access.
      • When you search for this permission, Group is displayed. Click the down-arrow for Group and select the checkbox for the GroupMember.Read.All permission.
      • The GroupMember.Read.All permission requires approval from an Azure tenant administrator to be assigned. Note that users may provide approval if the application is registered in their own organization’s tenant.
    • email - Permits the application to read your users' primary email address.
    • offline_access - Permits the application to read and update user data, even when they are not currently using the application.
    • openid - Permits users to sign in to the application with their work or school accounts and permits the application to view basic user profile information.
    • profile - Permits the application to view your users' basic profiles (name, avatar, and email address).
    • User.Read - Permits users to log in to the application, and permits the application to read the profile of logged-in users. It also permits the application to read basic company information of logged-in users.
  16. Click Add permissions. The permissions are added in the API permissions page. Only an Azure tenant administrator can click Grant admin consent for <your-org> (next to Add a permission) to grant admin consent for the User.Read.All and GroupMember.Read.All permissions.

  17. To obtain the domain name, navigate to Azure Active Directory's Overview page and copy the Primary domain value.

Azure Properties Required for Dremio Configuration

For the following details, navigate to the Azure Active Directory page on your Azure portal. Copy the following properties to configure AAD for Dremio Cloud:

Property: Client ID
  1. Click App Registrations.
  2. Copy the Application (client) ID.

Property: Client Secret
  1. Click App Registrations.
  2. Click your registered application.
  3. To create a new client secret, under the Manage section for your application, click Certificates & secrets.
  4. Under Client secrets, click New client secret.
  5. From the Add a client secret pane, enter a Description.
  6. For Expires, set the lifespan you wish to grant the client secret.
  7. Click Add. The key value appears in the Client secrets section of the page.
  8. Copy the client secret as soon as it is generated; you will not be able to retrieve it again after leaving the Certificates & secrets page.

Property: Azure Active Directory Domain
  1. From the Overview page, copy the Primary domain value under Basic Information.

Dremio Configuration

Perform the following steps in Dremio Cloud to finish configuring AAD as an identity provider:

  1. Click the Settings (gear) icon at the bottom-left corner of the screen and then click Organization Settings.

  2. Click the Authentication tab in the left sidebar. Under the Enterprise section, click Add Provider.

  3. Using the Add Provider dialog, select Azure Active Directory.

  4. For Step 2: Create an application in Azure Active Directory, if you have not configured the redirect URL for an Azure application, copy the redirect URL from the Dremio Cloud UI and go to the Azure portal to edit this property under Platform configurations on your registered application's Authentication page.

  5. For Step 3: Enter the required information from Azure Active Directory, enter the required information from AAD:

    • For Azure Active Directory Domain, enter the domain.
    • For Client ID, enter the client ID.
    • For Client Secret, enter the client secret.
  6. Click Add. Azure Active Directory is now listed under the Enterprise section. However, it is not enabled by default.

  7. To activate the AAD provider, check the box under the Active column.

AAD is now configured as an authentication IdP and will display as an option for users logging in on Dremio Cloud.

Configuring AAD for SCIM

Microsoft Azure AD may be configured to securely provision external users on Dremio Cloud using SCIM. This process is described in depth for various third-party SaaS solutions here and consists of the following steps:

  1. Adding SCIM as an app

  2. Configuring SCIM attribute mapping

    These are the supported attribute mappings:

    Attribute in AAD                                              Attribute in Dremio Cloud
    userPrincipalName                                             username and email
    family name                                                   last name
    given name                                                    first name
    Switch([IsSoftDeleted], , "False", "True", "True", "False")   active
  3. Generating a personal access token in Dremio

  4. Setting the scope of users/groups to provision

When prompted for a Tenant URL, enter the URL for your control plane:

  • US Control Plane: https://scim.dremio.cloud/scim/v2/
  • EU Control Plane: https://scim.eu.dremio.cloud/scim/v2/

For the Secret Token, generate an access token as described in the section below.
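As an added example that is not part of the Dremio documentation or any Microsoft code, the Python below applies the attribute mapping table above to a constructed AAD user record and produces the SCIM 2.0 User resource (RFC 7643 core schema, assumed here to be the wire format the Dremio Users endpoint accepts) that a provisioning run would send to the tenant URL with the bearer-token header; the switch() helper mimics the semantics of the Azure Switch() expression, and the PAT value is a placeholder.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Tenant URLs from the page; the provisioning job appends the resource path.
TENANT_URLS = {"US": "https://scim.dremio.cloud/scim/v2/", "EU": "https://scim.eu.dremio.cloud/scim/v2/"}

def switch(source, default, *pairs):
    """Mimic the Azure AD provisioning expression
    Switch(source, default, key1, value1, key2, value2, ...)."""
    if len(pairs) % 2:
        raise ValueError("Switch() needs key/value pairs")
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def is_active(is_soft_deleted):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    a soft-deleted AAD user is provisioned as inactive in Dremio Cloud."""
    return switch(str(is_soft_deleted), "", "False", "True", "True", "False") == "True"

def aad_to_scim_user(aad_user):
    """Apply the page's attribute mapping to an AAD user object (assumed Graph attribute names)."""
    upn = aad_user["userPrincipalName"]
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": upn,                              # userPrincipalName -> username
        "emails": [{"value": upn, "primary": True}],  # userPrincipalName -> email
        "name": {
            "familyName": aad_user["surname"],        # family name -> last name
            "givenName": aad_user["givenName"],       # given name -> first name
        },
        "active": is_active(aad_user["IsSoftDeleted"]),
    }

def users_endpoint(control_plane, pat):
    """Tenant URL + Users resource, and the Secret Token as 'bearer {PAT}'."""
    return TENANT_URLS[control_plane] + "Users", {"Authorization": f"bearer {pat}"}

# Constructed sample record; not a real tenant's data.
SAMPLE_AAD_USER = {
    "userPrincipalName": "jdoe@example.onmicrosoft.com",
    "givenName": "Jane",
    "surname": "Doe",
    "IsSoftDeleted": False,
}

if __name__ == "__main__":
    url, headers = users_endpoint("US", "<DREMIO_PAT_PLACEHOLDER>")
    print(url, headers)
    print(json.dumps(aad_to_scim_user(SAMPLE_AAD_USER), indent=2))
```

A user whose IsSoftDeleted flag is anything other than the literal False (including an unexpected value) falls through to the empty default and is provisioned as inactive, which is the safe direction for a deprovisioning check.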

Note: User email addresses are controlled by AAD rather than Dremio. If a user's email address changes, you must update it in AAD. Then, the user will be able to use the new email address to log in to Dremio as a new user.

Generating Access Tokens

Dremio personal access tokens (valid for up to 180 days), supplied in the format bearer {PAT}, may be used as the Secret Token when configuring AAD with SCIM. To obtain one, refer to the Personal Access Tokens page.

Granting or Revoking User/Group Access by Scope

User and group access to Dremio may be managed in Azure AD through scoping filters: attribute-based rules that determine whether a user is provisioned to an application such as Dremio.