Configuring Microsoft Entra ID as an Identity Provider (Enterprise)
Dremio supports Microsoft Entra ID as an enterprise identity provider. Microsoft Entra ID administrators can follow these instructions to enable single sign-on (SSO) authentication and allow users to log in to Dremio using Microsoft Entra ID as the trusted third party.
Prerequisites
Configuring SSO in Microsoft Entra ID requires:
- Privileges in Microsoft Entra ID that permit you to add, configure, and register applications.
- The CONFIGURE SECURITY organization-level privilege or membership in the ADMIN role in a Dremio Enterprise account.
Configure an Application for SSO
To configure SSO in Microsoft Entra ID for Dremio users:
- In the Azure portal under Azure services, click the Microsoft Entra ID tile.
- In the left-navigation menu under Manage, click App registrations.
- Click New registration.
- Type a name for the application in the Name field.
- Select your desired account type in the Supported account types list. The default selection is Accounts in this organizational directory only (<your org> only - Single tenant).
- Under Redirect URI, in the Select a platform drop-down list, select Web and enter the following URI in the provided field:
  - US region: https://accounts.dremio.cloud/login/callback
  - EMEA region: https://accounts.eu.dremio.cloud/login/callback
- Click the Register button.
- Copy and save the value for the Application (client) ID. You will use it to configure authentication in Dremio later in this procedure.
- In the left-navigation menu under Manage, click Certificates & secrets.
- Click New client secret.
- In the Add a client secret panel, type a description for the secret in the Description field and select your desired lifespan for the secret in the Expires drop-down list.
- Click the Add button.
- Copy and save the value for the secret. The secret value is sensitive information and should be kept private. You will use it to configure authentication in Dremio later in this procedure.
- In the left-navigation menu under Manage, click API permissions.
- Confirm that the following permission is listed under API / Permissions name:
  - User.Read: Permits users to log in to the application, and permits the application to read the profiles and basic company information for logged-in users.
- Click Add a permission.
- In the Request API permissions panel, click the Microsoft Graph tile.
- Click the Delegated permissions tile.
- Under OpenId permissions, click the checkboxes next to the following options:
  - email: Permits the application to read users' primary email addresses.
  - openid: Permits users to sign in to the application with their work or school accounts and permits the application to view basic user profile information.
  - profile: Permits the application to view basic user profile information (name, avatar, and email address).
- Click the Add permissions button. The list of configured permissions should now include the following permissions:
  - openid
  - profile
- In the left-navigation menu under Manage, click Branding & properties.
- Copy and save the Publisher domain (<domain_name>.onmicrosoft.com). You will use it to configure authentication in Dremio later in this procedure.
- In the Dremio console, on the organization page, click next to the organization name.
- Click the Authentication tab in the left sidebar.
- In the Enterprise section, click Add Provider to open the Add Provider dialog.
- In Step 1, select Microsoft Entra ID in the dropdown list.
- In Step 3, enter the domain, client ID, and secret information that you copied from Microsoft Entra ID in the corresponding fields.
- Click Add. After the page loads, you should see Microsoft Entra ID listed as an authentication provider in the Enterprise section.
- Click the Enabled toggle to activate the Microsoft Entra ID authentication provider.
Entra ID is now configured as an enterprise authentication provider. The Log in with Microsoft Entra ID button appears in the list of log-in options for your Dremio users. Any Microsoft Entra ID user in your organization can use the Log in with Microsoft Entra ID button for SSO login.
Assign People and Groups to the Microsoft Entra ID Application
The Microsoft Entra ID application is configured to allow SSO login for any Microsoft Entra ID user in your organization. To adjust the application settings so that only users who are assigned to the app can use Microsoft Entra ID SSO to log in to Dremio:
- In the Azure portal under Azure services, click the Microsoft Entra ID tile.
- In the left-navigation menu under Manage, click Enterprise applications.
- Click the name of the SSO application.
- In the left-navigation menu under Manage, click Properties.
- Find the Assignment required? toggle and click Yes.
- Click Save.
With user assignment required, users who are not assigned to the application receive an error message from Microsoft when they try to use Entra ID SSO for Dremio.
Follow the instructions in the Microsoft Entra ID documentation to assign users and groups to your application.
Before the user can click Log in with Microsoft Entra ID in the list of log-in options for Dremio, one of the following conditions must be met:
- The user has been invited by an admin and has activated their account through an email link.
- An admin has set up SCIM provisioning and synced the user via SCIM.
Use privileges and roles to manage user access to objects in Dremio.
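A configuration check for the settings made in the two procedures above, as an added example (not Dremio or Microsoft code): it audits an application object and its service principal, shaped like the JSON Microsoft Graph returns for them, against this page's redirect URIs, single-tenant audience, delegated permissions and Assignment required setting. The 180-day secret threshold and the sample objects are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
SCOPES = {  # Microsoft Graph delegated-scope IDs for the permissions on this page
    "e1fe6dd8-ba31-4d61-89e7-88639da4683d": "User.Read",
    "37f7f235-527c-4136-accd-4a02d197296e": "openid",
    "14dad69e-099b-42c9-810b-d002981feec1": "profile",
    "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0": "email",
}
DREMIO_CALLBACKS = {  # redirect URIs listed on this page
    "https://accounts.dremio.cloud/login/callback",     # US region
    "https://accounts.eu.dremio.cloud/login/callback",  # EMEA region
}

def audit(app, sp, now, max_secret_days=180):  # 180 days is an assumed policy
    """Return sorted findings; an empty list means the settings match the page."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("audience: not single tenant")
    uris = set(app.get("web", {}).get("redirectUris", []))
    if not uris & DREMIO_CALLBACKS:
        findings.append("redirect: Dremio callback missing")
    findings += [f"redirect: unexpected URI {u}" for u in uris - DREMIO_CALLBACKS]
    granted = {a["id"] for r in app.get("requiredResourceAccess", [])
               if r["resourceAppId"] == GRAPH_APP_ID
               for a in r["resourceAccess"] if a["type"] == "Scope"}
    findings += [f"permission: {n} missing"
                 for s, n in SCOPES.items() if s not in granted]
    findings += [f"permission: unexpected scope {s}" for s in granted - set(SCOPES)]
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append("secret: expired")
        elif end - now > timedelta(days=max_secret_days):
            findings.append(f"secret: valid for more than {max_secret_days} days")
    if not sp.get("appRoleAssignmentRequired", False):
        findings.append("assignment: any user in the tenant can sign in")
    return sorted(findings)

# Constructed sample objects shaped like Graph application / servicePrincipal JSON.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": ["https://accounts.dremio.cloud/login/callback",
                             "http://localhost:8080/callback"]},
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": s, "type": "Scope"} for s, n in SCOPES.items() if n != "email"]}],
    "passwordCredentials": [{"endDateTime": "2026-01-01T00:00:00Z"}],
}
SAMPLE_SP = {"appRoleAssignmentRequired": False}
print("\n".join(audit(SAMPLE_APP, SAMPLE_SP, SAMPLE_NOW)))
```

The sample deliberately carries a leftover localhost redirect URI, omits the email scope, uses a long-lived secret and leaves assignment optional, so each check reports one finding.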
Use Microsoft Entra ID SSO to Log in to Dremio
To use Microsoft Entra ID SSO to log in to Dremio:
- Open the Dremio console login page:
  - US region: https://app.dremio.cloud/
  - EMEA region: https://app.eu.dremio.cloud/
- Type your email address in the Email field and click Continue.
- Click the Log in with Microsoft Entra ID button.
- You will be redirected to the Microsoft website for authentication.
- Microsoft Entra ID authenticates your identity and redirects you to Dremio, which then logs you in.
You can use the Microsoft Entra ID SCIM provisioning feature to sync groups and memberships from Microsoft Entra ID to Dremio and manage access for Dremio users and groups. To configure, see SCIM with Microsoft Entra ID.
Revoke Microsoft Entra ID SSO Login for a User or Group
To revoke users' access to Microsoft Entra ID SSO login for Dremio:
- In Microsoft Entra ID, navigate to your application.
- Find the row for the user or group you want to deactivate and click to select the checkbox for the user or group.
- Click Remove.
- In the Do you want to remove these assignments? confirmation dialog, click Yes.
Starting immediately, the users cannot use Microsoft Entra ID SSO to log in to Dremio.
If you revoke a user's access to use Microsoft Entra ID SSO login in Microsoft Entra ID and the user had created a Dremio password for login, they can still log in to Dremio with their Dremio username and password. To completely delete Dremio users so that they cannot log in to Dremio at all, you must also delete or deactivate the user through SCIM provisioning or manually remove their user accounts in Dremio.