Microsoft Entra ID
Dremio supports Microsoft Entra ID as an enterprise identity provider. Microsoft Entra ID administrators can follow these instructions to enable single sign-on (SSO) authentication and allow users to log in to Dremio using Microsoft Entra ID as the trusted third party.
Prerequisites
Configuring SSO in Microsoft Entra ID requires:
- Privileges in Microsoft Entra ID that permit you to add, configure, and register applications.
- The CONFIGURE SECURITY organization-level privilege or membership in the ADMIN role.
Configure an Application for SSO
To configure SSO in Microsoft Entra ID for Dremio users:
- In the Azure portal under Azure services, click the Microsoft Entra ID tile.
- In the left navigation menu under Manage, click App registrations.
- Click New registration.
- Type a name for the application in the Name field.
- Select your desired account type in the Supported account types list. The default selection is Accounts in this organizational directory only (<your org> only - Single tenant).
- Under Redirect URI, in the Select a platform dropdown list, select Web and enter the following URI in the provided field:
  - US region: https://accounts.dremio.cloud/login/callback
  - EMEA region: https://accounts.eu.dremio.cloud/login/callback
- Click Register.
- Copy and save the value for the Application (client) ID. You will use it to configure authentication in Dremio later in this procedure.
- In the left navigation menu under Manage, click Certificates & secrets.
- Click New client secret.
- In the Add a client secret panel, type a description for the secret in the Description field and select your desired lifespan for the secret in the Expires dropdown list.
- Click Add.
- Copy and save the value for the secret. The secret value is sensitive information and should be kept private. You will use it to configure authentication in Dremio later in this procedure.
- In the left navigation menu under Manage, click API permissions.
- Confirm that the following permission is listed under API / Permissions name:
  - User.Read: Permits users to log in to the application and permits the application to read the profiles and basic company information for logged-in users.
- Click Add a permission.
- In the Request API permissions panel, click the Microsoft Graph tile.
- Click the Delegated permissions tile.
- Under OpenId permissions, click the checkboxes next to the following options:
  - email: Permits the application to read users' primary email addresses.
  - openid: Permits users to sign in to the application with their work or school accounts and permits the application to view basic user profile information.
  - profile: Permits the application to view basic user profile information (name, avatar, and email address).
- Click Add permissions. The list of configured permissions should now include the following permissions:
  - openid
  - profile
- In the left navigation menu under Manage, click Branding & properties.
- Copy and save the Publisher domain (<domain_name>.onmicrosoft.com). You will use it to configure authentication in Dremio later in this procedure.
- In the Dremio console, click on the left navigation bar and then select Organization settings.
- Click the Authentication tab in the left sidebar.
- In the Enterprise section, click Add Provider to open the Add Provider dialog.
- In Step 1, select Microsoft Entra ID in the dropdown list.
- In Step 3, enter the domain, client ID, and secret information that you copied from Microsoft Entra ID in the corresponding fields.
- Click Add. After the page loads, you should see Microsoft Entra ID listed as an authentication provider in the Enterprise section.
- Click the Enabled toggle to activate the Microsoft Entra ID authentication provider.
Microsoft Entra ID is now configured as an enterprise authentication provider. Log in with Microsoft Entra ID appears in the list of login options for your Dremio users. Any Microsoft Entra ID user in your organization can use Log in with Microsoft Entra ID for SSO login.
Assign People and Groups to the Microsoft Entra ID Application
The Microsoft Entra ID application is configured to allow SSO login for any Microsoft Entra ID user in your organization. To adjust the application settings so that only users who are assigned to the app can use Microsoft Entra ID SSO to log in to Dremio:
- In the Azure portal under Azure services, click the Microsoft Entra ID tile.
- In the left navigation menu under Manage, click Enterprise applications.
- Click the name of the SSO application.
- In the left navigation menu under Manage, click Properties.
- Find the Assignment required? toggle and click Yes.
- Click Save.
With user assignment required, users who are not assigned to the application receive an error message from Microsoft when they try to use Microsoft Entra ID SSO for Dremio.
Follow the instructions in the Microsoft Entra ID documentation to assign users and groups to your application.
Before the user can click Log in with Microsoft Entra ID in the list of login options for Dremio, one of the following conditions must be met:
- The user has been invited by an admin and has activated their account through an email link.
- An admin has set up SCIM provisioning and synced the user via SCIM.
Use privileges and roles to manage user access to objects in Dremio.
Use Microsoft Entra ID SSO to Log in to Dremio
To use Microsoft Entra ID SSO to log in to Dremio:
- Open the Dremio console login page:
  - US region: https://app.dremio.cloud/
  - EMEA region: https://app.eu.dremio.cloud/
- Type your email address in the Email field and click Continue.
- Click Log in with Microsoft Entra ID.
- You will be redirected to the Microsoft website for authentication.
- Microsoft Entra ID authenticates your identity and redirects you to Dremio, which then logs you in.
You can use the Microsoft Entra ID SCIM provisioning feature to sync groups and memberships from Microsoft Entra ID to Dremio and manage access for Dremio users and groups. To configure, see Configure Microsoft Entra ID with SCIM.
Revoke Microsoft Entra ID SSO Login for a User or Group
To revoke users' access to Microsoft Entra ID SSO login for Dremio:
- In Microsoft Entra ID, navigate to your application.
- Find the row for the user or group you want to deactivate and click to select the checkbox for the user or group.
- Click Remove.
- In the confirmation dialog, click Yes.
Starting immediately, the users cannot use Microsoft Entra ID SSO to log in to Dremio.
If you revoke a user's access to use Microsoft Entra ID SSO login in Microsoft Entra ID and the user has created a Dremio password for login, they can still log in to Dremio with their Dremio username and password. To completely delete Dremio users so that they cannot log in to Dremio at all, you must also delete or deactivate the user through SCIM provisioning or manually remove their user accounts in Dremio.
Configure Microsoft Entra ID with SCIM
System for Cross-domain Identity Management (SCIM) automates the synchronization of user accounts between your identity provider (IdP) and Dremio, eliminating the need for manual user management. When configured, your IdP securely sends user credentials to Dremio via SCIM, automatically creating accounts for new users as needed. These users can then log in to Dremio according to your organization's authentication policies.
Prerequisites
Configuring SCIM provisioning in Microsoft Entra ID requires:
- Privileges in Microsoft Entra ID that permit you to register and configure applications.
- A Dremio personal access token (PAT) for a Dremio user who is a member of the ADMIN role.
Configure an Application for SCIM Provisioning
To create an application for SCIM provisioning in Microsoft Entra ID:
- In the Azure portal under Azure services, click the Microsoft Entra ID tile.
- In the left navigation menu under Manage, click Enterprise applications.
- Click New application.
- Click Create your own application.
- In the Create your own application panel, type a name for the application in the provided field.
- Under What are you looking to do with your application? select the Integrate any other application you don't find in the gallery (Non-gallery) option.
- Click Create.
- In the left navigation menu under Manage, click Provisioning.
- Click Get started.
- In the Provisioning Mode dropdown list, select Automatic.
- Under Admin Credentials, enter the correct Tenant URL for your control plane:
  - US control plane: https://scim.dremio.cloud/scim/v2/?aadOptscim062020
  - EU control plane: https://scim.eu.dremio.cloud/scim/v2/?aadOptscim062020

  Note: The Tenant URL must include the aadOptscim062020 query parameter due to a Microsoft Entra ID issue with SCIM 2.0 compliance. If you previously configured a SCIM app with Microsoft Entra ID, SCIM syncing may fail for requests to deactivate users, add and update user attributes, and remove group members. If you observe these failures, follow the Microsoft documentation to upgrade from the older customappsso job to the SCIM job.
- Enter your Dremio PAT in the Secret Token field.
- (Optional) Click Test Connection to confirm that Microsoft Entra ID can connect to the tenant URL.
- Click Save.
- (Optional) Click the down arrow next to Settings and adjust the settings as desired. Click Save when you are finished.
- Return to the Provisioning Overview page for the application.
- In the left navigation menu under Manage, click Provisioning.
- Under Provisioning Status, toggle the setting to On.
- Click Save.
SCIM provisioning is now configured and enabled. You can create users, update user attributes, and deactivate users in Dremio, all from Microsoft Entra ID.
Read Microsoft's documentation about how long it takes to provision users for details about Microsoft Entra ID's initial and incremental provisioning cycles.
If desired, you can use Microsoft Entra ID's scoping filters to apply attribute-based rules for user provisioning. Read Scoping users or groups to be provisioned with scoping filters in the Microsoft documentation for more information.
Create Users
After you configure a Microsoft Entra ID application for SCIM provisioning, you must assign users and groups to the application. Dremio automatically creates a new Dremio user account for anyone you assign to the SCIM application who does not already have an account. Follow the instructions in the Microsoft documentation to assign users and groups to an application.
Create Roles
If you add a group to your SCIM application in Microsoft Entra ID, your designated group becomes a role in Dremio populated with the group's members. Follow the instructions in the Microsoft documentation to assign users and groups to an application.
Use Microsoft Entra ID to manage any roles you create with groups. Any changes you make to a role or its membership in Dremio are immediately overwritten by the next provisioning cycle from Microsoft Entra ID. Making changes in Dremio can result in synchronization errors.
Update User Attributes
With SCIM provisioning configured, updates to user attributes in Microsoft Entra ID are propagated to the user account in Dremio. Follow the instructions in the Microsoft documentation to edit user profile information.
- First name and Last name attributes in Microsoft Entra ID are mapped to user accounts in Dremio. After you configure an application for SCIM provisioning in Microsoft Entra ID and assign users to it, you can change these user attributes in Microsoft Entra ID to update the corresponding user information in Dremio.
- Microsoft Entra ID controls user email addresses. If a user's email address changes, you must create a new user in Microsoft Entra ID and assign them to the application for SCIM provisioning. Then, assign the new Microsoft Entra ID user to the SCIM application (either individually as a user or by adding them to an assigned group). Microsoft Entra ID creates a new Dremio user who can log in to Dremio with the new email address as a new user.
Deactivate Users
When you delete a user or group from the application for SCIM provisioning in Microsoft Entra ID, the affected users become inactive in Dremio and cannot log in to Dremio at all, whether with Microsoft Entra ID SSO or username and password.
To delete a user or group from your SCIM application in Microsoft Entra ID:
- In the Azure portal under Azure services, click the Microsoft Entra ID tile.
- In the left navigation menu under Manage, click Enterprise applications.
- Find your SCIM application in the list and click the application's name.
- In the left navigation menu under Manage, click Users and groups.
- Click to select the checkbox for the user or group you want to remove.
- Click Remove.
- In the confirmation dialog, click Yes.
The users you deleted, whether individually or by their group membership, become inactive in Dremio. If you delete a group, Microsoft Entra ID automatically removes the group's corresponding role in Dremio.
If you delete a group in Microsoft Entra ID, the group's corresponding role is automatically removed in Dremio and the group members' Dremio user accounts are set to inactive. Deleting a Microsoft Entra ID group does not delete the group members' Dremio user accounts.
To completely delete Dremio users, you must manually remove their user accounts in Dremio in addition to deleting the users and any groups they belong to from the SCIM application in Microsoft Entra ID.
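The revocation and deactivation sections above leave two kinds of residual account: users removed from the Entra ID application who are still active in Dremio (a Dremio password would still work), and users deactivated through SCIM whose accounts still exist. The following added example, which is not Dremio or Microsoft code, reconciles the two lists offline. It assumes you have exported the Entra ID app assignments as email addresses and the Dremio users as SCIM 2.0 User-shaped records (`userName`, `active`), that `userName` is the login email, and that `local_allowlist` (a hypothetical parameter) names accounts intentionally managed only in Dremio. All sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    user: str
    status: str  # "active-unassigned" or "inactive-residual"

def _norm(email):
    # Compare addresses case-insensitively and ignore stray whitespace.
    return email.strip().casefold()

def audit_offboarding(entra_assigned, dremio_users, local_allowlist=()):
    """Flag Dremio accounts that are no longer assigned in Entra ID."""
    assigned = {_norm(e) for e in entra_assigned}
    allowed = {_norm(e) for e in local_allowlist}
    findings = []
    for user in dremio_users:
        name = _norm(user["userName"])
        if name in assigned or name in allowed:
            continue
        # A missing "active" attribute is treated as active (the cautious reading).
        if user.get("active", True):
            # SSO is revoked, but a Dremio password would still work.
            findings.append(Finding(name, "active-unassigned"))
        else:
            # Deactivated through SCIM; the account still exists in Dremio.
            findings.append(Finding(name, "inactive-residual"))
    return sorted(findings, key=lambda f: (f.status, f.user))

# Constructed sample data (not real accounts).
ENTRA_ASSIGNED = ["Alice@example.com", "bob@example.com"]
DREMIO_USERS = [
    {"userName": "alice@example.com", "active": True},
    {"userName": "bob@example.com", "active": True},
    {"userName": "carol@example.com", "active": True},
    {"userName": "dave@example.com", "active": False},
    {"userName": "breakglass@example.com", "active": True},
]
LOCAL_ALLOWLIST = ["breakglass@example.com"]

if __name__ == "__main__":
    for f in audit_offboarding(ENTRA_ASSIGNED, DREMIO_USERS, LOCAL_ALLOWLIST):
        print(f"{f.status:18} {f.user}")
```

Accounts reported as `active-unassigned` need deactivation through SCIM or manual removal in Dremio; `inactive-residual` accounts need manual removal only if you want them deleted completely.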