
    Configuring Authorization for Microsoft Power BI

    This topic describes configuring authorization of Power BI to Dremio with Azure Active Directory (Azure AD or AAD). With this authorization option, Dremio is able to handle secure user authorization with an identity provider (IdP) using JSON Web Tokens (JWTs).

    Requirements

    Understanding Authentication Values

    Dremio serves as a resource provider and authorization server when AAD is used as an authorization server for a client application. However, Azure AD may also serve as an external authorization server when configured in Dremio.

    The following sections offer additional context regarding the values required to correctly enable this feature. Dremio specifically looks for the following JWT claims contained within jwtClaims on OAuth tokens received from a token provider:

    {
        "jwtClaims": {
            "AADTenantId": "2e989880-c1d7-5d47-0gbg-0411g",
            "userClaim": "preferred_username"
        }
    }
    

    The authorization process for these tokens is as described below:

    1. An admin enables Azure AD as a token provider using Dremio’s Power BI Authorization feature.
    2. A user connects to the client application, whereupon the user is sent to the external token provider.
    3. The token provider authorizes the user, obtains their consent, and returns an authorization code followed by a JWT to the client application.
    4. The client application exchanges the JWT for a Dremio token.
    5. The client application then uses the Dremio token to connect to the Dremio service.
    6. Dremio verifies the user using the token and grants access only to resources the user has permissions for.

    Azure Active Directory Tenant ID

    Azure AD utilizes a subscription-application trust relationship, which is used to authorize users with a service such as Power BI or Dremio. Each subscription assigns an organization a tenant ID, which is used to verify and validate users as trusted.

    Dremio requires the following claim in associated tokens:

    "AADTenantId": "2e989880-c1d7-5d47-0gbg-0411g"
    

    Instructions for how to find your tenant ID may be found here.

    User Claim Mapping

    The User Claim Mapping field identifies the user the token was issued for; the value of the mapped claim should be that user's Dremio username. This is considered a private claim name, but the IdP must supply it so that the user's permissions and access can be identified. The field in Dremio names whichever custom claim the provider attaches to usernames, such as preferred_username.

    Note

    For a token's user claim to be used, the username it contains must already exist in Dremio.

    From the example above, a user might appear as:

    "preferred_username": "user123"
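
A diagnostic sketch of the claim checks described above, added here as an example and not Dremio's own code: it decodes a token payload without verifying the signature and reports whether the tenant ID and the mapped user claim line up with the configuration. Assumptions: the tenant is read from Azure AD's `tid` claim, and `make_token`, `check_token`, the all-zero tenant ID and the user set are constructed for illustration.

```python
import base64
import json

# Constructed config in the shape shown on this page; the tenant ID is a placeholder.
CONFIG = {"jwtClaims": {"AADTenantId": "00000000-0000-0000-0000-000000000000",
                        "userClaim": "preferred_username"}}

def _b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(payload: dict) -> str:
    """Build a constructed sample token; the signature part is a dummy string."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(payload), "sig"])

def decode_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload

def check_token(token: str, config: dict, dremio_users: set):
    """Return (username, problems); an empty problems list means the claims line up."""
    expected = config["jwtClaims"]
    try:
        payload = decode_payload(token)
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return None, [f"unreadable token: {exc}"]
    problems = []
    # Assumption: the tenant is compared against Azure AD's 'tid' claim.
    if payload.get("tid") != expected["AADTenantId"]:
        problems.append("tenant ID does not match AADTenantId")
    username = payload.get(expected["userClaim"])
    if not isinstance(username, str) or not username:
        problems.append(f"claim {expected['userClaim']!r} missing or empty")
        username = None
    elif username not in dremio_users:  # the page's note: the user must already exist
        problems.append(f"user {username!r} does not exist in Dremio")
    return username, problems

if __name__ == "__main__":
    tenant = CONFIG["jwtClaims"]["AADTenantId"]
    token = make_token({"tid": tenant, "preferred_username": "user123"})
    print(check_token(token, CONFIG, {"user123"}))
```

This only inspects claims for troubleshooting; a token's signature, issuer, audience and expiry must still be validated before any claim in it is trusted.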
    

    Configuring Azure Active Directory for Power BI

    To identify the Azure application housing user information for Power BI users, Dremio needs the Azure tenant ID.

    Perform the following steps to configure AAD for Power BI:

    1. From Dremio, click the Settings (gear) icon at the bottom-left corner of the screen. Click Settings from the menu.
    2. On the Settings page, click Support from the left-hand menu.
    3. Under the Support Key section, enter auth.external-token-providers.enabled in the search bar on the right and click Show.
    4. When the new support key appears at the top of the list of keys, click the Enable button.
    5. Click BI Applications > Authorization from the left sidebar.
    6. Select Enable single sign on for Power BI.
    7. For Azure Active Directory Tenant ID, enter the tenant ID of your Azure AD account. The tenant ID is described here.
    8. For User Claim Mapping, enter the name of the claim in the Azure AD token that maps to the Dremio username. The user claim is described here.
    9. Click Save.

    Disabling AAD for Power BI

    Perform the following steps to disable the Power BI AAD configuration:

    1. From Dremio, click the Settings (gear) icon at the bottom-left corner of the screen. Click Settings from the menu.
    2. Click BI Applications > Authorization from the left sidebar.
    3. If Enable single sign on for Power BI is selected, deselect it to disable the single sign-on service.
    4. Click Save.