# Manage groups and group membership

> Create groups in Cognite Data Fusion (CDF) and link them to Microsoft Entra ID groups to manage group membership.

Instead of assigning capabilities to individual users and applications, you use **groups** in CDF to define what **capabilities** members (users or applications) have to work with different CDF resources.

You can manage CDF group **membership** from your identity provider, Microsoft Entra ID.

<a id="step-1" />

## Step 1: Create a group in Microsoft Entra ID

<Steps>
  <Step title="Sign in to the Azure portal">
    Sign in to your Azure portal, and then search for and select **Microsoft Entra ID**.
  </Step>

  <Step title="Navigate to New group">
    Under **Manage**, select **Groups** > **New group**.
  </Step>

  <Step title="Create a group">
    In the New Group window, select **Security** as the **Group type**, enter a **Group name**, and then select **Create**.

    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/access/create_aad_group.png" alt="Create group" width="60%" />
    </Frame>
  </Step>

  <Step title="Add members">
    Select the group to open it, and then add **members** (users or service accounts) to the group. Service accounts are called applications.
  </Step>

  <Step title="Copy the Object Id">
    Copy and make a note of the **Object Id**.

    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/access/copy_aad_objectId_oidc.png" alt="Copy Object Id" width="60%" />
    </Frame>
  </Step>
</Steps>

<a id="step-2" />

## Step 2: Create a group in CDF and link it to the Microsoft Entra ID group

<Steps>
  <Step title="Sign in to Cognite Data Fusion">
    Sign in to [Cognite Data Fusion](https://fusion.cognite.com) as an admin.
  </Step>

  <Step title="Create a group">
    Select the **Admin** workspace, and then **Access management** > **Groups** > **Create group**.
  </Step>

  <Step title="Configure the group">
    Enter a **Unique name** for the group and **Add capabilities**.
  </Step>

  <Step title="Link the group">
    In **Members**, select **Externally managed**, and in the **Source ID** field, enter the **Object Id** for the Microsoft Entra ID (ME-ID) group exactly as it exists in ME-ID. This links the CDF group to the Microsoft Entra ID group.

    <Frame>
      <img src="https://apps-cdn.cogniteapp.com/@cognite/docs-portal-images/1.0.0/images/cdf/access/create_CDF_group_sourceId_oidc.png" alt="Create new group with link to AAD group object ID" width="60%" />
    </Frame>
  </Step>

  <Step title="Link the group to an application">
    In the **Application (Client) ID** dropdown, select an existing Application (Client) ID or create a new one. Linking groups to specific applications improves query efficiency. An Application (Client) ID is a unique public identifier for an application registered with an authorization server. You can set more than one Application (Client) ID for a group.

    When users make a query to CDF, their Effective Access (EA) is determined by the union of all capabilities and scopes from the groups they're members of. When users make a query from an application, only the groups linked to that application are considered for EA.

    <Info>
      This feature is currently supported only for CDF organizations configured with Microsoft Entra ID as their identity provider (IdP).
    </Info>

    <Warning>
      If a group isn't linked to any application and the user is a member of that group, the group is considered for all queries, regardless of the application used.

      If a service account is a member of a group, and the group is linked to an Application (Client) ID different from the service account's client ID, the group is ignored.
    </Warning>
  </Step>

  <Step title="Select Create">
    The members of the Microsoft Entra ID group automatically become members of the linked CDF group with the associated capabilities.
  </Step>
</Steps>
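
The Effective Access rules from the **Link the group to an application** step can be modeled as follows. This is an added example, not Cognite's code: a simplified Python model for queries made through an application, in which the `Group` class, the function names, the capability labels, and all user and client IDs are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    capabilities: frozenset            # constructed labels, not CDF capability syntax
    members: frozenset                 # user IDs or service-account client IDs
    linked_client_ids: frozenset = frozenset()  # empty: not linked to any application

def group_applies(group, principal, client_id):
    """True if the group counts toward EA for this principal and calling application."""
    if principal not in group.members:
        return False
    if not group.linked_client_ids:
        return True                    # unlinked group: considered for all queries
    return client_id in group.linked_client_ids

def effective_access(groups, principal, client_id):
    """Union of capabilities from every group that applies to the query."""
    caps = set()
    for g in groups:
        if group_applies(g, principal, client_id):
            caps |= g.capabilities
    return caps

def unlinked_groups(groups):
    """Groups that apply regardless of application; review these first."""
    return sorted(g.name for g in groups if not g.linked_client_ids)

# Constructed sample data; all names and IDs are hypothetical.
GROUPS = [
    Group("readers", frozenset({"assets:read"}), frozenset({"alice", "svc-etl"})),
    Group("dashboard-writers", frozenset({"timeseries:write"}), frozenset({"alice"}),
          frozenset({"app-dashboard"})),
    Group("etl-raw", frozenset({"raw:write"}), frozenset({"svc-etl"}),
          frozenset({"svc-etl"})),
    Group("etl-writers", frozenset({"assets:write"}), frozenset({"svc-etl"}),
          frozenset({"app-other"})),
]

if __name__ == "__main__":
    print(sorted(effective_access(GROUPS, "alice", "app-dashboard")))
    print(sorted(effective_access(GROUPS, "alice", "app-notebook")))
    # A service account queries with its own client ID.
    print(sorted(effective_access(GROUPS, "svc-etl", "svc-etl")))
    print(unlinked_groups(GROUPS))
```

In this model, `etl-writers` contributes nothing for `svc-etl` because it is linked to a different client ID, while the unlinked `readers` group applies to every query its members make.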
