Register and configure applications and components
The table below lists applications and components with links to configuration steps and details about the authentication flows they use.
Application configuration steps | Authentication flow | Client secret required? | Microsoft Entra ID multi-tenant | Comments |
---|---|---|---|---|
The CDF portal application, Best Day, InField, Maintain, Solutions Portal | Authorization code grant | N | Y | The registration is automatically created when signing in. Needs administrator consent. |
Cognite extractors/scheduled custom scripts | Client credentials | Y | N | One app registration per extractor/script and environment (for example, dev, test, prod). |
CDF Transformations | | Y* | N | Needs multiple app registrations. Transformations that logically belong together (access rights are managed together) can share the app registration but may be subject to rate-limiting. * Time-limited jobs can run on behalf of a user. |
Cognite Data Source for Grafana | | Y | N | The Cognite Data Source for Grafana uses Grafana credentials to connect to CDF. Therefore, you need to set up the Grafana instance to authenticate the user towards the same identity provider (IdP) as your CDF project. Alternatively, you can provide client credentials for each instance of the Cognite Data Source. |
Cognite Power BI connector | Authorization code grant | N | Y | The registration is automatically created when signing in. Needs administrator consent. The Cognite Power BI connector and Excel both use the Microsoft Power Query for Excel enterprise application to retrieve data from CDF. If your organization is using both the Cognite Power BI connector app and Excel to retrieve data from CDF, you only need to register Microsoft Power Query for Excel for one of them. |
Excel | Implicit grant | N | Y | The registration is automatically created when signing in. Needs administrator consent. |
Custom web applications | | N | N | Redirect URI of type Web. |
Desktop apps/Postman/Python SDK/Jupyter/One-off/short-term scripts | | N | N | Redirect URI of type InstalledClient (Mobile / Desktop application). Users can sign in using their browser and use the acquired token in, for example, Jupyter. |
IMPORTANT
When you register applications using the client credentials flow, you should NOT share client IDs and secrets across multiple applications, even if the applications have common authentication requirements in CDF. Sharing client IDs and secrets across multiple applications can cause issues with audit logs, with events from multiple entities being identified under a common client ID. The applications may also be subject to rate-limiting.
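
One way to check a deployment against this rule, as an added example that is not Cognite's code: the script groups a constructed inventory of client-credentials workloads by client ID and reports every ID used by more than one workload/environment pair. The inventory format, workload names and client IDs are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory (hypothetical workloads and client IDs): one entry per
# workload that signs in to CDF with the client credentials flow.
INVENTORY = [
    {"workload": "opcua-extractor", "env": "dev",  "client_id": "00000000-0000-4000-8000-0000000000a1"},
    {"workload": "opcua-extractor", "env": "prod", "client_id": "00000000-0000-4000-8000-0000000000a2"},
    {"workload": "db-extractor",    "env": "prod", "client_id": "00000000-0000-4000-8000-0000000000A2"},
    {"workload": "nightly-script",  "env": "dev",  "client_id": "00000000-0000-4000-8000-0000000000a1"},
    {"workload": "nightly-script",  "env": "prod", "client_id": "00000000-0000-4000-8000-0000000000a3"},
]


def find_shared_client_ids(inventory):
    """Return {client_id: [(workload, env), ...]} for each client ID that is
    used by more than one (workload, environment) pair."""
    users = defaultdict(set)
    for entry in inventory:
        # Client IDs are GUIDs, so normalise case and whitespace before grouping;
        # otherwise "...A2" and "...a2" would look like two different registrations.
        client_id = entry["client_id"].strip().lower()
        users[client_id].add((entry["workload"], entry["env"]))
    return {cid: sorted(pairs) for cid, pairs in users.items() if len(pairs) > 1}


def report(shared):
    """Format one finding per shared client ID, in a stable order."""
    lines = []
    for client_id, pairs in sorted(shared.items()):
        who = ", ".join(f"{workload} ({env})" for workload, env in pairs)
        lines.append(f"client ID {client_id} is shared by: {who}")
    return lines


if __name__ == "__main__":
    for line in report(find_shared_client_ids(INVENTORY)):
        print(line)
```

Each reported client ID is one under which audit log events from several entities would be indistinguishable.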