
Set up Azure AD and CDF groups to control access

Instead of assigning capabilities to individual users and applications, you use groups in Cognite Data Fusion (CDF) to define what capabilities members (users or applications) have to work with different CDF resources. You link and synchronize the CDF groups to user groups in your identity provider (IdP), for instance, Microsoft Entra ID (formerly Azure Active Directory).

For example, if you want users or applications to read, but not write, time series data in CDF, you first create a group in your IdP to add the relevant users and applications. Next, you create a CDF group with the necessary capabilities and then link the CDF group and the IdP group.

This flexibility allows you to manage and update your data governance policies quickly and securely. You can continue to manage users and applications in your organization's IdP service outside of CDF.

Step 1: Create a group in Microsoft Entra ID

  1. Make sure that you have already registered the Cognite API and applications in Microsoft Entra ID.

  2. Sign in to the Azure portal as an admin.

  3. If you have access to multiple tenants, in the top menu, use the Directory + subscription filter to select the tenant in which you want to register an application.

  4. Search for and select Microsoft Entra ID.

  5. Under Manage, select Groups > New group.

  6. In the New Group window, select Security as the Group type, enter a Group name, and then select Create.

  7. Select the group to open it, and then copy and make a note of the Object Id.

Step 2: Create a group in CDF

  1. Sign in to the CDF portal application as an admin.

  2. In the top menu, select Manage & Configure > Manage access.

  3. On the Access management page, select Groups > Create group.

  4. Enter a Unique name for the group and Add capabilities.

  5. In the Source ID field, enter the Object Id of the Microsoft Entra ID group exactly as it appears in Microsoft Entra ID. This links the CDF group to the Microsoft Entra ID group.

  6. Select Create.

Step 3: Add members to the Microsoft Entra ID group

  1. In Microsoft Entra ID, add members (users or applications) to the group.

The members of the Microsoft Entra ID group automatically become members of the linked CDF group with the associated capabilities.
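As an added example (not code from the Cognite documentation), the following Python builds the request body for a read-only time series group linked by Source ID to an Entra ID group, and audits a list of group definitions for two mistakes the procedure above is prone to: a Source ID that does not exactly match a GUID, and a group that grants write actions when only read was intended. It assumes the JSON shape of the CDF groups API (`name`, `sourceId`, `capabilities`), and the sample groups and GUIDs are constructed.

```python
import re

# Entra ID Object Ids are GUIDs; CDF matches the sourceId exactly, so any
# stray character (a trailing space, braces) breaks the link silently.
_GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_entra_object_id(value) -> bool:
    """True only for a canonical hyphenated GUID with nothing around it."""
    return isinstance(value, str) and _GUID_RE.fullmatch(value) is not None


def build_readonly_timeseries_group(name: str, entra_object_id: str) -> dict:
    """Request body for POST .../groups: read-only time series access,
    linked to the Entra ID group via sourceId (assumed API shape)."""
    if not is_entra_object_id(entra_object_id):
        raise ValueError(f"not a valid Entra ID Object Id: {entra_object_id!r}")
    return {"items": [{
        "name": name,
        "sourceId": entra_object_id,
        "capabilities": [{"timeSeriesAcl": {"actions": ["READ"], "scope": {"all": {}}}}],
    }]}


# Actions that change data; a "read-only" group must not carry any of these.
WRITE_ACTIONS = {"WRITE", "CREATE", "UPDATE", "DELETE"}


def audit_groups(groups: list) -> list:
    """Return (group name, finding) pairs for unlinked, mislinked or write-granting groups."""
    findings = []
    for g in groups:
        sid = g.get("sourceId")
        if not sid:
            findings.append((g["name"], "no sourceId: group is not linked to an IdP group"))
        elif not is_entra_object_id(sid):
            findings.append((g["name"], f"sourceId {sid!r} is not a GUID; link will not match"))
        for cap in g.get("capabilities", []):
            for acl, body in cap.items():
                writes = WRITE_ACTIONS & set(body.get("actions", []))
                if writes:
                    findings.append((g["name"], f"{acl} grants {sorted(writes)}"))
    return findings


# Constructed sample: one correct group, one with a trailing space in the
# Source ID plus WRITE, and one that was never linked to an IdP group.
ENTRA_GROUP_ID = "3f2a9c1e-5b7d-4e8a-9c0f-1d2e3b4a5c6d"  # hypothetical Object Id
SAMPLE_GROUPS = [
    build_readonly_timeseries_group("ts-readers", ENTRA_GROUP_ID)["items"][0],
    {"name": "ts-writers", "sourceId": ENTRA_GROUP_ID + " ",
     "capabilities": [{"timeSeriesAcl": {"actions": ["READ", "WRITE"], "scope": {"all": {}}}}]},
    {"name": "orphan", "capabilities": [{"groupsAcl": {"actions": ["LIST"], "scope": {"all": {}}}}]},
]
```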