# Set up Azure AD and CDF groups to control access
Instead of assigning capabilities to individual users and applications, you use groups in Cognite Data Fusion (CDF) to define what capabilities members (users or applications) have to work with different CDF resources. You link and synchronize the CDF groups to user groups in your identity provider (IdP), for instance Azure Active Directory (AAD).
For example, if you want users or applications to read, but not write, time series data in CDF, you first create a group in your IdP to add the relevant users and applications. Next, you create a CDF group with the neccessary capabilities, and then link the CDF group and the IdP group.
This flexibility allows you to manage and update your data governance policies quickly and securely. You can continue to manage users and applications in your organization's IdP service outside of CDF.
In this article:
# Step 1: Create a group in Azure AD
Make sure that you have already registered the Cognite API and applications in Azure AD.
Sign in to the Azure portal (opens new window) as an admin.
If you have access to multiple tenants, in the top menu, use the Directory + subscription filter to select the tenant in which you want to register an application.
Search for and select Azure Active Directory.
Under Manage, select Groups > New group.
In the New Group window, select Security as the Group type, enter a Group name, and then select Create.
Select the group to open it, and then copy and make a note of the Object Id.
# Step 2: Create a group in CDF and link it to the Azure AD group
Sign in to Cognite Data Fusion (opens new window) as an admin.
In the top menu, select Manage & Configure > Manage access.
In the Access management window, select Groups > Create new group.
In the Create new group window, enter a Unique name for the group and Add capabilities.
Link the CDF group to an Azure AD group:
- In the Source ID field, enter the Object Id for the AAD group exactly as it exists in AAD.
- In the Source name field, enter the name of the group in Azure AD.
# Step 3: Add members to the Azure AD group
- In Azure AD, add members (users or applications) to the group.
The members of the Azure AD group automatically become members of the linked CDF group with the associated capabilities.