Setup and administration for Cognite extractors
You can use OpenID Connect and your existing identity provider (IdP) framework to manage access to Cognite Data Fusion (CDF) data securely. We currently support Microsoft Entra ID.
Setup and administration for Microsoft Entra ID
This article explains how to register and configure apps in Microsoft Entra ID (ME-ID) to use with extractors or scheduled custom scripts.
To perform the steps below, you must be an administrator of Microsoft Entra ID.
Before you start
Make sure you have registered the Cognite API and the CDF in Microsoft Entra ID and set up Microsoft Entra ID and CDF groups to control access to CDF data.
Step 1: Register an app in Microsoft Entra ID to use with an extractor
Cognite recommends that you register one app per extractor and per environment. For example, we recommend 3 app registrations to run one extractor in dev, test, and prod environments.
- Sign in to the Azure portal as an admin.
- If you have access to multiple tenants, use the Directory + subscription filter () in the top menu to select the tenant in which you want to register an application.
- Search for and select Microsoft Entra ID.
- Under Manage, select App registrations > New registrations.
- In the Register an application window, enter the app name and select Register.
- Copy and make a note of the Application (client) ID. You'll need this value for authentication when reading and writing data with the extractor.
- Under Manage, select Certificates & secrets > New client secret.
-
Enter a client secret description and an expiry time, and then select Add.
-
Copy and make a note of the client secret in the Value field.
ImportantMake sure you copy this value now. This value will be hidden after you leave this page.
Step 2: Create a group in Microsoft Entra ID and add the registered app as its member
- Open the overview window in Microsoft Entra ID and select Manage > Groups.
- Create a group. Read more here.
- Open the group. Under Manage, select Members > Add members.
- Find the app you created above and click Select.
- Add all users you want to have access to extractors as members.
- Return to the overview, and then copy and make a note of the Object Id.
Step 3: Create a group in CDF and link to the Microsoft Entra ID group
- Sign in to CDF as an admin and navigate to Access > Groups > Create new group.
- In the Create a new group window, enter the group name (case sensitive).
- Add the necessary capabilities for your extractor. See Extractor capabilities for details.
- Link the group to an Microsoft Entra ID group:
- In the Source ID field, enter the Object Id for the AAD group exactly as it exists in AAD. You can use the same group Id for multiple extractors.
- In the Source name field, enter the name of the group in Microsoft Entra ID.
Step 4: Run extractors
Configure and run the extractor according to the extractor documentation.