# Register apps in Azure AD to use with extractors

You can use OpenID Connect and your existing identity provider (IdP) framework to manage access to CDF data securely. We currently support Azure AD, Microsoft's cloud-based identity and access management service.

This article explains how to register and configure apps in Azure AD (AAD) to use with extractors or scheduled custom scripts.

To perform the steps below, you need to be an administrator of Azure AD.

# Before you start

Make sure you have registered the Cognite API and the CDF portal application in Azure AD and set up Azure AD and CDF groups to control access to CDF data.

# Step 1: Register an app in Azure AD to use with an extractor


Cognite recommends that you register one app per extractor and per environment. For example, we recommend 3 app registrations to run one extractor in dev, test, and prod environments.

  1. Sign in to the Azure portal as an admin.

  2. If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register an application.

  3. Search for and select Azure Active Directory.

  4. Under Manage, select App registrations > New registrations.

  5. In the Register an application window, enter the app name, and then select Register.

  6. Copy and make a note of the Application (client) ID. This value is required for authentication when reading and writing data with the extractor.

  7. Under Manage, select Certificates & secrets > New client secret.

  8. Enter a client secret description and an expiry time, and then select Add.

  9. Copy and make a note of the client secret in the Value field.


    Make sure you copy this value now. This value will be hidden after you leave this page.

# Step 2: Create a group in Azure AD and add the registered app as its member

  1. Open the overview window in Azure AD and select Manage > Groups.

  2. Create a group.

  3. Open the group. Under Manage, select Members > Add members.

  4. Find the app you created above and click Select.

  5. Add all users you want to have access to extractors as members.

  6. Return to the overview, and then copy and make a note of the Object Id.

# Step 3: Create a group in CDF and link it to the Azure AD group

  1. Sign in to Cognite Data Fusion as an admin.

  2. In the top menu, select Manage & Configure > Manage access.

  3. In the Access management window, select Groups > Create new group.

  4. In the Create a new group window, enter the group name (case sensitive).

  5. Add the necessary capabilities for your extractor. See Extractor capabilities below for details.

  6. Link the group to an Azure AD group:

    1. In the Source ID field, enter the Object Id for the AAD group exactly as it exists in AAD. You can use the same group Id for multiple extractors.

    2. In the Source name field, enter the name of the group in Azure AD.

# Step 4: Run extractors using the client secret or client ID

  1. Configure and run the extractor according to the extractor documentation.
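Before starting the extractor, you can confirm that the registration from Steps 1 to 3 behaves as intended. The following is an added example, not part of the original article or of Cognite's code: it requests a token with the client ID and client secret and checks that the token was issued in the expected tenant, to the expected app, and carries the AAD group Object Id used as Source ID. The environment variable names, the `TOKEN_SCOPE` value, and the presence of a `groups` claim in the access token are assumptions about your setup.

```python
import base64
import json
import os
import urllib.parse
import urllib.request


def fetch_token(tenant_id, client_id, client_secret, scope):
    """OAuth 2.0 client-credentials request to the Azure AD v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form), timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_registration(claims, tenant_id, client_id, group_object_id):
    """Return a list of problems; an empty list means the token matches Steps 1-3."""
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("token was issued by a different tenant")
    # v1.0 access tokens carry the client ID in "appid", v2.0 tokens in "azp".
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("token was not issued to the expected Application (client) ID")
    # Assumption: the token is configured to include group claims.
    if group_object_id not in claims.get("groups", []):
        problems.append("AAD group Object Id missing from 'groups' claim")
    return problems


if __name__ == "__main__":
    # Assumed variable names; keep the client secret in the environment, not in source control.
    env = os.environ
    token = fetch_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"], env["TOKEN_SCOPE"])
    claims = decode_claims(token)
    for p in check_registration(claims, env["TENANT_ID"], env["CLIENT_ID"], env["AAD_GROUP_OBJECT_ID"]):
        print("FAIL:", p)
```

The Object Id comparison is exact, matching the requirement that the Source ID is entered exactly as it exists in AAD.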

# Extractor capabilities

The table below lists the required CDF capabilities for the Cognite extractors.

| Extractor | Capabilities |
|---|---|
| PI Extractor | timeseries:read, timeseries:write<br>raw:read, raw:write, raw:list, for state store configured to use Raw.<br>events:read, events:write, for logging extractor incidents as events in CDF. |
| DB Extractor | raw:read, raw:write, raw:list |
| OPC UA Extractor | timeseries:read, timeseries:write<br>assets:read, assets:write, if raw-metadata or skip-metadata are not set.<br>events:read, events:write, if events are enabled.<br>raw:read, raw:write, raw:list, if raw-metadata is enabled, or the state-store is set to use Raw.<br>relationships:read, relationships:write, if relationships are enabled.<br>datasets:read, if using dataset-external-id.<br>projectsAcl:list, groupsAcl:list, if using OIDC tokens for authentication. |
| Documentum Extractor | files:read, files:write |

Last Updated: 11/2/2021, 7:56:54 AM