When you have registered Transformations, users can sign in with their organizational ID to transform data in a CDF project.
CDF projects running in Google Cloud Platform need to be allowlisted to support scheduling of transformations using OpenID Connect (OIDC) credentials. Contact your Cognite representative to be added to the allowlist.

Before you start

Make sure you have registered the Cognite API and the CDF application in Microsoft Entra ID and set up Microsoft Entra ID and CDF groups to control access to CDF data.
To perform the steps below, you need to be an administrator of Azure AD.

Step 1: Register an app in Microsoft Entra ID to use with Transformations

1

Sign in to Azure portal

Sign in to the Azure portal as an admin.
2

Select your tenant

If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register an application.
3

Open Microsoft Entra ID

Search for and select Microsoft Entra ID.
4

Create new app registration

Under Manage, select App registrations > New registrations.
5

Register the application

In the Register an application window, enter the app name, and then select Register.
6

Copy the Application ID

Copy and make a note of the Application (client) ID. This value is required for authentication when reading and writing data in Transformations.
7

Create a client secret

Under Manage, select Certificates & secrets > New client secret.
[Image: OIDC client secret configuration]
8

Configure the secret

Enter a client secret description and an expiry time, and then select Add.
9

Copy the client secret value

Copy and make a note of the client secret in the Value field.
Make sure you copy this value now. This value will be hidden after you leave this page.

Step 2: Create a group in Azure AD and add the registered app as its member

1

Open Groups in Azure AD

Open the overview window in Azure AD and select Manage > Groups.
2

Create a group

Create a group.
3

Add members to the group

Open the group. Under Manage, select Members > Add members.
4

Add the app as a member

Find the app you created above and click Select.
5

Add users

Add all users you want to have access to Transformations as members.
6

Copy the Object ID

Return to the overview, and then copy and make a note of the Object Id.
[Image: OIDC app group configuration showing Object ID]
1

Navigate to Groups in CDF

Sign in to CDF as an admin and navigate to Access > Groups.
2

Create a new group

Select Create new group and enter a unique name for the group.
3

Add capabilities

Add read and write capabilities accordingly for the CDF resources you want to read and write using transformations. For instance, if you are transforming the data in CDF RAW and writing the data to assets, you must add raw:read and asset:write capabilities.
The minimum requirement is to add projects:list, groups:list, transformations:read, transformations:write, and sessions:create.
4

Create the group

Select Create.
5

Configure OpenID connect

Open the OpenID connect tab and insert your token_url. The token_url contains the ID of your Microsoft Entra ID tenant. To find your tenant ID, see this article.
To schedule transformations, you must add the capability sessions:create and set the token_url to maintain access to Transformations for an extended time period.
To enable Run as current user for transformations, you must add the sessions:create capability.
6

Link to Microsoft Entra ID group

Link the transformations group to a Microsoft Entra ID group:
  1. In the Source ID field, enter the Object Id for the AAD group exactly as it exists in AAD. You can use the same group Id for multiple transformations.
  2. In the Source name field, enter the name of the group in Azure AD.
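
The following Python example is added here and is not part of the Cognite documentation: it builds the tenant-specific token_url, forms the client-credentials request body from the Step 1 values, and checks whether a token's groups claim contains the Object Id entered as Source ID. Assumptions: the login.microsoftonline.com v2.0 endpoint form, a groups claim being present in the token, exact string matching of the Source ID, and all sample IDs, which are constructed.

```python
import base64
import json
import re
from urllib.parse import urlencode

GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def token_url(tenant_id):
    """Entra ID v2.0 token endpoint for a tenant; rejects anything that is not a GUID."""
    if not GUID.fullmatch(tenant_id):
        raise ValueError("tenant ID must be a GUID")
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

def token_request_body(client_id, client_secret, scope):
    """Form body of an OAuth 2.0 client-credentials request (Step 1 values)."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_source_id(token, source_id):
    """Compare the CDF Source ID with the token's groups claim (assumed exact match)."""
    groups = jwt_claims(token).get("groups", [])
    if source_id in groups:
        return "match"
    # Same GUID but different case or stray whitespace: a copy/paste error.
    if source_id.strip().lower() in (g.lower() for g in groups):
        return "near-miss"
    return "absent"

# Constructed sample values, not real tenant or group IDs.
TENANT = "11111111-2222-3333-4444-555555555555"
GROUP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def _sample_token(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"

SAMPLE_TOKEN = _sample_token({"tid": TENANT, "groups": [GROUP]})

if __name__ == "__main__":
    print(token_url(TENANT))
    print(check_source_id(SAMPLE_TOKEN, GROUP))               # match
    print(check_source_id(SAMPLE_TOKEN, GROUP.upper() + " "))  # near-miss
```

Read the client secret from a secret store or environment variable when calling token_request_body, rather than embedding it in source.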

Step 4: Run transformations

Verify that the configuration is successful by following the steps in Transform data.
Transformations with the same Client ID run as the same user with the same access. This ID and the Client secret must be given before a user can schedule and run transformations.