# Authenticate with Azure AD
# Before you start
Make sure the CDF project is configured for authentication with Azure AD:
- Register the Cognite API and the CDF portal application in Azure AD.
- Set up Azure AD and CDF groups to control access to CDF data.
- Register and configure the relevant applications and components in Azure AD.
In all code samples below, you need to specify:
- `<Tenant ID>` - the ID of the Azure AD tenant where the user is registered.
- `<Client ID>` - the ID of the application in Azure AD.
- `<Cluster>` - the cluster where your CDF project is installed. For example,
- `<CDF project>` - the name of the CDF project.
If you don't know which values to use for these variables, contact your CDF administrator or Cognite Support.
# Authenticate with user credentials
You can authenticate the Python SDK with Azure AD by using a token retrieved with user credentials.
You can get the token by letting the user sign in interactively via a browser. Use the interactive login and token refresh flow (see Authenticate with interactive login and token refresh) to access CDF when you're running short-term scripts or using Jupyter.
If a browser is not available, for example, if you are logged into a terminal, you can use the user credentials and device code flow (see Authenticate with user credentials and device code).
# Authenticate with interactive login and token refresh
Use this flow to authenticate with user credentials using the Microsoft Authentication Library (MSAL) and a token refresh.
You need to reuse the `PublicClientApplication`, and give a `Callable` to the `CogniteClient` to make the SDK ask for a new token on each request. The token is served from a memory cache but refreshed if needed (without requiring a user login or device code for the refresh).
NOTE: To use this flow with the code sample below, make sure the app is registered in Azure AD as the type Mobile and desktop applications with http://localhost:53000 as the Redirect URI.
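One way to implement the token callable this flow describes, as an added example rather than Cognite's own sample: the provider tries MSAL's cache first and only falls back to the browser sign-in. The authority, base URL and scope formats, the helper names `make_token_provider` and `build_client`, and the `token=` keyword are assumptions not shown on the page.

```python
from typing import Callable, List

# Placeholders named on the page; fill in your own values.
TENANT_ID, CLIENT_ID = "<Tenant ID>", "<Client ID>"
CLUSTER, PROJECT = "<Cluster>", "<CDF project>"
PORT = 53000  # must match the Redirect URI http://localhost:53000

# Assumed URL formats, not stated on the page.
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
BASE_URL = f"https://{CLUSTER}.cognitedata.com"
SCOPES = [f"{BASE_URL}/.default"]


def make_token_provider(app, scopes: List[str], port: int = PORT) -> Callable[[], str]:
    """Return a callable that yields a valid access token on every call.

    `app` is one long-lived msal.PublicClientApplication. Its in-memory cache
    enables the silent refresh, so build it once and reuse it.
    """
    def get_token() -> str:
        result = None
        accounts = app.get_accounts()
        if accounts:
            # Served from the cache, or renewed with the cached refresh token.
            result = app.acquire_token_silent(scopes, account=accounts[0])
        if not result:
            # First call, or silent renewal not possible: sign in via the browser.
            result = app.acquire_token_interactive(scopes=scopes, port=port)
        if "access_token" not in result:
            # Fail closed and report only the error fields, never token material.
            raise RuntimeError(
                f"Azure AD sign-in failed: {result.get('error')}: "
                f"{result.get('error_description')}"
            )
        return result["access_token"]
    return get_token


def build_client():
    """Wire the provider into the SDK; imports are local so the helper runs offline."""
    from msal import PublicClientApplication
    from cognite.client import CogniteClient
    app = PublicClientApplication(client_id=CLIENT_ID, authority=AUTHORITY)
    # Assumes an SDK version that takes a token callable as `token=`.
    return CogniteClient(token=make_token_provider(app, SCOPES), project=PROJECT,
                         base_url=BASE_URL, client_name="interactive-login-example")
```

Raising on a result without `access_token` keeps a failed sign-in from reaching the SDK as an empty bearer token.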
# Authenticate with user credentials and device code
If a browser is not available, for example, if you are logged into a terminal, use this flow to authenticate with user credentials and use a device code to refresh the token.
NOTE: To use this flow, you need to select Allow public client flows under Authentication when registering the app in Azure AD.
# Authenticate with client secret
The SDK supports client secrets directly: provide the client secret to the `CogniteClient` together with the `token_scopes`. Use this flow for long-running jobs like extractors.
NOTE: Make sure that you have not set the `COGNITE_API_KEY` environment variable. It will override the token setup.
Code sample: sample_client_secret.py