Configure access management

This article outlines the steps to set up a Microsoft Entra ID (ME-ID) tenant and a Cognite Data Fusion (CDF) project to allow users to sign in to Cognite apps with their organizational ID.

When you sign up with Cognite, you'll receive information about the environment where your CDF project(s) will be hosted. Follow the instructions in this article to configure the necessary groups, applications, and URLs in your Entra ID tenant. You will also receive a list of Cognite or partner users to add as guest users to your Entra ID tenant to help set up the project.

To configure the CDF project to manage access to your data securely, we also ask you to provide us with the necessary information about your Entra ID tenant. Collect the information as you go through the steps, and submit the information to Cognite when you have completed the steps.

注意

Make sure that you submit client secrets through a secret and encrypted channel, for example via Yopass.

Step 1: Collect the Entra ID tenant information

To connect the CDF project to your Entra ID tenant, we need to know the domain name and ID of the tenant.

1. Sign in to the Azure portal as an admin.

2. If you have access to multiple tenants, in the top menu, use the Directory + subscription filter to select the correct tenant.

3. Search for and select Microsoft Entra ID.

4. On the Overview page:

   1. Copy and make a note of the Primary domain.
   2. Copy and make a note of the Tenant ID.

   

Step 2: Create groups in Entra ID to link to CDF groups

Groups in CDF define what capabilities members (users or applications) have to work with CDF data. To manage the group membership from Entra ID, you link and synchronize the CDF groups to groups in Entra ID.

It is common to have at least two CDF projects — one for production and one for testing. The two projects will share the same AAD, but to separate the access rights, you need to create different groups for each project.

1. Sign in to the Azure portal as an admin.
2. If you have access to multiple tenants, in the top menu, use the Directory + subscription filter to select the correct tenant.
3. Search for and select Microsoft Entra ID.
4. On the Overview page, select Add > Group.
5. For each row in the table below, create a security group and copy and make a note of the Object Id for each group.

Group name	Group description
CDF-Prod-Admin	Administration of the CDF project.
CDF-Prod-ReadWrite	Read and write access to all data in the project. Access to data contextualization and data governance capabilities.
CDF-Prod-ReadWrite-Dataset	Same as CDF-Prod-ReadWrite, but scoped on specific dataset.
CDF-Prod-ReadWrite-Site2	Same as CDF-Prod-ReadWrite, but scoped on specific site.
CDF-Prod-ReadOnly	Read access to data in the project. Used for people developing or using dashboards and Cognite applications.
CDF-Prod-ReadOnly-Dataset	Same as CDF-Prod_ReadOnly, but scoped on specific dataset.
CDF-Prod-ReadOnly-Site2	Same as CDF-Prod-ReadOnly, but scoped on specific site.
CDF-Test-Admin1	Administration of the Cognite Data Fusion project.
CDF-Test-ReadWrite1	Read and write access to all data in the project. Access to data contextualization and data governance capabilities.
CDF-Test-ReadOnly1	Read access to data in the project. Used for people developing or using dashboards and Cognite applications.

¹ Only if you will be using a dedicated test environment.
² For customers who uses sites.

ヒント

For a seamless first-time sign-in for users, we recommend creating a CDF group with capabilities to view and use data and apps. Then, include all user accounts in the group.

CAUTION: All authenticated users automatically become members of the group and are granted all the capabilities assigned to the group. Make sure that the group has only the minimum required capabilities to access the necessary applications and data.

Step 3: Add guest users to the Entra ID groups

You have received a list of Cognite or partner users who will help configure the CDF project. Add them as guest users to your Entra ID tenant:

1. Add the solution architect(s) (often the primary technical contact points) to CDF-Prod_Admin, CDF-Test-Admin, CDF-Prod_ReadWrite, and CDF-Test-ReadWrite.
2. Add other Cognite or partner users to CDF-Prod_ReadWrite and CDF-Test-ReadWrite.

Step 4: Add app registration in Entra ID

Each Cognite application runs independently and accesses data from Cognite Data Fusion. Because of this, they have to be registered in Entra ID.

We recommend that you use a different application registration for each extractor and tool, for example, one registration for transformations, one for functions, etc. If you have many functions and transformations, we recommend splitting them across multiple application registrations.

1. Sign in to the Azure portal as an admin.

2. If you have access to multiple tenants, in the top menu, use the Directory + subscription filter to select the correct tenant.

3. Search for and select Microsoft Entra ID.

4. On the Overview page, select Add > App registration.

5. In the Register an application window, enter CDF-Data_Processing as the Name and under Supported account types, select Accounts in this organization directory only.

6. Select Register.

7. Copy and make a note of the Application (client) ID.

   

8. Under Manage, select Certificates & secrets > New client secret.

9. Enter a client secret description and an expiry time of minimum 3 months, and then select Add.

   

10. Copy and make a note of the client secret in the Value field.

    important

    Make sure you copy this value now. This value will be hidden after you leave this page.

11. Add the app registration to the required group in Entra ID, for example to CDF-Prod_ReadWrite.

Step 5: Send Cognite the Azure AD tenant information and Azure Admin Group ID

To configure the CDF project to manage access to your data securely, return the information you have collected in the steps above to Cognite.

注意

Make sure that you submit the information about client secrets through a secret and encrypted channel, for example via Yopass.

Step 6: Register the Cognite API and applications in Entra ID

Use the information you have received from Cognite and follow the steps in register the Cognite API and applications in Microsoft Entra ID to register the Cognite API and the Cognite applications you want to allow users to access.

When you have completed the registrations, test and verify that your Entra ID users can access the Cognite applications and the relevant CDF data.