Azure (Microsoft Entra ID)

Enhanced Advanced

Register application in Microsoft Entra ID

The Azure administrator registers a new OAuth Application in Microsoft Entra ID.

The Azure administrator adds a redirect_uri for the OAuth application as seen in the screenshot below. Azure sends the user credentials to the redirect_uri at the end of the OAuth handshake, allowing Posit Connect to obtain a temporary access token and refresh token.

The OAuth application is configured with the following redirect URL (sometimes referred to as a callback URL): https://connect.example.org/__oauth__/integrations/callback.

Note

Replace connect.example.org with the address of the Connect server.

Note

For OAuth application administrators who prefer to use the same OAuth application for both Posit Connect and Posit Workbench, simply register the Workbench redirect URL (https://workbench.example.org/oauth_redirect_callback) in addition to the Connect redirect URL.

The Register OAuth App page of the Azure Console.

Click Register to submit the form.

Add API permissions

In the API permissions section, the Azure administrator adds the required permission(s) for the OAuth application. API permissions define the capabilities granted to the user when they request credentials from this OAuth application. These permissions are also referred to as scopes.

Note

Depending on which permissions are required, the Azure administrator provides additional scopes values to the Connect administrator.

This is also referred to as a Resource App ID in the Azure console. See the Azure documentation to learn more about API Permissions and scopes.

The AzureDatabricks/user_impersonation permission uses the following scope value 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default. This scope allows Connect to access the viewer’s Databricks resources. This documentation uses the Databricks permission as an example but all Azure API permissions are supported. Choose only the permissions that are required by your application.

To allow users to access their Azure Databricks resources using this OAuth application, add a permission for AzureDatabricks/user_impersonation as seen below:

The API Permissions section of the Azure Console with an added permission for `AzureDatabricks/user_impersonation`.

Setup client authentication

The Azure administrator decides whether this OAuth application requires client authentication.

For Public OAuth applications, the Azure administrator enables the Allow public client flows option under Authentication > Advanced settings.

For Confidential OAuth applications, the Azure administrator adds a new client secret under the Certificates & secrets section.

Note

If unsure which whether to create a Confidential or Public OAuth application, choose Confidential.

The Azure administrator makes note of the tenant_id, client_id, and client_secret from the registered OAuth application and shares this information with the Posit Connect administrator.

Copy tenant ID and client ID.

Create OAuth integration in Posit Connect

The Posit Connect administrator creates an OAuth integration through the Integrations tab on the Connect dashboard. Once the OAuth integration has been created in Connect, it is available for use by all publishers.

Note

The OAuth scope 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default is a reference to the AzureDatabricks/user_impersonation permission that allows deployed content on Connect to access protected Azure Databricks resources.

For more information about defining scopes, see the Add API permissions section above.

Create Azure OAuth integration.

Alternatively, the example below shows how to create a Confidential Azure OAuth integration using curl and the Connect Server API.

Note

Replace connect.example.org with the address of the Connect server.

Terminal
curl -H "Authorization: Key ${CONNECT_API_KEY}" \
  -XPOST https://connect.example.org/__api__/v1/oauth/integrations \
  --data '{
    "template": "azure",
    "name": "Azure OAuth integration",
    "config": {
      "tenant_id": "<azure-tenant-id>",
      "client_id": "<azure-client-id>",
      "client_secret": "<azure-client-secret>",
      "scopes": "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default offline_access"
    }
  }'
# 200 OK
# {"guid": "<oauth-integration-guid>", ... }