Delegated Azure Credentials
When Workbench is configured to use Microsoft Entra ID for Single Sign-On (SSO), users can also be granted delegated permissions for additional Azure resources without needing to sign in again.
These delegated credentials eliminate the need for end users to manage complex authentication workflows when accessing Azure services from within Workbench.
While the most common delegated permissions grant access to Azure services themselves (such as object storage or one of Azure's cloud-backed databases), the same mechanism can be used to grant access to any third-party application in the same Microsoft Entra ID tenant.
Requirements
You must:
- Be using OpenID Connect Authentication with Microsoft Entra ID to authenticate users.
- Have access to your organization's Microsoft Entra ID configuration, or have an administrator who can make the required changes on your behalf.
- If the Job Launcher is enabled, the launcher-sessions-callback-address setting must be configured correctly.
Workbench Configuration
To allow Workbench to request delegated Azure credentials after sign-in, offline_access must be listed in the auth-openid-scopes option:
/etc/rstudio/rserver.conf
auth-openid-scopes=offline_access
Azure Configuration
This guide uses the Azure portal as an example, but there are many ways to manage Azure resources. Choose a method in line with your organization’s IT and security policies.
Add delegated permissions
Delegated credentials are set on a per-service basis. To grant end users access to a specific Azure service, you need to add the appropriate API permissions to Workbench’s application registration in Entra ID.
Using the Azure portal:
- Navigate to the Azure Active Directory Service.
- From the sidebar, click App registrations.
- In the table, find the application that is used to configure Single Sign-On for Workbench and then open it.
- From the sidebar, select API permissions and then click Add a permission.
- Select a service you want Workbench users to have access to, such as Azure Storage.
- Choose Delegated permissions (rather than Application permissions, if present).
- Under Permissions, ensure the entry for user_impersonation is selected.
- Click Add permissions.
Entries should appear in the Configured permissions table corresponding to the Azure service(s) you selected.
Grant consent for delegated permissions
In order for users to get delegated credentials without having to sign in again, an administrator must consent to these permissions on their behalf.
Using the Azure portal:
- Navigate to the Azure Active Directory Service.
- From the sidebar, select Enterprise applications.
- In the table, find the application that is used to configure Single Sign-On for Workbench and then open it.
- From the sidebar, select Permissions and click Admin consent.
- Click Grant admin consent for your organization and follow the steps in the pop-up window.
The table should populate with the permissions that you added to the Workbench application registration. You can also return to that registration in the Azure portal and confirm that the Status column shows “Granted for your organization”.
Exposing Azure credentials to Workbench users
Once delegated permissions are configured on the Azure portal, users can retrieve access tokens on demand through the posit-sdk (Python) or rstudioapi (R) packages. Each call specifies the Azure resource to access:
Python:
from posit.workbench import Client
client = Client()
token = client.oauth.get_delegated_azure_token("https://storage.azure.com")
access_token = token["access_token"]
R:
token <- rstudioapi::getDelegatedAzureToken("https://storage.azure.com")
access_token <- token$access_token
Azure DevOps Git integration
Azure DevOps Git integration via git-credential-pwb is only supported in RStudio Pro sessions.
Workbench also includes a Git credential helper (git-credential-pwb) that automatically provides Azure-delegated credentials when users interact with Azure DevOps Git repositories. To enable this, add delegated permissions for Azure DevOps following the same steps described in the Add delegated permissions section.
Once configured, users can clone Azure DevOps repositories without managing personal access tokens:
git clone https://dev.azure.com/{organization}/{project}/_git/{repository}
For complete usage documentation, including example workflows and troubleshooting, see the Workbench-managed Azure credentials section of the User Guide.
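The posit-sdk call shown under "Exposing Azure credentials to Workbench users" returns a raw access token, whereas the Azure SDK clients expect a credential object that exposes get_token(). The following Python adapter is an added example, not code from Posit's documentation or from the posit-sdk package. It wraps the get_delegated_azure_token call (passed in as a zero-argument fetch callable) so a client such as azure.storage.blob.BlobServiceClient can use it, refreshes the token shortly before it expires, and refuses to hand a token minted for one resource to a client asking for another. It assumes the returned dict contains at least "access_token" (the key shown above) and that tokens issued for Azure resources are JWTs carrying exp and aud claims; opaque tokens are handled by re-fetching on every call. AccessToken is a stand-in namedtuple for azure.core.credentials.AccessToken so the block runs without the Azure SDK installed, and make_unsigned_jwt only fabricates constructed test input.

```python
import base64
import json
import time
from collections import namedtuple
from typing import Callable, Dict, Optional

# Stand-in for azure.core.credentials.AccessToken so this runs without the Azure
# SDK installed; the real class exposes the same two fields.
AccessToken = namedtuple("AccessToken", ["token", "expires_on"])


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Read a JWT payload WITHOUT verifying it.

    This adapter is a client, not the token's audience, so it cannot validate the
    signature and must not treat these claims as authoritative. They are used only
    to schedule refresh (exp) and to sanity-check the audience (aud).
    Returns {} for opaque or malformed tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return {}
    return claims if isinstance(claims, dict) else {}


def _norm(url: str) -> str:
    # Entra ID issues aud both with and without a trailing slash; compare loosely.
    return url.strip().rstrip("/").lower()


class WorkbenchDelegatedCredential:
    """Implements the TokenCredential protocol (get_token) used by Azure SDK clients.

    `fetch` is any zero-argument callable returning the dict that
    client.oauth.get_delegated_azure_token(resource) returns; the only key this
    adapter relies on is "access_token" (assumed shape, matching the docs snippet).
    """

    def __init__(self, resource: str, fetch: Callable[[], Dict],
                 refresh_margin: int = 300):
        self.resource = resource
        self._fetch = fetch
        self._margin = refresh_margin  # seconds before exp at which we refresh
        self._cached: Optional[AccessToken] = None

    def _usable(self, now: float) -> bool:
        return (self._cached is not None
                and now < self._cached.expires_on - self._margin)

    def get_token(self, *scopes: str, **kwargs) -> AccessToken:
        # SDK clients pass scopes such as "https://storage.azure.com/.default";
        # reject any scope that is not the configured resource or a path under it.
        res = _norm(self.resource)
        for scope in scopes:
            s = _norm(scope)
            if s != res and not s.startswith(res + "/"):
                raise ValueError(f"scope {scope!r} not covered by resource {self.resource!r}")

        now = time.time()
        if self._usable(now):
            return self._cached

        token = self._fetch()["access_token"]
        claims = jwt_claims(token)
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else ([] if aud is None else [aud])
        if auds and res not in {_norm(a) for a in auds}:
            raise ValueError(f"token audience {aud!r} does not match {self.resource!r}")

        # Opaque tokens carry no exp: mark them as expiring now so each call
        # re-fetches instead of reusing a token of unknown lifetime.
        expires_on = int(claims.get("exp", now))
        self._cached = AccessToken(token, expires_on)
        return self._cached


def make_unsigned_jwt(claims: Dict) -> str:
    """CONSTRUCTED test input: an alg=none JWT. Entra ID never issues these and no
    Azure resource accepts them; it exists only to exercise the adapter offline."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Inside a Workbench session the fetch callable would be
    #   from posit.workbench import Client
    #   fetch = lambda: Client().oauth.get_delegated_azure_token("https://storage.azure.com")
    # and `cred` would be passed as credential= to an Azure SDK client.
    # Offline demonstration with a constructed token:
    calls = []

    def fetch() -> Dict:
        calls.append(1)
        return {"access_token": make_unsigned_jwt(
            {"aud": "https://storage.azure.com/", "exp": int(time.time()) + 3600})}

    cred = WorkbenchDelegatedCredential("https://storage.azure.com", fetch)
    cred.get_token("https://storage.azure.com/.default")
    cred.get_token("https://storage.azure.com/.default")
    print(f"fetched {len(calls)} time(s) for two get_token calls")
```

The refresh margin is deliberately generous: a token that expires mid-request fails the request, and the Workbench call is cheap compared with a retried upload. The audience check does not authorize anything (only the resource can verify the token); it simply catches a misconfigured resource string before a token for one service is ever sent to another.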
Microsoft Foundry for Positron Assistant
In Positron Pro sessions, delegated Azure credentials authenticate with Microsoft Foundry as a language model provider for Positron Assistant. Administrators must configure the resource endpoint URL and enable the Microsoft Foundry provider. See Microsoft Foundry for setup instructions.