Delegated Azure Credentials
When Workbench is configured to use Microsoft Entra ID for Single Sign-On (SSO), users can also be granted delegated permissions for additional Azure resources without needing to sign in again.
These delegated credentials eliminate the need for end users to manage complex authentication workflows when accessing Azure services from within Workbench.
While the most common use of delegated permissions is access to Azure services themselves (such as object storage or one of Azure's cloud-backed databases), the same mechanism can be used to grant access to any third-party application in the same Microsoft Entra ID tenant.
Requirements
Currently, this feature is only supported for RStudio Pro sessions.
You must:
- Be using OpenID Connect Authentication with Microsoft Entra ID to authenticate users.
- Have access to your organization’s Microsoft Entra ID configuration, or have an administrator who will make the required changes on your behalf.
- If the Job Launcher is enabled, the launcher-sessions-callback-address setting must be configured correctly.
Workbench Configuration
To allow Workbench to request delegated Azure credentials after sign-in, offline_access must be listed in the auth-openid-scopes option (offline_access is the OpenID Connect scope that lets Workbench obtain a refresh token, so it can request resource tokens later without a new sign-in):
/etc/rstudio/rserver.conf
auth-openid-scopes=offline_access
Azure Configuration
This guide uses the Azure portal as an example, but there are many ways to manage Azure resources. Choose a method in line with your organization’s IT and security policies.
Add delegated permissions
Delegated credentials are set on a per-service basis. To grant end users access to a specific Azure service, you need to add the appropriate API permissions to Workbench’s application registration in Entra ID.
Using the Azure portal:
- Navigate to the Azure Active Directory Service.
- From the sidebar, click App registrations.
- In the table, find the application that is used to configure Single Sign-On for Workbench and then open it.
- From the sidebar, select API permissions and then click Add a permission.
- Select a service you want Workbench users to have access to, such as Azure Storage.
- Choose Delegated permissions (rather than Application permissions, if that option is present).
- Under Permissions, ensure the entry for user_impersonation is selected.
- Click Add permissions.
Entries should appear in the Configured permissions table corresponding to the Azure service(s) you selected.
Grant consent for delegated permissions
In order for users to get delegated credentials without having to sign in again, an administrator must consent to these permissions on their behalf.
Using the Azure portal:
- Navigate to the Azure Active Directory Service.
- From the sidebar, select Enterprise applications.
- In the table, find the application that is used to configure Single Sign-On for Workbench and then open it.
- From the sidebar, select Permissions and click Admin consent.
- Click Grant admin consent for your organization and follow the steps in the pop-up window.
The table should populate with the permissions that you added to the Workbench application registration. You can also return to that registration in the Azure portal and confirm that the Status column shows “Granted for your organization”.
Exposing Azure Credentials to Workbench Users
Once delegated permissions are configured in the Azure portal, users must request them interactively when needed. R users can run ?rstudioapi::getDelegatedAzureToken for further instruction, and some third-party packages make use of this function to get credentials automatically when possible.
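The following R snippet is an added example, not code from this page or from Posit: it requests a delegated token for Azure Storage and inspects the token's claims (expiry and the user_impersonation scope consented to above) before building the bearer header a Storage REST call needs. It assumes getDelegatedAzureToken() takes the resource identifier as its only argument and returns the access token as a string; the claim checks, the header construction and the <storage-account> placeholder are assumptions of this example.

```r
library(jsonlite)   # base64_dec(), fromJSON()

# Decode one base64url-encoded JWT segment (header or payload) into a list.
decode_jwt_segment <- function(segment) {
  b64 <- chartr("-_", "+/", segment)
  b64 <- paste0(b64, strrep("=", (4 - nchar(b64) %% 4) %% 4))
  fromJSON(rawToChar(base64_dec(b64)))
}

# Request a delegated token for `resource` from Workbench and validate its
# claims before handing it to any client. Assumption (not from the page):
# getDelegatedAzureToken() takes the resource identifier and returns the
# access token as a string (a list with an access_token element is also handled).
get_checked_token <- function(resource, min_ttl_seconds = 60) {
  tok <- rstudioapi::getDelegatedAzureToken(resource)
  if (is.list(tok) && !is.null(tok$access_token)) tok <- tok$access_token
  tok <- as.character(tok)

  parts <- strsplit(tok, ".", fixed = TRUE)[[1]]
  if (length(parts) != 3) stop("delegated credential is not a JWT access token")
  claims <- decode_jwt_segment(parts[2])

  # exp is seconds since the Unix epoch; refuse tokens about to lapse rather
  # than letting the first storage call fail with 401.
  if (is.null(claims$exp) || claims$exp - as.numeric(Sys.time()) < min_ttl_seconds)
    stop("delegated token is expired or expires within ", min_ttl_seconds, "s")

  # scp lists the delegated scopes the admin consented to; user_impersonation
  # is the one added to the app registration above.
  if (is.null(claims$scp) || !grepl("\\buser_impersonation\\b", claims$scp, perl = TRUE))
    stop("delegated token does not carry the user_impersonation scope")

  # aud is the resource URI for v1 tokens or the resource's application ID for
  # v2 tokens, so it is reported for inspection rather than compared literally.
  list(token = tok, audience = claims$aud, scopes = claims$scp,
       expires_at = as.POSIXct(claims$exp, origin = "1970-01-01", tz = "UTC"),
       user = claims$upn)
}

# Azure Storage's resource identifier, plus the headers a Storage REST call
# needs when authenticating with a bearer token.
cred <- get_checked_token("https://storage.azure.com/")
storage_headers <- c(
  Authorization  = paste("Bearer", cred$token),
  "x-ms-version" = "2021-08-06"   # bearer auth needs API version 2017-11-09 or later
)
# e.g. httr::GET("https://<storage-account>.blob.core.windows.net/?comp=list",
#                httr::add_headers(.headers = storage_headers))
```

The token string is never printed or written to disk; only the decoded claims are returned for the caller to log or assert on.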