Creating a Custom AzureAD App
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
When to Create a Custom Application
CData embeds OAuth application credentials (with CData branding) that can be used when connecting from either a desktop application or a headless machine. You may choose to use your own AzureAD application credentials when you want to:
- control branding of the Authentication Dialog
- control the redirect URI that the application redirects the user to after the user authenticates
- customize the permissions that you are requesting from the user
Custom AzureAD Applications
You can use a custom AzureAD application to authenticate a service account or a user account. You can always create a custom AzureAD application, but note that desktop and headless connections support embedded OAuth, which simplifies authentication. See "Establishing a Connection" for information about using the embedded OAuth application.
Create a Custom AzureAD App
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
- Log in to https://portal.azure.com.
- In the left-hand navigation pane, select Azure Active Directory, then App registrations, and click New registration.
- Enter an application name and select the desired tenant setup. When registering the application you define whether it is single- or multi-tenant. If you select the default option, "Accounts in this organizational directory only", you must set the AzureTenant connection property to the ID of the Azure AD tenant when establishing a connection with the CData JDBC Driver for Azure Synapse; otherwise the authentication attempt fails with an error. For an application used only within your own organization, "Accounts in this organizational directory only" is sufficient and is the most restrictive choice. Choose one of the multi-tenant options only if you intend to distribute the application to users in other tenants.
- Set the redirect URI to http://localhost:33333, the driver's default. If you use a different port, set the CallbackURL connection property to the exact reply URL you registered; Azure AD rejects a redirect URI that does not match the registered value exactly.
- Click Register to register the new application. This opens an application management screen. Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant.
- Navigate to Certificates & secrets and choose how the application authenticates. Two methods are available: a client secret or a certificate. A certificate is the recommended method: only the public certificate is uploaded to Azure AD and the private key stays with you, whereas a client secret is a shared password that must be copied into the driver configuration.
- Option 1: Upload a certificate: In Certificates & secrets, select Upload certificate and choose the certificate file to upload from your local machine.
- Option 2: Create a new application secret: In Certificates & secrets, select New client secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value immediately, because it is displayed only once; you will need it as the OAuthClientSecret. Store it in a secret store rather than in configuration checked into source control, and choose the shortest duration that your rotation process allows.
- Select API permissions > Add a permission. If the application connects without a user context, select Application permissions (and set OAuthGrantType = CLIENT). Otherwise, select Delegated permissions. Request only the permissions the connection actually needs.
- Save your changes.
- If you selected permissions that require admin consent (for example, application permissions), grant consent for the current tenant from the API permissions page.
- Set the AuthScheme connection property to AzureAD. This is required before creating the database user for the OAuth app.
- Add the application as a database user by running CREATE USER [OAuth_APP] FROM EXTERNAL PROVIDER, where the bracketed name is the display name of the application you registered. This statement must be run by the Azure AD admin assigned to the Azure Synapse instance. The new user has no permissions until you add it to the database roles it needs.
- Assign the Directory Readers role to the Azure AD admin user, so that it can read the directory when creating users from an external provider.
Custom AzureAD Service Principal Applications
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Create a Custom AzureAD App with an Azure Service Principal
Follow the steps below to obtain the AzureAD values for your application.
- Log in to https://portal.azure.com.
- In the left-hand navigation pane, select Azure Active Directory then App Registrations and click New registration.
- Enter an app name and select "Accounts in any organizational directory (Any Azure AD directory - Multitenant)". Then set the redirect URI to http://localhost:33333, the driver's default.
- After creating the application, copy the Application (client) ID value displayed in the Overview section. This value is used as the OAuthClientId.
- Define the app authentication type under Certificates & secrets. Two methods are available: a client secret or a certificate. A certificate is the recommended method.
- Option 1 - Upload a certificate: In Certificates & secrets, select Upload certificate and choose the certificate file to upload from your local machine.
- Option 2 - Create a new application secret: In Certificates & secrets, select New client secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value immediately, because it is displayed only once; you will use it as the OAuthClientSecret.
- On the Authentication tab, select Access tokens (used for implicit flows). Be aware that this enables the implicit grant for the application, which Microsoft treats as a legacy flow; enable only what this procedure calls for, and leave ID tokens unchecked unless they are needed.
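Both registration procedures above (the single-tenant app and the multi-tenant app with a service principal) can be scripted instead of clicked through, and doing so makes the recommended certificate option easy to get right. The script below is an added example, not CData's or Microsoft's code. It assumes openssl is on PATH for the certificate step, and Azure CLI 2.37 or later (az), already logged in with rights to create app registrations, for the registration step; the flag names used are those of the az ad app and az ad sp commands. It leaves the API permissions, admin consent, CREATE USER and Directory Readers steps to the portal and T-SQL as described above. The output directory, display name and CN are placeholders.

```shell
#!/bin/sh
# Added example (not CData's or Microsoft's code): generate a certificate for an
# Azure AD app registration and register the app with it. Only app.pem (the public
# certificate) is ever uploaded; app.key stays local with mode 0600.
set -eu

# Print the thumbprint Azure shows for a PEM certificate: SHA-1 over the DER
# encoding, upper-case hex, no colons. Use it to confirm the upload in the portal.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 \
    | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Generate a private key and a self-signed certificate for the registration.
# $1 = output directory, $2 = subject CN, $3 = validity in days.
# Writes $1/app.key (never upload) and $1/app.pem (upload under
# "Certificates & secrets", or pass to register_app) and prints the thumbprint.
make_app_cert() {
  dir=$1; cn=$2; days=$3
  mkdir -p "$dir" && chmod 700 "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -days "$days" -keyout "$dir/app.key" -out "$dir/app.pem" 2>/dev/null
  chmod 600 "$dir/app.key"
  cert_thumbprint "$dir/app.pem"
}

# Register the application, attach the certificate and create its service principal.
# $1 = display name (this is also the name used in CREATE USER [...] FROM EXTERNAL PROVIDER)
# $2 = certificate PEM from make_app_cert
# $3 = sign-in audience: AzureADMyOrg (single tenant; the driver then needs the
#      AzureTenant property) or AzureADMultipleOrgs (multi-tenant)
# $4 = redirect URI; must match the driver's CallbackURL exactly
# Prints the Application (client) ID, which becomes OAuthClientId.
register_app() {
  name=$1; cert=$2; audience=${3:-AzureADMyOrg}; redirect=${4:-http://localhost:33333}
  app_id=$(az ad app create --display-name "$name" --sign-in-audience "$audience" \
    --web-redirect-uris "$redirect" --query appId -o tsv)
  # --append adds the certificate without removing credentials already on the app
  az ad app credential reset --id "$app_id" --cert "@$cert" --append >/dev/null
  # The service principal is the identity that CREATE USER ... FROM EXTERNAL PROVIDER binds to
  az ad sp create --id "$app_id" >/dev/null
  printf '%s\n' "$app_id"
}

# Option 2 from the text: a client secret instead of a certificate. The value is
# printed once; capture it straight into a secret store, not into shell history or
# a config file under version control. It becomes OAuthClientSecret.
new_client_secret() {
  az ad app credential reset --id "$1" --append --years 1 --query password -o tsv
}

# Dispatcher; with no arguments the file only defines the functions above.
case "${1:-}" in
  cert)     make_app_cert "${2:?output dir}" "${3:?subject CN}" "${4:-365}" ;;
  register) register_app "${2:?display name}" "${3:?cert.pem}" \
                         "${4:-AzureADMyOrg}" "${5:-http://localhost:33333}" ;;
  secret)   new_client_secret "${2:?application id}" ;;
  *)        ;;
esac
```

Typical use: `sh register-app.sh cert ./keys my-synapse-app 365` prints the thumbprint and leaves keys/app.pem and keys/app.key behind; `sh register-app.sh register my-synapse-app ./keys/app.pem AzureADMultipleOrgs` registers the app with that certificate for the service-principal case and prints the client ID. The display name you pass is the one to use in the CREATE USER statement above, and a single-tenant registration (AzureADMyOrg) still needs the Directory (tenant) ID from the Overview page as AzureTenant.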