MicroStrategy ONE

Enable OIDC Authentication with Azure Databricks Using Azure AD

Starting in MicroStrategy ONE Update 11, MicroStrategy supports integration with Azure Databricks for single sign-on (SSO) using OpenID Connect (OIDC) authentication.

Learn to configure Databricks OIDC authentication with Azure Databricks using Azure AD:

Prerequisites

Configure Your Application in Azure AD

  1. Configure an Azure AD application for Azure Databricks SSO to add the additional resource permission for Azure Databricks. For more information, see https://learn.microsoft.com/en-us/azure/databricks/dev-tools/app-aad-token#configure-an-app-in-azure-portal.
  2. Go to the newly created app and click Authentication.
  3. Under Allow public client flows, toggle Enable the following mobile and desktop flows to Yes.

Assign an Azure AD User to the Azure Databricks Workspace

  1. Launch the workspace from the Azure Portal.
  2. Click your username and select Admin Settings from the drop-down.
  3. Click Add user.
  4. Enter the user email address.
  5. Click OK.
  6. Assign the user Databricks SQL access.

Configure MicroStrategy for Databricks OIDC Authentication

Create and Map a MicroStrategy User to an Azure AD User in Workstation

  1. Open the Workstation window.
  2. In the Navigation pane, click Environments.
  3. Log in to your environment. You must have administrator privileges.
  4. In the Navigation pane, click Users and Groups.
  5. Click the icon next to All Users.
  6. In the left pane, click Privileges and add the following privileges:
     • Access data from Databases, Google BigQuery, BigData, OLAP, BI tools
     • Create and edit database instances and connections
     • Create and edit database logins
     • Create configuration objects
     • Create dataset in Workstation
     • Configure project data source
     • Monitor Database Connections
     • Use Workstation
  7. In the left pane, click Authentication.
  8. Enter a user's email address in Trusted Authenticated Requires User ID.
  9. Click Save.

Configure MicroStrategy Library in Workstation

  1. Open the Workstation window.
  2. Connect to your Library environment using standard authentication. You must have administrator privileges.
  3. Right-click your connected environment and click Configure Enterprise Security > Configure OIDC.
  4. From the identity provider drop-down, select Azure.
  5. Copy the Mobile and desktop applications Redirect URIs and add them to the native application URIs in your Azure AD application.
  6. In Azure AD, go to your Azure AD application.
  7. Click Manifest and download the manifest file.
  8. In Workstation, upload the manifest file in MicroStrategy Configuration.
  9. In Azure AD, copy the OpenID Connect Metadata Document link:
    1. Go to your Azure AD application and click Overview > Endpoints.
    2. Click OpenID Connect metadata document and copy the link.
  10. In Workstation, paste the link in OpenID Connect Metadata Document.
  11. Click Save.
  12. Restart the web server.

For more information on enabling OIDC authentication, see Enable Single Sign-On with OIDC Authentication.

Configure MicroStrategy Web

  1. Go to the MicroStrategy Web admin page, at a URL similar to https://env-xxxxxx.customer.cloud.microstrategy.com/MicroStrategy/servlet/mstrWebAdmin.
  2. Find the connected Intelligence server and click Modify.
  3. Next to the trust relationship between the Web server and MicroStrategy Intelligence server, click Setup.
  4. Enter your user credentials with administrator privileges and click Create Trust Relationship.
  5. In the left pane, click Default properties.
  6. Select the checkbox next to OIDC Authentication.
  7. In OIDC Configuration, complete the fields.
  8. Click Save.
  9. Restart the web server.

Create an Enterprise Security Object

Create an enterprise security object for Azure AD using Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects.

The value of the scope should be 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default. Do not update the value of the scope field. For more information, see https://learn.microsoft.com/en-us/azure/databricks/dev-tools/service-prin-aad-token.
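A troubleshooting check for the scope above, added here as an example and not part of MicroStrategy's documentation: it decodes the claims of an access token and confirms that the audience is the Azure Databricks resource ID from the scope, that the token has not expired, and that an identity claim matches the email mapped to the MicroStrategy user. The signature is not verified, so this is a diagnostic only; the list of identity claim names and the sample-token helper are assumptions made for the example.

```python
import base64
import json
import time

# Resource ID taken from the scope value on this page (scope minus "/.default").
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
# Assumption: claims that may carry the sign-in name in an Azure AD token.
IDENTITY_CLAIMS = ("upn", "preferred_username", "email", "unique_name")


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def check_databricks_token(token, mapped_user_id, now=None):
    """Return a list of findings; an empty list means the claims look right."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if DATABRICKS_RESOURCE_ID not in audiences:
        findings.append(f"aud {aud!r} is not the Azure Databricks resource")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    names = {str(claims[c]).lower() for c in IDENTITY_CLAIMS if c in claims}
    if mapped_user_id.lower() not in names:
        findings.append("no identity claim matches the mapped MicroStrategy user")
    return findings


def make_sample_token(claims):
    """Build an unsigned, constructed token for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```
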

Create a Databricks Data Source with OIDC Single Sign-On

  1. Open the Workstation window.
  2. In the Navigation pane, click the icon next to Data Sources.
  3. Choose Databricks.
  4. Enter a Name.
  5. Expand the Default Database Connection drop-down and click Add New Database Connection.
  6. Enter a Name.
  7. Select OAuth from the Connection Method drop-down.
  8. Enter the required information:
    1. Log in to your Databricks workspace.
    2. Select your cluster to go to the Clusters management page.
    3. Click the Advanced Options drop-down.
    4. Click the JDBC/ODBC tab to find the Hostname, Port, HTTP Path, and Database.
    5. Enter the corresponding fields in your MicroStrategy Database Connection.
  9. In Workstation, select OIDC Single Sign-On from the Authentication Mode drop-down.
  10. Select the IAM created in Create an Enterprise Security Object.
  11. Click Save.
  12. Select the projects to which the data source is assigned and from which it can be accessed.
  13. Click Save.

Create a Databricks Data Source with OAuth

  1. Open the Workstation window.
  2. In the Navigation pane, click the icon next to Data Sources.
  3. Choose Databricks.
  4. Enter a Name.
  5. Expand the Default Database Connection drop-down and click Add New Database Connection.
  6. Enter a Name.
  7. Select OAuth from the Connection Method drop-down.
  8. Enter the required information:
    1. Log in to your Databricks workspace.
    2. Select your cluster to go to the Clusters management page.
    3. Click the Advanced Options drop-down.
    4. Click the JDBC/ODBC tab to find the Hostname, Port, HTTP Path, and Database.
    5. Enter the corresponding fields in your MicroStrategy Database Connection.
  9. In Workstation, select OAuth from the Authentication Mode drop-down.
  10. Select the IAM created in Create an Enterprise Security Object.
  11. Click Save.
  12. Select the projects to which the data source is assigned and from which it can be accessed.
  13. Click Save.

Test the OIDC Connection

Workstation

  1. Open the Workstation window.
  2. Check that the environment is using the Default OIDC authentication mode.

    1. Log in to your MicroStrategy environment.
    2. In the Navigation pane, click Environments.
    3. Right-click the environment you are using and click Edit Environment Information.
    4. Verify that Default OIDC is selected in Authentication Mode.
  3. Log in to your MicroStrategy environment using your Azure AD username and password.
  4. In the Navigation pane, click the icon next to Datasets.
  5. Select Data Import Cube, then click OK.
  6. Select the Databricks gateway.
  7. Select any of the import options and click Next.
  8. Select the data source you created.
  9. The namespaces and tables display.

Library

  1. Open MicroStrategy Library and click Log in with OIDC.
  2. In the toolbar, click the icon and choose Dashboard.
  3. Click Blank Dashboard and click Create.
  4. Click New Data and select the Databricks gateway.
  5. Select any of the import options and click Next.
  6. Select the data source you created.
  7. The namespaces and tables display.

Web

  1. Open MicroStrategy Web and log in using your Azure AD username and password.
  2. Click Create.
  3. Click Add External Data and select the Databricks gateway.
  4. Select any of the import options and click Next.
  5. Select the data source you created.
  6. The namespaces and tables display.