MicroStrategy ONE

Configure OAuth Parameters Using Microsoft Entra ID for Denodo

Starting in MicroStrategy ONE (December 2024), use Microsoft Entra ID, formerly known as Azure AD, to configure your OAuth parameters.

Configure Your Application in Microsoft Entra ID

  1. Configure a Microsoft Entra ID application for Denodo OAuth so that you can add the additional permission for Denodo.

    For more information, see Quickstart: Register an Application with the Microsoft Identity Platform.

  2. Go to your newly created app and in the left pane, click Authentication.

  3. In Allow public client flows, toggle Enable the following mobile and desktop flows to Yes.

  4. In the left pane, click Certificates & secrets under Manage.

  5. In Client secrets, click New client secret.

  6. Enter a Description and Expires value.

  7. Click Add and note the client secret value for later use.

  8. In the left pane, click Expose an API under Manage.

  9. Click Add a scope.

  10. Type a Scope name.

    The scope name should be the same name as the role in the database.

    For Denodo, scopes are the names of roles. Once Denodo has the scopes of the token, it obtains the roles with the same names and executes the request with the privileges granted to these roles.

  11. Type an Admin consent display name and Admin consent description.

  12. Click Save.

  13. In the left pane, click API permissions and click Add a permission.

  14. Click the My APIs tab and select your application.

  15. Select the check box next to the custom scope you created and click Add permissions.

  16. In the left pane, click Manifest and check if the requestedAccessTokenVersion is set to 2.

    If the value is not 2, update it to 2, and click Save.

Integrate Denodo with Microsoft Entra ID

For more information on enabling OAuth in Denodo, see the JWT section of Enabling OAuth Authentication.

  1. Open the Denodo Administration Tool and log in with an Administrator account.

  2. In the menu, click Administration and Server configuration.

  3. Click Server authentication and OAuth.

  4. Define the following values:

    • Select a validation mode: Select Use JWT.

    • Select the signing algorithm: Choose RS256.

    • Issuer: Use the value from your OpenID configuration. To find this value, use https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration.

    • JWKS URL: Use the value from your OpenID configuration. To find this value, use https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration.

    • Audience: Enter your Entra ID application client ID.

    • Scope field name: Type scp.

  5. Click OK.

  6. To create roles in Virtual DataPort and grant them the appropriate privileges, see Creating Roles.

    The role name is used in Expose an API in the Entra ID application.
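The following Python sketch is an added example, not part of the MicroStrategy or Denodo documentation. It decodes an access token without verifying its signature and lists where its claims disagree with the Denodo values from step 4 and the token version set in the manifest. The tenant ID, client ID, role name, and both sample tokens are constructed placeholders, and the ver, iss, and aud checks assume the Microsoft identity platform v2.0 access token format.

```python
import base64
import json

def b64url_json(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def preflight(token, issuer, audience, role):
    """List mismatches between a token and the Denodo OAuth settings (signature NOT verified)."""
    try:
        header_seg, payload_seg, _sig = token.split(".")
        header, claims = b64url_json(header_seg), b64url_json(payload_seg)
    except ValueError:
        return ["not a three-part JWT with JSON header and payload"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg {header.get('alg')!r}: Denodo expects RS256")
    if claims.get("ver") != "2.0":
        problems.append(f"ver {claims.get('ver')!r}: set requestedAccessTokenVersion to 2")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} differs from Issuer")
    if claims.get("aud") != audience:
        problems.append(f"aud {claims.get('aud')!r} differs from Audience (client ID)")
    if role not in str(claims.get("scp", "")).split():
        problems.append(f"scp {claims.get('scp')!r} lacks the role/scope {role!r}")
    return problems

def constructed_token(header, claims):
    # Builds an unsigned sample token for this demo; the third part is a dummy.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"

# Constructed placeholders, not real identifiers.
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
ROLE = "denodo_reader"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
HDR = {"typ": "JWT", "alg": "RS256"}
V2_TOKEN = constructed_token(HDR, {"ver": "2.0", "iss": ISSUER, "aud": CLIENT_ID, "scp": ROLE})
# Shaped like a version 1 token: different issuer host and an api:// audience.
V1_TOKEN = constructed_token(HDR, {"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/",
                                   "aud": f"api://{CLIENT_ID}", "scp": ROLE})

if __name__ == "__main__":
    for name, tok in (("v2", V2_TOKEN), ("v1", V1_TOKEN)):
        print(name, preflight(tok, ISSUER, CLIENT_ID, ROLE) or "matches the Denodo settings")
```

An empty list means the decoded claims line up with the Denodo settings; it does not mean the token is valid, because the signature and expiry are not checked here.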

Create Enterprise Security Objects

To create IAM objects, see Manage OAuth Enterprise Security with Identity and Access Management (IAM) Objects.

Client ID and Client Secret values can be found in Configure Your Application in Microsoft Entra ID.

Use the following format in Scope: openid offline_access api://<client id>/<scope name>. You can copy the api://<client id>/<scope name> value in Microsoft Entra from the Scopes section in Expose an API.