Overview
When configuring Dremio SSO authentication against an Azure Active Directory (Azure AD) identity provider (IdP), customers will note that the Dremio documentation lists User.Read.All and Group.Read.All as the required Microsoft Graph API Application Permissions. However, these permissions may be broader than a customer's environment or security requirements allow. This article describes the alternate, more granular permissions that can be set to get Dremio SSO working against Azure AD.
Applies To
All versions of Dremio.
Details
Although the Dremio documentation states that the Group.Read.All Application Permission is required for the Microsoft Graph API, the more granular GroupMember.Read.All permission also works. The minimum set of permissions Dremio can work with is therefore User.Read.All and GroupMember.Read.All.
Note: if you see a 403 error like the following, the Enterprise Application permissions are incorrect:
ERROR c.d.extusr.azuread.AzureGraphClient - Failure when getting url [https://graph.microsoft.com/v1.0/users/test-user-1@dremiosup.com] with response code 403
Below is a list of all the Azure AD Graph API calls Dremio uses:
user-get
user-list-transitivememberof
group-get
group-list
Additional tip: don't forget to set coordinator.web.auth.config in dremio.conf, pointing to the correct absolute path of azuread.json, e.g.
coordinator.web.auth.config: "/opt/dremio/conf/azuread.json"
Otherwise the following error might be seen when trying to sign in to Dremio as an Azure AD user:
2023-05-08 07:02:35,102 [qtp1109030187-227] ERROR c.d.extusr.azuread.AzureGraphClient - Failure when getting url [https://graph.microsoft.com/v1.0/groups?%24filter=%28displayName+eq+%27your-group-name%27%29] with response code 403: [org.glassfish.jersey.client.internal.HttpUrlConnector$2@ed65409]
Additionally, the DEBUG log message shown further below appears in the coordinator server.log once the following debug logging for Azure AD is enabled in dremio.conf:
<logger name="com.dremio.extusr.azuread" level="debug" />
<logger name="com.dremio.extusr.oauth" level="debug" />
<logger name="com.dremio.services.credentials.AzureVaultCredentialsProvider" level="debug" />
2023-05-08 07:02:35,102 [qtp1109030187-227] DEBUG c.d.e.a.AzureADUserGroupService - Failed to load group by name [your-group-name]
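As an added example (not part of this article or of Dremio's own code), the following script scans a coordinator server.log for the AzureGraphClient 403 failures quoted above and maps each failing Graph URL to the Dremio Graph call and the least-privilege Application Permission described in this article; the URL-to-permission mapping is an assumption drawn from that description, and the sample log lines are constructed.

```python
"""Scan a Dremio coordinator server.log for Azure AD Graph permission failures."""
import re
from urllib.parse import unquote, urlparse

# Matches the failure line format logged by c.d.extusr.azuread.AzureGraphClient.
FAILURE_RE = re.compile(
    r"AzureGraphClient - Failure when getting url \[(?P<url>[^\]]+)\] "
    r"with response code (?P<code>\d{3})"
)


def required_permission(url):
    """Assumed mapping: /users needs User.Read.All, group data needs GroupMember.Read.All."""
    path = unquote(urlparse(url).path).rstrip("/")
    if path.endswith("/transitiveMemberOf"):
        return "user-list-transitivememberof", "GroupMember.Read.All"
    if "/users" in path:
        return "user-get", "User.Read.All"
    if path.endswith("/groups"):
        return "group-list", "GroupMember.Read.All"
    if "/groups/" in path:
        return "group-get", "GroupMember.Read.All"
    return "unknown", "unknown"


def find_permission_failures(log_text):
    """Return (graph_call, permission, http_status) for each Graph failure line."""
    findings = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        call, perm = required_permission(m.group("url"))
        findings.append((call, perm, int(m.group("code"))))
    return findings


# Constructed sample log lines modelled on the ones quoted in the article.
SAMPLE_LOG = """\
2023-05-08 07:02:35,102 [qtp1109030187-227] ERROR c.d.extusr.azuread.AzureGraphClient - Failure when getting url [https://graph.microsoft.com/v1.0/users/test-user-1@dremiosup.com] with response code 403
2023-05-08 07:02:35,102 [qtp1109030187-227] ERROR c.d.extusr.azuread.AzureGraphClient - Failure when getting url [https://graph.microsoft.com/v1.0/groups?%24filter=%28displayName+eq+%27your-group-name%27%29] with response code 403: [org.glassfish.jersey.client.internal.HttpUrlConnector$2@ed65409]
2023-05-08 07:02:35,102 [qtp1109030187-227] DEBUG c.d.e.a.AzureADUserGroupService - Failed to load group by name [your-group-name]
"""

if __name__ == "__main__":
    for call, perm, code in find_permission_failures(SAMPLE_LOG):
        print(f"HTTP {code} on {call}: grant {perm} to the Enterprise Application")
```

Run it against a real server.log by replacing SAMPLE_LOG with the file contents; a 403 on user-get points at User.Read.All, while a 403 on group-list, group-get or user-list-transitivememberof points at GroupMember.Read.All.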
Further Reading
Dremio docs on setting up Azure AD: https://docs.dremio.com/current/get-started/cluster-deployments/customizing-configuration/dremio-conf/sso-config/