Summary
This article describes the Microsoft Graph API Application permissions that can be configured for the Azure application representing Dremio when trying to configure Dremio for Single Sign On (SSO) Authentication with AzureAD/Entra ID as the identity provider (IdP).
Reported Issue
When configuring Dremio for Single Sign On (SSO) Authentication with AzureAD, the customer's infra/security does not allow for such open application permissions for MS Graph API.
Overview
When configuring Dremio SSO Authentication with an identity provider (IdP) using Azure Active Directory (Azure AD), customers will note that the Dremio previously required Microsoft Graph API Application Permissions state setting User.Read.All and Group.Read.All. However, these permissions may be too open per specific customer environment/security requirements. This article explains alternate, more granular permissions that can be set to get Dremio working for SSO against Azure AD.
Relevant Versions Tools and Integrations
All versions of Dremio.
Steps to Resolve
Although the Dremio documentation previously may have stated using "Group.Read.All" Application Permissions for Microsoft Graph API, the more granular "GroupMember.Read.All" permission setting will work. So the least Dremio is able to work with are User.Read.All and GroupMember.Read.All.
Note: if you get a 403 error like this, the Enterprise Application permissions are incorrect:
ERROR c.d.extusr.azuread.AzureGraphClient - Failure when getting url [https://graph.microsoft.com/v1.0/users/test-user-1@dremiosup.com] with response code 403
Below is a list of all AAD graph API Dremio uses:
user-get
user-list-transitivememberof
group-get
group-list
Tips & Tricks
1. Don't forget to set coordinator.web.auth.config, pointing to the correct absolute path for azuread.json within the dremio.conf file.
i.e
coordinator.web.auth.config: " opt/dremio/conf/azuread.json"
Otherwise the following error might be seen when trying to use an Azure AD user in Dremio:
2023-05-08 07:02:35,102 [qtp1109030187-227] ERROR c.d.extusr.azuread.AzureGraphClient - Failure when getting url [https://graph.microsoft.com/v1.0/groups?%24filter=%28displayName+eq+%27your-group-name%27%29] with response code 403: [org.glassfish.jersey.client.internal.HttpUrlConnector$2@ed65409]
2. Also when enabling debug logging for AzureAD within dremio.conf:
<logger name="com.dremio.extusr.azuread" level="debug" />
<logger name="com.dremio.extusr.oauth" level="debug" />
<logger name="com.dremio.services.credentials.AzureVaultCredentialsProvider" level="debug" />
The following debug logging is seen in the Dremio server.log:
2023-05-08 07:02:35,102 [qtp1109030187-227] DEBUG c.d.e.a.AzureADUserGroupService - Failed to load group by name [your-group-name]
Additional Resources
Dremio docs on setting up Azure AD: https://docs.dremio.com/current/get-started/cluster-deployments/customizing-configuration/dremio-conf/sso-config/