Active Directory Enable Access for All Users at Tenant Level
- 1 Tenant Consent Configuration Guide
- 1.1 Step 1. Open Azure Portal
- 1.2 Step 2. Open Active Directory
- 1.3 Step 3. Click on App Registrations
- 1.4 Step 4. Search for the App Registration Name used by Lakehouse Optimizer
- 1.5 Step 5. Click on API Permissions
- 1.6 Step 6. Add Microsoft Graph permissions
- 1.7 Step 7. Add Azure Key Vault permissions
- 1.8 Step 8. Add AzureDatabricks permissions
- 1.9 Step 9. Add Service Management permissions
- 1.10 Step 10. Grant consent by Tenant admin
- 1.11 Step 11. Validation and Verification
Approval Required from IT Department
Depending on how your Azure subscription is configured by the IT department, you might come across the following “Approval required” screen. The approval must be granted by the IT department.
This is not related to any configuration performed by the LHM installation process.
Access can be granted for all registered users in the Active Directory tenant by following this guide. Once these steps are completed, approval will no longer be required for each user who tries to log in with single sign-on.
In other words, the following guide helps you configure the login process so that users with a valid AD account who sign in with single sign-on are logged in automatically, without having to click through “grant permissions” dialogs or contact IT for further approvals.
Tenant Consent Configuration Guide
Step 1. Open Azure Portal
https://portal.azure.com/#home
Step 2. Open Active Directory
Open Azure Active Directory from the portal menu, or search for “Azure Active Directory”.
Step 3. Click on App Registrations
Step 4. Search for the App Registration Name used by Lakehouse Optimizer
(1) Click on All Applications
(2) Search by the Client ID or the App Registration Name that you used during the installation process of Lakehouse Optimizer
(3) Click on app registration name
Step 5. Click on API Permissions
Step 6. Add Microsoft Graph permissions
(1) Click on Add a permission
(2) Click on Microsoft Graph in the right side panel
(3) Click on Delegated permissions
(4) Select the following permissions:
email
offline_access
openid
profile
(5) Click on Add permissions
Step 7. Add Azure Key Vault permissions
(1) Click on Add a permission
(2) Click on Azure Key Vault in the right side panel
(3) Select user_impersonation permission
(4) Click Add permission
Step 8. Add AzureDatabricks permissions
(1) Click on Add a permission
(2) Click on APIs my organization uses, the second tab in the right side panel
(3) Search for AzureDatabricks, typed exactly and without spaces, because this search box uses exact matching
(4) Click on AzureDatabricks in the right side panel
(5) Select user_impersonation permission
(6) Click Add permission
Step 9. Add Service Management permissions
(1) Click on Add a permission
(2) Click on Azure Service Management in the right side panel
(3) Select user_impersonation permission
(4) Click Add permission
At this point, your API permissions list should look like this:
Step 10. Grant consent by Tenant admin
Ask the tenant admin to click the grayed-out “Grant admin consent” button. It is disabled for everyone except users holding a tenant admin role, which is why this step must be done by the tenant admin.
This grants consent on behalf of all registered users in the Active Directory, so no individual user is asked to consent again.
Once this button is clicked, each permission on the API Permissions screen shows a green check mark (✅) in its status column, like this:
Step 11. Validation and Verification
Once all the previous steps are completed, any user with a valid AD account who signs in to Lakehouse Optimizer with single sign-on is automatically covered by the tenant-wide consent granted to the App Registration used by Lakehouse Optimizer. In other words, the user is logged in automatically, without having to click through “grant permissions” dialogs or contact IT for further approvals.
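The portal screenshots are one way to confirm the result of Steps 6 through 11; the check below is an added example (not part of this guide or of Lakehouse Optimizer) that does the same verification from the Azure CLI. It reads the OAuth2 permission grants of the app registration with `az ad app permission list-grants`, resolves each resource service principal's display name with `az ad sp show`, and reports any resource whose required delegated scopes are missing or were consented only per user (consentType `Principal`) rather than tenant-wide (consentType `AllPrincipals`, which is what the admin-consent button creates). The resource display names in `REQUIRED_SCOPES`, the helper names and the sample grant data are assumptions constructed for the example; the app ID is a placeholder you replace with your own.

```python
"""Verify tenant-wide admin consent for a Lakehouse Optimizer app registration.

Added example, not part of the original guide. Requires a logged-in Azure CLI
(`az login`) when run against a real tenant; the evaluation functions themselves
are pure and can be exercised with constructed data.
"""
import json
import subprocess
from typing import Dict, List

# Delegated scopes the guide asks for, keyed by the display name of the resource
# service principal (display names are an assumption; check keys on scope names).
REQUIRED_SCOPES: Dict[str, set] = {
    "Microsoft Graph": {"openid", "email", "profile", "offline_access"},
    "Azure Key Vault": {"user_impersonation"},
    "AzureDatabricks": {"user_impersonation"},
    "Azure Service Management": {"user_impersonation"},
}


def summarize_grants(grants: List[dict], resource_names: Dict[str, str]) -> Dict[str, dict]:
    """Group oauth2PermissionGrant objects by resource.

    Scopes from tenant-wide grants (consentType == "AllPrincipals") go into
    "tenant_scopes"; scopes from per-user grants ("Principal") go into
    "user_scopes" so the caller can tell the two apart.
    """
    summary: Dict[str, dict] = {}
    for grant in grants:
        name = resource_names.get(grant["resourceId"], grant["resourceId"])
        entry = summary.setdefault(name, {"tenant_scopes": set(), "user_scopes": set()})
        scopes = set(grant.get("scope", "").split())  # scope is a space-separated string
        if grant.get("consentType") == "AllPrincipals":
            entry["tenant_scopes"].update(scopes)
        else:
            entry["user_scopes"].update(scopes)
    return summary


def find_problems(summary: Dict[str, dict]) -> List[str]:
    """Return one human-readable line per resource that is not fully consented tenant-wide."""
    problems: List[str] = []
    for resource, wanted in REQUIRED_SCOPES.items():
        entry = summary.get(resource)
        if entry is None:
            problems.append(f"{resource}: no consent grant found")
            continue
        missing = wanted - entry["tenant_scopes"]
        if not missing:
            continue
        if missing <= entry["user_scopes"]:
            # Scopes exist, but only as per-user consent: users will still see
            # the "Approval required" / "grant permissions" dialog.
            problems.append(f"{resource}: consent is per-user only, not tenant-wide")
        else:
            problems.append(f"{resource}: missing tenant-wide scopes {sorted(missing)}")
    return problems


def _az(*args: str) -> object:
    """Run an Azure CLI command and parse its JSON output."""
    result = subprocess.run(["az", *args, "-o", "json"], check=True,
                            capture_output=True, text=True)
    return json.loads(result.stdout)


def check_app(app_id: str) -> List[str]:
    """Live check against the tenant: list the app's grants and evaluate them."""
    grants = _az("ad", "app", "permission", "list-grants", "--id", app_id)
    names = {g["resourceId"]: _az("ad", "sp", "show", "--id", g["resourceId"])["displayName"]
             for g in grants}
    return find_problems(summarize_grants(grants, names))


# Constructed sample data mirroring a half-finished configuration: Graph and Key
# Vault consented tenant-wide, Databricks consented by one user only, Service
# Management not consented at all. Resource IDs are placeholders.
SAMPLE_GRANTS = [
    {"resourceId": "sp-graph", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid email profile offline_access"},
    {"resourceId": "sp-kv", "consentType": "AllPrincipals", "principalId": None,
     "scope": "user_impersonation"},
    {"resourceId": "sp-adb", "consentType": "Principal", "principalId": "user-0001",
     "scope": "user_impersonation"},
]
SAMPLE_NAMES = {"sp-graph": "Microsoft Graph", "sp-kv": "Azure Key Vault",
                "sp-adb": "AzureDatabricks", "sp-arm": "Azure Service Management"}


def sample_problems() -> List[str]:
    """Evaluate the constructed sample offline."""
    return find_problems(summarize_grants(SAMPLE_GRANTS, SAMPLE_NAMES))


if __name__ == "__main__":
    for line in sample_problems():
        print(line)
    # For a real tenant: replace the placeholder with your app (client) ID.
    # print(check_app("<APP_REGISTRATION_CLIENT_ID>"))
```

An empty list from `check_app` means every resource in `REQUIRED_SCOPES` has a tenant-wide grant covering the scopes from Steps 6 through 9, which is the state the green check marks in Step 10 represent; a `consent is per-user only` line is the signature of the “Approval required” screen described at the top of this page.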