Authentication Service Principal

When users log in to DataCentral using their corporate Microsoft credentials (Entra ID / Azure AD), DataCentral must be registered as a trusted application within that directory.

This registration is known as the Authentication Service Principal (or Entra ID App Registration).


1. Inheriting vs. Overriding

DataCentral's multi-tenant architecture allows for two approaches to authentication:

  • Shared Host Authentication: The Host Administrator registers a single DataCentral application in their Entra ID directory. All Tenants use this shared application to authenticate users. This is simpler to manage but provides less isolation.
  • Dedicated Tenant Authentication: A Tenant Administrator registers a dedicated DataCentral application in their own organization's Entra ID directory. This provides strict isolation, allowing the Tenant to enforce their own Conditional Access policies (e.g., MFA, IP restrictions) and branding on the Microsoft login screen.

2. Registering the Application in Azure

If you are configuring a dedicated Authentication Service Principal for your Tenant, you must first create an App Registration in the Azure Portal.

  1. Log in to the Azure Portal as an Entra ID Administrator.
  2. Navigate to Microsoft Entra ID > App registrations.
  3. Click New registration.
  4. Provide a name (e.g., "DataCentral Portal").
  5. Select the supported account types (typically "Accounts in this organizational directory only").
  6. Under Redirect URI, select "Web" and enter the specific reply URL provided by DataCentral (e.g., https://yourtenant.datacentral.ai/signin-oidc).
  7. Click Register.

3. Configuring Authentication Settings

Once the application is registered, you must configure its authentication settings.

  1. In the App Registration menu, select Authentication.
  2. Under "Implicit grant and hybrid flows", ensure that the ID tokens checkbox is selected. DataCentral uses the OpenID Connect (OIDC) protocol, which relies on ID tokens to securely identify the logged-in user.
  3. Click Save.

4. Granting API Permissions

DataCentral requires minimal permissions to authenticate a user.

  1. In the App Registration menu, select API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph > Delegated permissions.
  4. Add the following permissions:
    • email (View users' email address)
    • openid (Sign users in)
    • profile (View users' basic profile)
  5. Click Add permissions.
  6. Important: An Entra ID Global Administrator must click "Grant admin consent for [Your Organization]".
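The same registration (sections 2 through 4, plus the two values section 5 asks for) can be scripted with the Azure CLI. This is an added example, not DataCentral's own tooling; it assumes `az login` has already been run as an Entra ID administrator, uses a placeholder display name and redirect URI, and relies on the well-known Microsoft Graph scope IDs noted in the comments. With `DRY_RUN=1` it prints the `az` commands instead of executing them so the flags can be reviewed first.

```shell
#!/bin/sh
# Added example (not DataCentral's own tooling): automates the App Registration
# steps with the Azure CLI. Assumes `az login` as an Entra ID administrator; the
# app name and redirect URI passed on the command line are placeholders.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph
# Well-known delegated scope IDs for openid / email / profile. Verify with:
# az ad sp show --id "$GRAPH_APP_ID" --query "oauth2PermissionScopes[].[value,id]"
SCOPE_OPENID="37f7f235-527c-4136-accd-4a02d197296e"
SCOPE_EMAIL="64a6cdd6-e70b-4a4d-9a06-4bd5c6bd6bd4"
SCOPE_PROFILE="14dad69e-099b-42c9-810b-d002981feec1"

# Manifest with exactly the three delegated scopes listed above and nothing
# broader (no User.Read, no application permissions): the consent stays minimal.
required_resource_access() {
  printf '[{"resourceAppId":"%s","resourceAccess":[' "$GRAPH_APP_ID"
  printf '{"id":"%s","type":"Scope"},' "$SCOPE_OPENID" "$SCOPE_EMAIL"
  printf '{"id":"%s","type":"Scope"}]}]\n' "$SCOPE_PROFILE"
}

# With DRY_RUN=1 the az commands are printed instead of executed, so the exact
# flags can be reviewed (and tested) before anything touches the directory.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Sections 2 and 3: single-tenant audience, the exact Web redirect URI, ID token
# issuance on and access token issuance off (OIDC sign-in only needs ID tokens).
# Prints the Application (Client) ID of the new registration.
create_app() {
  manifest=$(mktemp); required_resource_access > "$manifest"
  run az ad app create --display-name "$1" --sign-in-audience AzureADMyOrg \
    --web-redirect-uris "$2" --enable-id-token-issuance true \
    --enable-access-token-issuance false \
    --required-resource-accesses "@$manifest" --query appId -o tsv
  rm -f "$manifest"
}

# Section 4, step 6: tenant-wide admin consent for the delegated scopes.
grant_admin_consent() { run az ad app permission admin-consent --id "$1"; }

# Section 5: the two values to enter in DataCentral.
datacentral_settings() {
  tenant=$(run az account show --query tenantId -o tsv)
  printf 'Tenant ID: %s\nClient ID: %s\n' "$tenant" "$1"
}

# usage: sh register.sh "DataCentral Portal" https://yourtenant.datacentral.ai/signin-oidc
if [ "$#" -eq 2 ]; then
  client_id=$(create_app "$1" "$2")
  grant_admin_consent "$client_id"
  datacentral_settings "$client_id"
fi
```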

5. Configuring DataCentral

After the Azure configuration is complete, you must provide the details to DataCentral.

  1. Log in to DataCentral as a Tenant Administrator.
  2. Navigate to Administration > Settings > Authentication.
  3. Locate the Entra ID (Azure AD) section.
  4. Enter the following details from your Azure App Registration:
    • Tenant ID: Your Entra ID Directory (Tenant) ID.
    • Client ID: The Application (Client) ID of the App Registration.
  5. Click Save.

Users in your Tenant will now be redirected to your organization's specific Microsoft login page when accessing DataCentral.