ADLS as Private Data Storage
Follow this guide to configure your Alteryx Analytics Cloud (AAC) workspace to replace Alteryx Data Storage (ADS) with an instance of Azure Data Lake Storage (ADLS) that you own.
Limitations
Connectivity
No connectivity to external ADLS file-systems outside of the Storage Account used for Private Data Storage.
No connectivity to Amazon Redshift.
ADS isn't accessible while using ADLS as Private Data Storage.
Engine Availability
EMR Spark as an engine isn't supported.
Limited support for long-running jobs over 60 minutes with Photon as an engine. Longer jobs might result in a failed state.
Platform
You can't switch between Private Data Storage options (for example, S3 to ADLS or ADLS to S3).
After the initial release of ADLS as Private Data Storage, you must create a new workspace to enable the storage option.
Prerequisites
For Alteryx Analytics Cloud...
Be a user on a Professional or an Enterprise AACAAC plan.
Have a Workspace Admin role assigned to you.
Use ADS as the base storage. The workspace shouldn't be set up with another Private Storage option.
For Azure Data Lake Storage...
Have administrative access to these services:
Azure Portal
Microsoft Entra (Azure AD)
Azure Key Vault
Have administrative access to the file systems and storage account on ADLS.
Users must at least have the Storage Blob Data Contributor role or a similar custom role with these permissions:
Type
Permission
Description
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Delete a Blob.
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Return a Blob or a list of Blobs.
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Write to a Blob.
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
Moves the Blob from 1 path to another.
Data Actions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Returns the result of adding Blob content.
Actions
Microsoft.Storage/storageAccounts/blobServices/containers/read
Return a container or a list of containers.
Actions
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
Returns a user delegation key for the Blob service.
Step 1: Set Up Single Sign-On (SSO)
Follow this guide to configure SSO for your workspace using Microsoft Entra (Azure AD).
Step 2: Set Up Cloud Authorization
Important
If you use SAML SSO in your workspace, create a second application within Azure for your Cloud Authorization integration.
Establish a secure connection between AACAAC and your ADLS location.
Step 2a: Create an Application on Azure Portal
Sign in to your Azure Portal as an administrator.
Go to the Applications > App Registration page.
Select New Registration.
In the Name field, enter a name for your app. For example, the name of your AACAAC workspace.
In the Redirect URI dropdown, select
Web
and then enter the Callback URL. Follow this template:https://{platformEnvironment}/workspace/${workspaceName}/sso/azureCallback
. Example:https://us1.alteryxcloud.com/workspace/YOUR-WORKSPACE/sso/azureCallback
Select Register.
Note and copy your Application (Client) ID and Directory (Tenant) ID. You will use these later in Step 2c.
Go to your application’s API Permissions page.
Select Add a permission and then select Microsoft Graph.
Select Delegated permissions.
Check the box next to email, profile, user.read, openid, and offline_access.
Select Add permissions.
Again select Add a permission and then select Azure Storage.
Select Delegated permissions.
Check the box next to user_impersontation.
Select Add permissions.
Go to your application's Certificates & secrets page. and then select the Client secrets tab.
Select New client secret.
In the Description field, enter a description of your app. For example, the name of your AACAAC workspace.
Set Expires to an appropriate value and then select Save.
Note and copy the secret Value. You will use this later in Step 2b.
Go to the Federated Credentials tab. and then select Add credential.
From the Federated credential scenario dropdown, select Other issuer.
In the Issuer field, enter
https://accounts.google.com
.In the Subject Identifier field, enter 1 of these options based on your AACAAC enironment location:
US1:
115363405640771453608
EU1:
103517307997047250975
AU1:
106202870273509843893
In the Name field, enter
AccessFromAlteryx
.Select Save.
Step 2b: Configure a Key Vault on Azure Portal
Go to the Key Vaults page on your Azure Portal.
Select Create.
Under the Basics tab, select appropriate values for Subscription and Resource Group per your organization's requirements.
In the Key valut name field, enter a name for your key vault. For example, the name of your AACAAC workspace.
Select Next to go to the Access configurations tab.
Set the Permissions model to Vault access policy and then select Create under Access policies. A Create an access policy dialog appears.
In the access policy dialog under the Permissions tab, check all Secret permissions boxes.
Select Next to go to the Principal tab.
On the Principals tab, search for the app you created previously in Step 2a. Once you've located the app, select it and then select Next.
On the next Application tab, no action is needed. Select Next to continue.
On the Review + create tab, select Create. This action closes the access policy dialog and creates a new Access Policy for your application.
Return to the Create key vault dialog for your app. Select Review + Create and then select Create. This action initiates the deployment of your key vault.
Once the deployment completes, under Next Steps, select Go to resource. This action takes you to the Key Vault Overview page.
On the Key Vault Overview page, go to Secrets and then select Generate/Import to assign a secret.
In the Name field, enter a name for your secret. For example, the name of your AACAAC workspace.
In the Secret field, enter your app's secret Value you copied previously in Step 2a.
Select Create and then copy the Key Vault Secret Name. You will use this later in Step 2c.
Go to Overview and then copy the Vault URI. You will use this later in Step 2c.
Step 2c: Configure Cloud Authorization on AACAAC
Return to your AACAAC workspace.
Go to Profile menu > Workspace Admin > Private Data Handling > Cloud Authorization and then select Microsoft Azure.
Important
AACAAC requires SSO before proceeding. If you haven't set up SSO for this workspace, follow this guide.
Enter the Azure AD Tenant ID you copied in Step 2a after creating an app on the Azure Portal.
Enter the Azure AD Client ID you copied in Step 2a after creating an app on the Azure Portal.
Enter the Azure AD Client Secret Name you copied in Step 2b after creating a key vault on the Azure Portal.
Enter the Azure Key Vault URL you copied in Step 2b after creating a key vault on the Azure Portal.
Select Save.
Step 3: Set Up ADLS as Private Data Storage
Follow these steps to set ADLS as the Private Data Storage location in your AACAAC workspace.
Within your AACAAC workspace, go to Profile menu > Workspace Admin > Private Data Handling > Storage and then select Azure Data Lake Storage (ADLS).
In the Account Name, enter your ADLS Storage Account name.
In the Default Root Filesystem field, enter the default container for users. Note that users can override the default location in Profile menu > Preferences > Storage.
To validate your credentials, select Save. If valid, a pop-up window appears to confirm the configuration of ADLS as Private Data Storage. Follow the on-screen instructions.
ADLS as Private Data Storage is now complete. For users to access the storage, ensure users have access to ADLS and have at least a Storage Blob Data Contributor role or similar in Azure.
To access your ADLS data, go to the Data page and select Azure Data Lake Storage from the left pane. You can also access your data in your Designer Cloud workflows.