When the  is deployed on Azure, it can be configured to provide single sign-on (SSO) with Azure AD (Active Directory) authentication management. Use this section to enable auto-logins for Azure users.  

Supported authentication models:

Users can authenticate with the  using Azure AD accounts in the following scenarios:

Azure Data Lake Store: Users can obtain OAuth access and refresh tokens from Azure AD and use the tokens to access ADLS.

Domain-Joined Clusters: Using Azure AD, the  can be deployed to a domain-joined HDInsight cluster and can run jobs as the authenticated AD user via secure Hadoop impersonation. For more information, see Configure for HDInsight.


  1. You have installed the  on Microsoft Azure. See Install from Azure Marketplace.
  2. You have performed the basic configuration for Azure integration. See Configure for Azure.
  3. Your enterprise uses Azure SSO for User Identity and Authentication.
  4. The  must be registered as a Service Provider in your Azure AD tenant. 
  5. Please acquire the following Service Provider properties:
    1. The Service Provider Application ID (Client ID) and Key (Secret) are used for user authentication to the Azure Key Vault, Azure AD, and Azure Data Lake Store (if connected). These properties are specified in the  as part of the basic Azure configuration.

      NOTE: The must be assigned the Reader role for the Azure Key Vault. Other permissions are also required. See the Azure Key Vault Permissions section below.

    2. The Service Provider Reply URL provides the redirect URL after the user has authenticated with Azure AD.
    3. The Service Provider should be granted Delegated permissions to the Windows Azure Service Management API so it can access Azure Service Management as organization users.


  1. When Azure SSO is enabled, use of the command line interface (CLI) and the publicly available REST APIs is not supported.
  2. Scheduled jobs are run under the access keys for the user who initially created the schedule. They continue to run as scheduled until those keys are explicitly revoked by an admin.

NOTE: With Azure SSO enabled, use of custom dictionaries is not supported.

Configure Azure AD for 

Please verify or perform the following configurations through Azure.

Azure Key Vault Permissions

For the Azure Key Vault:

Configure  for Azure AD

Azure AD Properties

Please configure the following properties. 


Set this value to true to enable Azure AD Single Sign-On. The authenticates users through enterprise Azure AD.


Set this value to the redirect URL callback configured for this Azure AD application in the Azure portal. The URL is in the following format:


azure.sso.allowHttpForRedirectUrl: When true, the redirectUrl can be specified as an insecure, non-HTTPS value. Default is false.

Set this value to true to enable SSO users to automatically register and log in to the when they connect.


This value defines the Azure AD resource for which to obtain an access token.

NOTE: By default, this value is https://datalake.azure.net/ . In most scenarios, this value does not need to be modified.

This default value requires that the application be granted access to the Azure Data Lake API permissions, which is expected in the default Azure deployment.

NOTE: Do not set this value to the URL of the .

User Management

Tip: After SSO is enabled, the first AD user to connect to the platform is automatically registered as an admin user.

Configure auto-registration

Enabling auto-registration:

Auto-registration must be enabled for the  and for Azure AD SSO specifically.

webapp.sso.enableAutoRegistration: This property has no effect in Azure.
azure.sso.enableAutoRegistration: Set this value to true. For more information, see Azure AD Properties above.

How users are managed depends on whether auto-registration is enabled:


After SSO with auto-registration has been enabled, you can still manage users through the Admin Settings page, with the following provisions:

For more information, see Manage Users.


To disable auto-provisioning in the platform, please verify the following property:

  1. Set the following property:

    "webapp.sso.enableAutoRegistration" : false,

  2. Save your changes and restart the platform.
  3. New users of the  must be provisioned by a . See below. 

Provision new users under SSO without auto-registration

If SSO auto-registration is disabled, admin users can provision new users of the platform through the following URL:


Disable user

If a user has been disabled in Azure AD, a must disable the user in the . Otherwise, the user can still access the .

For more information on disabling user accounts, see Manage Users.
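Because disabling an account in Azure AD does not disable it in the platform, and scheduled jobs keep running under their creator's access keys until those keys are revoked, a periodic reconciliation of the two user lists is useful. The following is an added example, not part of the product or its documentation: the Azure AD records use the Microsoft Graph properties userPrincipalName and accountEnabled, while the platform user and schedule records and their field names are hypothetical, and all sample data is constructed.

```python
import json

# Constructed sample of Azure AD users. userPrincipalName and accountEnabled
# are properties of the Microsoft Graph user resource.
AAD_USERS = json.loads("""[
  {"userPrincipalName": "alice@example.com", "accountEnabled": true},
  {"userPrincipalName": "bob@example.com", "accountEnabled": false},
  {"userPrincipalName": "carol@example.com", "accountEnabled": false}
]""")

# Constructed platform data. The field names are hypothetical; adapt them to
# whatever user and schedule listing your deployment provides.
PLATFORM_USERS = [
    {"email": "Alice@example.com", "disabled": False},
    {"email": "bob@example.com", "disabled": False},
    {"email": "carol@example.com", "disabled": True},
    {"email": "dave@example.com", "disabled": False},
]
SCHEDULES = [
    {"name": "nightly-load", "owner": "carol@example.com"},
    {"name": "weekly-report", "owner": "alice@example.com"},
]


def norm(address):
    """Compare identities case-insensitively."""
    return address.strip().lower()


def reconcile(aad_users, platform_users, schedules):
    """Return platform accounts and schedules that outlive their AD identity."""
    known = {norm(u["userPrincipalName"]) for u in aad_users}
    off = {norm(u["userPrincipalName"]) for u in aad_users if not u["accountEnabled"]}
    findings = {"still_active": [], "not_in_aad": [], "schedules_to_review": []}
    for user in platform_users:
        email = norm(user["email"])
        if user["disabled"]:
            continue
        if email in off:  # disabled in Azure AD, still enabled on the platform
            findings["still_active"].append(email)
        elif email not in known:  # no matching Azure AD identity at all
            findings["not_in_aad"].append(email)
    for job in schedules:
        # Schedules keep running under the creator's access keys until revoked.
        if norm(job["owner"]) in off:
            findings["schedules_to_review"].append(job["name"])
    return findings


if __name__ == "__main__":
    print(json.dumps(reconcile(AAD_USERS, PLATFORM_USERS, SCHEDULES), indent=2))
```

Accounts listed under still_active should be disabled in the platform, and schedules listed under schedules_to_review are candidates for having their owner's access keys revoked.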

User Access

Users access the application through the :