Microsoft Authenticator

This node provides authentication to access Microsoft Azure and Office 365 cloud services. It supports the standard authentication of Azure AD/Office 365 (based on OAuth 2), as well as authentication mechanisms specific to Azure Storage.

Options

Authentication type
Authentication type to use. The following types are supported:
  • Interactive (OAuth 2): Interactive user login in your web browser, when you click on Login. In the browser window that pops up, you may be asked to consent to the scopes of access. The acquired access token is typically valid only for a short amount of time, after which you need to log in again. Technically, this uses the OAuth 2.0 authorization code flow.
  • Username/Password (OAuth 2): Non-interactive user login. This is well-suited for workflows on KNIME Hub. However, you cannot consent to the scopes of access, so consent must be given beforehand, e.g. during a previous interactive login, or by an Azure AD directory admin. In addition, accounts that require multi-factor authentication (MFA) will not work. Technically, this uses the OAuth 2.0 Resource Owner Password Credentials flow.
  • Client/Application secret (OAuth 2): Non-interactive login as the service principal of the configured client/app. This is well-suited for workflows on KNIME Hub. Technically, this uses the OAuth 2.0 client credentials flow. Microsoft Azure cloud services are accessed on behalf of the application's service principal, not on behalf of a user (see here).
  • Azure storage shared key: Authenticates using an Azure storage account and its secret key. Can only be used to access Azure Blob Storage and Azure Data Lake Storage Gen2.
  • Azure Storage shared access signature (SAS): Authenticates using a shared access signature (SAS). Can only be used to access Azure Blob Storage and Azure Data Lake Storage Gen2. For more details on shared access signatures see here.
Tenant ID/Domain
The directory tenant the application plans to operate against, in ID or domain-name format, for example cf47ff49-7da6-4603-b339-f4475176432b, or mycompany.onmicrosoft.com.
Username and password
The username and password to use.
Client/App ID and secret
The client/app ID and secret to use.
Storage account and shared key
The storage account name and shared key (also called access key) to use.
Service SAS URL
The Azure Service SAS URL. Note that only Service SAS is supported. The SAS URL must delegate access to the Blob storage service, or an object within.
How to select scopes
Scopes are permissions that need to be requested during login. They specify what the resulting access token can be used for. This setting defines whether to select scopes from a list of predefined standard scopes or to enter custom scopes manually.
Standard scopes (delegated permissions)
Choose scopes from a predefined list of standard scopes. These scopes are delegated permissions and define what the resulting access token can be used for.
Standard scopes (application permissions)
Choose scopes from a predefined list of standard scopes. These scopes are application permissions and define what the resulting access token can be used for.
Custom scopes
Enter a list of custom scopes to request during login. These scopes are permissions and define what the resulting access token can be used for.
Azure Storage account
If the Azure Blob Storage/Azure Data Lake Storage Gen2 scope is chosen, then this field specifies the specific Azure storage account to request access to.
Which authorization endpoint to use
Whether to use the Microsoft default authorization endpoint, or a custom one.
Endpoint URL
Custom authorization endpoint URL to use.
Which client/app to use
Whether to use the KNIME default app, or enter a custom one. The KNIME default app is called "KNIME Analytics Platform" and its ID is cf47ff49-7da6-4603-b339-f4475176432b.
ID
The custom client/app ID to use.
Redirect URL (should be http://localhost:XXXXX)
Redirect URL to use during interactive login. Technical note: Only URLs such as http://localhost:37489 are allowed (localhost, no https, random non-privileged port number). Any URL entered here must be part of the configuration of your custom app.
HTTP User-Agent
Whether to use the default HTTP User-Agent or a custom one, when fetching the OAuth2 access token. The default User-Agent is OS-specific, for example "KNIME (Windows 11)". A custom User-Agent only needs to be set in rare cases, for example if the default User-Agent is rejected by a conditional access rule in Azure Entra ID.
Custom HTTP User-Agent
Sets a custom HTTP User-Agent when fetching the OAuth2 access token. This only needs to be set in rare cases, where the default KNIME User-Agent is rejected.
Login
Clicking on Login opens a new browser window/tab in which you can log in to the service interactively.
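
The Service SAS URL option above accepts only a Service SAS that delegates access to the Blob storage service. The following added example (not part of the KNIME node or its documentation) inspects a SAS URL before it is pasted into the node and reports why it would be unsuitable or risky. The function name `check_sas_url`, the `max_days` and `allowed_perms` policy values, the `.blob.` host heuristic and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed samples: account name, container and signature are placeholders.
SERVICE_SAS = ("https://examplestore.blob.core.windows.net/reports?sv=2022-11-02"
               "&sr=c&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
ACCOUNT_SAS = ("https://examplestore.blob.core.windows.net/?sv=2022-11-02"
               "&ss=b&srt=sco&sp=rwdl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER")

def check_sas_url(url, now=None, max_days=7, allowed_perms="rl"):
    """Return a list of findings; an empty list means every check passed.
    max_days and allowed_perms are local policy choices, not Azure limits."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []  # findings never echo sig, so they are safe to log
    if parts.scheme != "https":
        findings.append("URL scheme is not https")
    if ".blob." not in (parts.hostname or ""):  # heuristic for Blob endpoints
        findings.append("host does not look like a Blob storage endpoint")
    if "ss" in q or "srt" in q:
        findings.append("account SAS (ss/srt present), not a service SAS")
    elif "skoid" in q:
        findings.append("user delegation SAS (skoid present), not a service SAS")
    elif q.get("sr") not in {"b", "c", "bv", "bs", "d"}:
        findings.append("sr does not name a Blob resource")
    if "sig" not in q:
        findings.append("sig parameter is missing")
    if q.get("spr", "https,http") != "https":  # spr defaults to https,http
        findings.append("spr does not restrict use of the token to https")
    if "se" in q:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only values are UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("token has expired")
        elif expiry - now > timedelta(days=max_days):
            findings.append(f"token stays valid for more than {max_days} days")
    elif "si" not in q:  # a stored access policy (si) may carry the expiry
        findings.append("no expiry (se) and no stored access policy (si)")
    extra = set(q.get("sp", "")) - set(allowed_perms)
    if extra:
        findings.append("grants permissions beyond policy: " + "".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    for name, url in (("service", SERVICE_SAS), ("account", ACCOUNT_SAS)):
        print(name, check_sas_url(url) or "ok")
```

A workflow that writes to storage needs a wider `allowed_perms` than the read/list default used here.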

Input Ports

This node has no input ports

Output Ports

Credential with an OAuth 2 access token, or shared key/SAS URL for Azure Storage, depending on the chosen authentication type.

Views

This node has no views