Microsoft Authenticator

This node provides authentication to access Microsoft Azure and Office 365 cloud services. It supports the standard authentication of Azure AD/Office 365 (based on OAuth 2), as well as authentication mechanisms specific to Azure Storage.

Options

Authentication type
Authentication type to use. The following types are supported:
  • Interactive (OAuth 2): Interactive user login in your web browser, when you click on Login. In the browser window that pops up, you may be asked to consent to the scopes of access. The acquired access token typically will only be valid for a short amount of time, then you need to login again. Technically, this uses the OAuth 2.0 authorization code flow.
  • Username/Password (OAuth 2: Non-interactive user login. This is well-suited for workflows on KNIME Hub, however you cannot to consent to the scopes of access, hence consent must be given beforehand, e.g. during a previous interactive login, or by an Azure AD directory admin. Second, accounts that require multi-factor authentication (MFA) will not work. Technically, this uses the OAuth 2.0 Resource Owner Password Credentials flow.
  • Client/Application secret (OAuth 2): Non-interactive login as the service principal of the configured client/app. This is well-suited for workflows on KNIME Hub. Technically, this uses the OAuth 2.0 client credentials flow. MicrosoftAzure cloud services are accessed on behalf of the application's service principal, not on behalf of a user (see here).
  • Azure storage shared key: Authenticates using an Azure storage account and its secret key. Can only be used to access Azure Blob Storage and Azure Data Lake Storage Gen2.
  • Azure Storage shared access signature (SAS): Authenticates using a shared access signature (SAS). Can only be used to access Azure Blob Storage and Azure Data Lake Storage Gen2. For more details on shared access signatures see here.
Tenant ID/Domain
The directory tenant the application plans to operate against, in ID or domain-name format, for example cf47ff49-7da6-4603-b339-f4475176432b, or mycompany.onmicrosoft.com.
Username and password
The username and password to use.
Client/App ID and secret
The client/app ID and secret to use.
Storage account and shared key
The storage account name and shared key (also called access key) to use.
Service SAS URL
The Azure Service SAS URL. Note that only Service SAS is supported. The SAS URL must delegate access to the Blob storage service, or an object within.
Scope type
Scopes are permissions that need to be requested during login. They specify what the resulting access token can be used for. This setting defines whether to select scopes from a list of predefined standard scopes or to enter custom scopes manually.
Standard scopes (delegated permissions)
Choose scopes from a predefined list of standard scopes. These scopes are delegated permissions and define what the resulting access token can be used for.
Standard scopes (application permissions)
Choose scopes from a predefined list of standard scopes. These scopes are application permissions and define what the resulting access token can be used for.
Custom scopes
Enter a list of custom scopes to request during login. These scopes are permissions and define what the resulting access token can be used for.
Azure Storage account
If the Azure Blob Storage/Azure Data Lake Storage Gen2 scope is chosen, then this field specifies the specific Azure storage account to request access to.
Which authorization endpoint to use
Whether to use the Microsoft default authorization endpoint, or a custom one.
Custom endpoint URL
Custom authorization endpoint URL to use.
Which client/app to use
Whether to use the KNIME default app, or enter a custom one. The KNIME default app is called "KNIME Analytics Platform" and its ID is cf47ff49-7da6-4603-b339-f4475176432b.
ID
The custom client/app ID to use.
Redirect URL (should be http://localhost:XXXXX)
Redirect URL to use during interactive login. Technical note: Only URLs such as http://localhost:37489 are allowed (localhost, no https, random non-privileged port number). Any URL entered here must be part of the configuration of your custom app.
HTTP User-Agent
Whether to use the default HTTP User-Agent or a custom one, when fetching the OAuth2 access token. The default User-Agent is OS-specific, for example "KNIME (Windows 11)". A custom User-Agent only needs to be set in rare cases, for example if the default User-Agent is rejected by a conditional access rule in Azure Entra ID.
Custom HTTP User-Agent
Sets a custom HTTP User-Agent when fetching the OAuth2 access token. This only needs to be set in rare cases, where the default KNIME User-Agent is rejected.
Login
Clicking on login opens a new browser window/tab which allows to interactively log into the service.

Input Ports

This node has no input ports

Output Ports

Icon
Credential with an OAuth 2 access token, or shared key/SAS URL for Azure Storage, depending on the chosen authentication type.

Popular Predecessors

  • No recommendations found

Popular Successors

  • No recommendations found

Views

This node has no views

Workflows

Links

Developers

You want to see the source code for this node? Click the following button and we’ll use our super-powers to find it for you.