Microsoft Authenticator (Deprecated)

This Node Is Deprecated — This node is kept for backwards-compatibility, but the usage in new workflows is no longer recommended. The documentation below might contain more information.

This node provides authentication to access Microsoft Azure and Office 365 cloud services.

It supports these authentication modes:

  • Interactive authentication: Performs an interactive user login in your web browser when you click on Login. In the browser window that pops up, you may be asked to consent to the requested level of access. The login results in a token being stored in a configurable location. The token will be valid for a certain amount of time that is defined by your Azure AD settings. Technically, the login uses the OAuth 2.0 authorization code flow.
  • Username/password authentication: Performs a non-interactive user login to obtain a fresh token every time the node executes. Since this login is non-interactive and you get a fresh token every time, this mode is well-suited for workflows on KNIME Server/Hub. However, it also has some limitations: First, you cannot consent to the requested level of access, hence consent must be given beforehand, e.g. during a previous interactive login, or by an Azure AD directory admin. Second, accounts that require multi-factor authentication (MFA) will not work. Technically, the login uses the OAuth 2.0 Resource Owner Password Credentials flow.
  • Client/Application secret authentication: Performs a non-interactive application login to obtain a fresh token every time the node executes. Since this login is non-interactive and you get a fresh token every time, this mode is well-suited for workflows on KNIME Server/Hub. Please note, however, that Microsoft Azure/Office 365 cloud services are accessed on behalf of the application, not on behalf of a user (see here). Technically, the login uses the OAuth 2.0 client credentials flow.
  • Shared key authentication (Azure Storage only): Specific to Azure Blob Storage and Azure Data Lake Storage Gen2. Performs authentication using an Azure storage account and its secret key.
  • Shared access signature (SAS) authentication (Azure Storage only): Specific to Azure Blob Storage and Azure Data Lake Storage Gen2. Performs authentication using shared access signature (SAS). For more details on shared access signatures see the Azure storage documentation.

Options

Interactive authentication

Login
Click Login to open a browser window, where you can login with your Microsoft identity and, if necessary, consent to the requested access level (see below). The login results in a token being stored in a configurable location (see below).
Token storage
Allows to define where the token obtained during login gets stored:
  • Memory: The token is temporarily stored in-memory. The token will be removed once the workflow is closed.
  • File: Allows to specify a file where the token will be written to (in encrypted form) upon login, and read from when the node is executed. This allows the same token to be used by nodes in different workflows. Note that the file is (over)written every time you successfully login.
  • Node: The token is persistently stored (in encrypted form) in the settings of this node and will be saved with the workflow.
Clear selected
Clears the token from the currently selected storage. Please note that when File is selected as storage, then the specified file will be deleted.
Clear all
Clears the token from all selected storages. Please note that any file specified in the File storage option will be deleted.
Request access to

Allows to define which permissions should be requested for the token during login.

Technical note: Selecting any option here will request certain delegated permissions (OAuth2 scopes) so that the Azure AD app registered by KNIME can perform API calls on behalf of the logged in user. The Azure AD App is called KNIME Analytics Platform and its Application ID is cf47ff49-7da6-4603-b339-f4475176432b.

Each option corresponds to one or more permissions:

  • Sharepoint files and list items (Read): Requests the Sites.Read.All permission. This permission allows the token to be used for reading files and list items stored on SharePoint Online. Note that access to any specific SharePoint site needs to be additionally granted to the user by that site.
  • Sharepoint files and list items (Read/Write): Requests the Sites.ReadWrite.All permission. This permission allows the token to read and write files as well as list items stored on SharePoint Online. This includes creating and deleting files, but not lists. Note that access to any specific SharePoint site needs to be additionally granted to the user by that site.
  • Sharepoint files, lists and list items (Read/Write): Requests the Sites.Manage.All permission. This permission allows the token to read and write files, lists as well as list items stored on SharePoint Online. This includes creating and deleting files as well as lists. Note that access to any specific SharePoint site needs to be additionally granted to the user by that site.
  • User Groups (Read)(Requires admin consent): Requests the Directory.Read.All permission. This permission is required to browse the Office 365 groups that the logged in user is a member of, when selecting a SharePoint team site to connect to. Note that this permission can only be granted by an Azure AD admin.
  • User Groups (Read)(Limited): Requests the User.Read permission. This permission is required to browse the Office 365 groups that the logged in user is a member of, when selecting a SharePoint team site to connect to. This permission does not require consent by an admin, but cannot access the human-readable names of Office 365 groups, hence only technical IDs will be displayed.
  • Azure Blob Storage/Azure Data Lake Storage Gen2: Requests the user_impersonation permission for a specific Azure storage account. This permission allows the token to access data stored in that storage account. Note that access to any specific data in that account needs to be additionally granted to the user, before any access is possible.
  • Azure SQL Database: Requests the user_impersonation permission. This permission allows the token to access the Azure SQL API. Note that access to any specific databases/resources needs to be additionally granted to the user, before any actual access is possible.
  • Power BI: Requests the Dataset.ReadWrite.All and Workspace.Read.All permissions. This permission allows the token to access the Power BI API in order to list Power BI workspaces (required to get the identifier of the selected Power BI workspace), and read/write datasets. Note that access to any specific Power BI resources needs to be additionally granted to the user, before any actual access is possible.
  • Others (one per line): Requests the permissions entered by the user. You can use this option to enter any OAuth2 scopes that are not already predefined above. An OAuth scope is specified as a URI, consisting of a resource identifier (Application ID URI) and a permission, for example "https://outlook.office.com/mail.read". This can also be used to access non-Microsoft services such as Snowflake, which are integrated with the Microsoft Identity platform. You can enter multiple scopes in the list, one per line.
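To make the scope syntax of the Others option concrete, the following Python script is an added example (not code from the node or from KNIME) that parses the newline-separated contents of such a box, splits each scope into its resource identifier and permission, groups the scopes by resource and lists the permissions a reviewer should look at before consenting. It assumes that a bare permission name such as Sites.Read.All resolves to Microsoft Graph, and the marker list used to flag write-level permissions is this example's own.

```python
from urllib.parse import urlsplit

# Scopes entered without a resource prefix (e.g. "Sites.Read.All") are assumed,
# for this example, to be Microsoft Graph permissions; that is how the
# Microsoft identity platform resolves resource-less scope names.
DEFAULT_RESOURCE = "https://graph.microsoft.com"

# Substrings marking a permission as more than read-only. Assumed for this
# example from Microsoft's permission naming convention; ".default" is included
# because it requests every permission statically consented for the app.
REVIEW_MARKERS = ("readwrite", "manage", "write", "user_impersonation", ".default")


def parse_scope(raw):
    """Split one OAuth2 scope into (resource identifier, permission name).

    A scope URI such as "https://outlook.office.com/mail.read" consists of the
    resource's Application ID URI followed by the permission as its last
    path segment. Returns None for blank lines.
    """
    raw = raw.strip()
    if not raw:
        return None
    if "://" not in raw:
        return DEFAULT_RESOURCE, raw
    parts = urlsplit(raw)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"scope must be an https URI: {raw!r}")
    resource, _, permission = raw.rpartition("/")
    if not permission or not resource.startswith("https://"):
        raise ValueError(f"scope has no permission segment: {raw!r}")
    return resource, permission


def parse_scope_list(text):
    """Parse the newline-separated content of the "Others (one per line)" box."""
    return [s for s in (parse_scope(line) for line in text.splitlines()) if s is not None]


def review_scopes(text):
    """Group the requested scopes by resource and summarise what to review.

    The Microsoft identity platform issues an access token for exactly one
    resource (its "aud" claim), so the v2.0 token endpoint rejects a request
    that mixes resources; "single_resource" reports whether the list would be
    accepted as one request. "needs_review" lists permissions beyond read.
    """
    by_resource = {}
    for resource, permission in parse_scope_list(text):
        by_resource.setdefault(resource, []).append(permission)
    needs_review = sorted(
        f"{resource}/{permission}"
        for resource, permissions in by_resource.items()
        for permission in permissions
        if any(marker in permission.lower() for marker in REVIEW_MARKERS)
    )
    return {
        "resources": sorted(by_resource),
        "permissions": by_resource,
        "needs_review": needs_review,
        "single_resource": len(by_resource) <= 1,
    }


# Constructed sample input, as a user might type it into the "Others" box.
SAMPLE_INPUT = """\
https://outlook.office.com/mail.read
Sites.Read.All
Sites.ReadWrite.All

https://database.windows.net/user_impersonation
"""

if __name__ == "__main__":
    report = review_scopes(SAMPLE_INPUT)
    for resource in report["resources"]:
        print(resource, "->", ", ".join(report["permissions"][resource]))
    print("needs review:", report["needs_review"])
    print("single token request possible:", report["single_resource"])
```

Run against the constructed input, the report shows three different resources, so the list could not be satisfied by a single token, and it singles out Sites.ReadWrite.All and user_impersonation as the permissions that grant more than read access.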

Username/password authentication

Username
Provide the username of your Microsoft identity (typically an email address).
Password
Provide the password of your Microsoft identity. Warning: The password will be stored in weakly encrypted form as part of the node settings in the workflow.
Credentials flow variable
Allows to choose a credentials flow variable that provides the username and password to login with.
Request access to
Allows to define which permissions (OAuth2 scopes) for Azure/Office 365 cloud services should be requested for the token during login. See Interactive Authentication above for more information.

Client/Application secret authentication

Before using this mode, (1) an Azure AD application has to be registered, (2) an application secret has to be created, and (3) an admin has to grant the application service principal the required application permissions (not delegated permissions) in the Azure AD tenant. In this mode, Azure/Office 365 cloud services are accessed with the application identity and not on behalf of a user. See here for more information.

Tenant ID/Domain
The directory tenant the application plans to operate against, in ID or domain-name format, for example cf47ff49-7da6-4603-b339-f4475176432b, or mycompany.onmicrosoft.com.
Client/Application ID
The application ID that's assigned to your app. You can find this information in the portal where you registered your app.
Secret
The client secret that you generated for your app in the app registration portal.
Credentials flow variable
If credentials flow variables are available, then this option allows to choose such a flow variable to provide the Client/Application ID and Secret to login with.
Request access to

Allows to define which permissions/scopes should be requested during login.

Technical note: Selecting an option here will request application permissions (not delegated) so that the Azure AD application can perform API calls under its own identity, and not on behalf of a user. The application permissions must be granted beforehand to the application service principal by an admin.

Each option corresponds to one resource:

  • SharePoint Online: Requests the https://graph.microsoft.com/.default scope. If the application and service principal are set up correctly, this provides access to reading/writing files and lists in SharePoint Online.
  • Azure SQL Database: Requests the https://database.windows.net/.default scope. If the application/service principal are set up accordingly, this provides access to Azure SQL databases.
  • Power BI: Requests the https://analysis.windows.net/powerbi/api/.default scope. If the application/service principal are set up accordingly, this provides access to Power BI. Note that the default workspace, usually called “My Workspace”, does not support application permissions.
  • Other: Resource identifier (application ID URI) of the resource you want to access. Example of a resource identifier: https://graph.microsoft.com/.default
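The difference between the delegated permissions requested by the Interactive and Username/password modes and the application permissions requested here is visible in the access token itself. The following Python script is an added example (not code from the node or from KNIME) that decodes a token's claims and classifies it as delegated (scopes in the scp claim, acting for a user) or app-only (permissions in the roles claim, acting as the application), and checks audience and expiry. It does not verify the signature, so it is for inspecting a token you already hold, not for accepting one. The sample tokens are constructed and unsigned; the tenant id and the second application id are placeholders, the first is the KNIME Analytics Platform application id from this page, and the audience is assumed to be in its URI form.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims):
    """Build a constructed, UNSIGNED JWT so the example runs offline.

    Real access tokens from login.microsoftonline.com are RS256-signed; this
    helper produces an "alg: none" token with an empty signature purely as
    test input for decode_claims().
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token):
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Suitable for inspecting what a token you already hold grants; a service
    that accepts tokens must verify the signature against the tenant's
    published signing keys before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(token, expected_audience, now=None):
    """Classify an Azure AD access token and check audience and expiry.

    Delegated tokens (authorization code and ROPC flows) list the granted
    scopes in the space-separated "scp" claim and act on behalf of a user.
    App-only tokens (client credentials flow) list application permissions
    in the "roles" claim and carry no user identity. "aud" names the one
    resource the token is valid for; "exp" is its expiry as a UNIX time.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if "scp" in claims:
        kind, permissions = "delegated", claims["scp"].split()
    elif "roles" in claims:
        kind, permissions = "app-only", list(claims["roles"])
    else:
        kind, permissions = "unknown", []
    return {
        "kind": kind,
        "permissions": permissions,
        "tenant": claims.get("tid"),
        "client_app": claims.get("appid"),
        "audience_ok": claims.get("aud") == expected_audience,
        "expired": claims.get("exp", 0) <= now,
    }


# Constructed sample claims (not real tokens). The tenant id and the second
# app id are placeholders; the first app id is the KNIME Analytics Platform
# registration named on the page. The audience is written in its URI form.
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "cf47ff49-7da6-4603-b339-f4475176432b",
    "scp": "Sites.Read.All User.Read",
    "exp": 1_700_000_000 + 3600,
}
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "roles": ["Sites.ReadWrite.All"],
    "exp": 1_700_000_000 + 3600,
}

if __name__ == "__main__":
    for claims in (DELEGATED_CLAIMS, APP_ONLY_CLAIMS):
        token = make_unsigned_token(claims)
        print(describe_token(token, "https://graph.microsoft.com", now=1_700_000_000))
```

When troubleshooting a failed SharePoint or Azure SQL call, the two things to check first are the kind (an app-only token will not be accepted where a user context is required, such as the Power BI "My Workspace" noted above) and the audience (a token minted for Graph is not valid against https://database.windows.net).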

Shared key authentication (Azure Storage only)

Account
Azure Storage account name.
Secret Key
The secret key. Warning: The secret key will be stored in weakly encrypted form as part of the node settings in the workflow.
Credentials flow variable
Allows to choose a credentials flow variable that provides the account and the secret key (as the username and password respectively) to login with.

Shared access signature (SAS) authentication (Azure Storage only)

Service SAS URL
URL that provides shared access signature (SAS) access to Azure Blob Storage or Azure Data Lake Storage Gen2. Warning: The secret key will be stored in weakly encrypted form as part of the node settings in the workflow.

Example URL: https://myaccount.blob.core.windows.net/?sv=2019-02-02&st=...

Credentials flow variable
Allows to choose a credentials flow variable that provides the storage service SAS URL as the password field.
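Because the SAS URL is itself the credential, it pays to inspect one before pasting it into this option or a credentials flow variable. The following Python script is an added example (not code from the node or from KNIME) that parses the query parameters of a storage SAS URL, reports its permissions, expiry and IP restriction, and produces a copy with the signature redacted that is safe to log. The sample URL is constructed with a placeholder signature, and the seven-day lifetime limit is this example's own policy, not anything the node enforces.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Meaning of the permission letters in the SAS "sp" parameter (subset).
PERMISSION_NAMES = {
    "r": "read", "a": "add", "c": "create", "w": "write",
    "d": "delete", "l": "list", "u": "update", "p": "process",
}
MUTATING = {"a", "c", "w", "d", "u"}


def _parse_sas_time(value):
    """SAS times are UTC ISO 8601, either a full timestamp or a bare date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time {value!r}")


def parse_sas_url(url):
    """Return (split URL, query parameters) for a storage SAS URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("SAS URLs must use https: the signed token travels in the query string")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    for required in ("sv", "sig"):
        if required not in params:
            raise ValueError(f"missing required SAS parameter {required!r}")
    return parts, params


def redact_sas_url(url):
    """Replace the signature so the URL can be logged or shown in a UI."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "sig" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe=":")))


def review_sas_url(url, now=None, max_lifetime=timedelta(days=7)):
    """Check a SAS URL before storing it in node settings.

    `now` may be a datetime or a SAS-style UTC timestamp string and defaults
    to the current time. `max_lifetime` is this example's own policy limit.
    """
    parts, params = parse_sas_url(url)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_sas_time(now)
    findings = []
    expiry = _parse_sas_time(params["se"]) if "se" in params else None
    expired = expiry is not None and expiry <= now
    if expiry is None:
        findings.append("no 'se' parameter: expiry is not fixed in the URL")
    elif expired:
        findings.append(f"expired at {params['se']}")
    elif expiry - now > max_lifetime:
        findings.append(f"valid for more than {max_lifetime.days} days after now")
    permissions = params.get("sp", "")
    mutating = sorted(p for p in permissions if p in MUTATING)
    if mutating:
        names = ", ".join(PERMISSION_NAMES[p] for p in mutating)
        findings.append(f"grants mutating permissions: {names}")
    if "sip" not in params:
        findings.append("no 'sip' parameter: not restricted to a source IP range")
    return {
        "endpoint": parts.netloc,
        "permissions": [PERMISSION_NAMES.get(p, f"unknown({p})") for p in permissions],
        "mutating": mutating,
        "expired": expired,
        "findings": findings,
        "safe_to_log": redact_sas_url(url),
    }


# Constructed sample: account-level SAS with read/write/delete/list on the
# blob service; the signature is a placeholder, not a real HMAC.
SAMPLE_SAS_URL = (
    "https://myaccount.blob.core.windows.net/"
    "?sv=2019-02-02&ss=b&srt=sco&sp=rwdl"
    "&st=2024-01-01T00:00:00Z&se=2024-12-31T23:59:59Z"
    "&spr=https&sig=CONSTRUCTED_SIGNATURE_NOT_REAL"
)

if __name__ == "__main__":
    report = review_sas_url(SAMPLE_SAS_URL, now="2024-06-01T00:00:00Z")
    print(report["safe_to_log"])
    for finding in report["findings"]:
        print("-", finding)
```

For the constructed URL the review reports write and delete permissions, a validity of roughly half a year and no source IP restriction, which is exactly the combination where a leaked copy of the node settings matters most; a read/list SAS scoped to one container with a short expiry would produce an empty findings list apart from the missing IP range.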

Advanced

OAuth 2.0 authorization endpoint
When using OAuth2-based authentication (Interactive or Username/password), these options can be used to set an OAuth 2.0 authorization endpoint:
  • Default: Use a global default endpoint.
  • Custom: Use a custom endpoint. This can be used, for example, to specify an endpoint that is specific to an Azure AD tenant.
Application ID
When using OAuth2-based authentication (Interactive or Username/password), these options can be used to set an Application ID (client ID):
  • Default: Use KNIME's default Application ID cf47ff49-7da6-4603-b339-f4475176432b.
  • Custom: Use a custom Application ID and redirect URL. The redirect URL is used only with Interactive authentication.

Input Ports

A file system connection to read/write the token, when using File as token storage.

Output Ports

A Microsoft Office 365 credential that uses the logged in Microsoft identity.

Views

This node has no views