diff --git a/metadata-ingestion/source_docs/azure-ad.md b/metadata-ingestion/source_docs/azure-ad.md
index 5a8287ce8d..19ca49da35 100644
--- a/metadata-ingestion/source_docs/azure-ad.md
+++ b/metadata-ingestion/source_docs/azure-ad.md
@@ -78,6 +78,10 @@ to read your organization's Users and Groups. The following permissions are requ
 - `GroupMember.Read.All`
 - `User.Read.All`
+You can add a permission by navigating to the permissions tab in your DataHub application on the Azure AD portal. ![Azure AD API Permissions](./images/azure_ad_api_permissions.png)
+
+You can view the necessary endpoints to configure by clicking on the Endpoints button in the Overview tab. ![Azure AD Endpoints](./images/azure_ad_endpoints.png)
+
 You can use the following recipe to get started with Azure ingestion! See [below](#config-details) for full configuration options.
 ```yml
@@ -88,9 +92,10 @@ source:
 client_id: "00000000-0000-0000-0000-000000000000"
 tenant_id: "00000000-0000-0000-0000-000000000000"
 client_secret: "xxxxx"
- redirect: "https://login.microsoftonline.com/common/oauth2/nativeclient"
 authority: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
 token_url: "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/token"
+ # All of the below parameters are optional.
+ redirect: "https://login.microsoftonline.com/common/oauth2/nativeclient"
 graph_url: "https://graph.microsoft.com/v1.0"
 ingest_users: True
 ingest_groups: True
@@ -116,11 +121,11 @@ Note that a `.` is used to denote nested fields in the YAML configuration block.
 |----------------------------------------|-----------------|----------|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `client_id` | string | ✅ | | Application ID. Found in your app registration on Azure AD Portal |
 | `tenant_id` | string | ✅ | | Directory ID. Found in your app registration on Azure AD Portal |
-| `client_secret` | string | ✅ | | Client secret. Found in your app registration on Azure AD Portal |
-| `redirect` | string | ✅ | | Redirect URI. Found in your app registration on Azure AD Portal |
+| `client_secret` | string | ✅ | | Client secret. Found in your app registration on Azure AD Portal |
 | `authority` | string | ✅ | | The [authority](https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-application-configuration) is a URL that indicates a directory that MSAL can request tokens from. |
 | `token_url` | string | ✅ | | The token URL that acquires a token from Azure AD for authorizing requests. This source will only work with v1.0 endpoint. |
-| `graph_url` | string | ✅ | | [Microsoft Graph API endpoint](https://docs.microsoft.com/en-us/graph/use-the-api) |
+| `redirect` | string | | | Redirect URI. Found in your app registration on Azure AD Portal. Defaults to https://login.microsoftonline.com/common/oauth2/nativeclient. |
+| `graph_url` | string | | | [Microsoft Graph API endpoint](https://docs.microsoft.com/en-us/graph/use-the-api). Defaults to https://graph.microsoft.com/v1.0. |
 | `ingest_users` | bool | | `True` | Whether users should be ingested into DataHub. |
 | `ingest_groups` | bool | | `True` | Whether groups should be ingested into DataHub. |
 | `ingest_group_membership` | bool | | `True` | Whether group membership should be ingested into DataHub. ingest_groups must be True if this is True. |
diff --git a/metadata-ingestion/source_docs/images/azure_ad_api_permissions.png b/metadata-ingestion/source_docs/images/azure_ad_api_permissions.png
new file mode 100644
index 0000000000..f67bd0a0c2
Binary files /dev/null and b/metadata-ingestion/source_docs/images/azure_ad_api_permissions.png differ
diff --git a/metadata-ingestion/source_docs/images/azure_ad_endpoints.png b/metadata-ingestion/source_docs/images/azure_ad_endpoints.png
new file mode 100644
index 0000000000..5ec19c4896
Binary files /dev/null and b/metadata-ingestion/source_docs/images/azure_ad_endpoints.png differ
diff --git a/metadata-ingestion/src/datahub/ingestion/source/identity/azure_ad.py b/metadata-ingestion/src/datahub/ingestion/source/identity/azure_ad.py
index 25ea6be637..bb5c6718b1 100644
--- a/metadata-ingestion/src/datahub/ingestion/source/identity/azure_ad.py
+++ b/metadata-ingestion/src/datahub/ingestion/source/identity/azure_ad.py
@@ -36,10 +36,12 @@ class AzureADConfig(ConfigModel):
 client_id: str
 tenant_id: str
 client_secret: str
- redirect: str
 authority: str
 token_url: str
- graph_url: str
+
+ # Optional: URLs for redirect and hitting the Graph API
+ redirect: str = "https://login.microsoftonline.com/common/oauth2/nativeclient"
+ graph_url: str = "https://graph.microsoft.com/v1.0"
 # Optional: Customize the mapping to DataHub Username from an attribute in the REST API response
 # Reference: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#response-1
@@ -228,7 +230,9 @@ class AzureADSource(Source):
 )
 else:
 # Unless told otherwise, we only care about users and groups. Silently skip other object types.
- pass
+ logger.warning(
+ f"Unsupported @odata.type '{odata_type}' found in Azure group member. Skipping...."
+ )
 def _add_user_to_group_membership(
 self,
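Review bot: The new `graph_url` default targets the global Microsoft Graph endpoint while `authority` and `token_url` remain required and tenant-specific, so a tenant whose `token_url` points at a non-global Azure cloud would silently keep a `graph_url` that does not match it. The new comment should state that assumption explicitly, e.g. `# Optional: defaults target the global Azure AD / Microsoft Graph endpoints; tenants in other Azure clouds must override graph_url (and redirect) to match token_url.` Whether the source validates that `token_url` and `graph_url` belong to the same cloud is not visible from this hunk, so a validator or at least a docs note would help operators catch the mismatch before ingestion fails. The AzureADConfig class body continues past the hunk.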
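Review bot: The context comment directly above the new `logger.warning` still says other object types are skipped `Silently`, which the new code contradicts; change it to `# Unless told otherwise, we only care about users and groups. Warn and skip other object types.` The warning also fires once per unsupported member, so a group whose members are largely of another object type could emit one WARNING line per member; consider counting unsupported `@odata.type` values and reporting each once, or using `logger.debug` for the per-member case. Prefer lazy logging arguments over the f-string, `logger.warning("Unsupported @odata.type '%s' found in Azure group member. Skipping...", odata_type)`, which also fixes the four-dot ellipsis. The enclosing method begins before this hunk.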