Cognite Data Fusion: Enabling CDF OData apis for Microsoft Sustainability Manager

Related products: API and SDKs

Microsoft Sustainability Manager (MSM) is a service which answers organizations' needs of building the insights they need to manage their environmental footprint, embed sustainability through their organization and value chain, and create new value in a changing landscape. Building insights in the tool with CDF as the source will give an added advantage to Cognite's customers in accelerating sustainability progress and business growth by bringing together a set of environmental, social, and governance (ESG) capabilities.

The connectors available in MSM are limited, and the one which can be used for connecting to CDF resources is our OData APIs. However, OData calls, for now, only support authenticating with an organizational account.

On a sign-in event for a CDF project with an organizational account, an app called App Service (a Microsoft 1st party app) is trying to access a resource (Cognitedata API: westeurope-1) by specifying one of its identifiers as part of the sign-in request:

    login.microsoftonline.com/common/oauth2/authorize?client_id=*&response_type=code&redirect_uri=*&resource=https%3a%2f%2fwesteurope-1.cognitedata.com&prompt=select_account&state=*

When AAD handles this sign-in request, however, it returns the following error message:

    AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: 7ab7862c-4c57-491e-8a45-d52a7e023983(App Service). Resource value from request: https://westeurope-1.cognitedata.com. Resource app ID: 209cbd1f-df92-4fb1-8e30-054812586bc9. List of valid resources from app registration: .

The resource app (Cognitedata API: westeurope-1) has https://westeurope-1.cognitedata.com defined as one of its Identifier URIs. In these scenarios, when the App Registration is created, we would also need to add "App Service" as a pre-authorized application on your resource (Cognitedata API: westeurope-1), which can be done by navigating to Azure AD >> App Registrations >> Cognitedata API >> Expose an API >> Add a Client Application >> 7ab7862c-4c57-491e-8a45-d52a7e023983 >> Add Application.
Once these steps are performed, Azure AD should be able to find the "missing" resource.
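As an added example (not code from the original post, and not Cognite's or Microsoft's code), the following Python models the check described above offline: it parses the authorize request, resolves the `resource` value to an app that exposes it as an Identifier URI, and then accepts the request only if the client declares that API in its own requested permissions or the API lists the client as a pre-authorized application. The registrations, the `build_sample_apps`, `check_resource` and `pre_authorize` helpers, and the decision rule itself are a constructed simplification that encodes what the post says; only the two app IDs and the resource URI come from the post, and the `*` values are the post's own redactions.

```python
"""Offline model of the resource check behind AADSTS650057 (added example,
not Cognite's or Microsoft's code; the decision rule is a simplification
of what the post describes, and all registrations are constructed)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


@dataclass
class AppRegistration:
    app_id: str
    display_name: str
    identifier_uris: list = field(default_factory=list)         # "Expose an API" URIs
    required_resource_access: set = field(default_factory=set)  # resource app IDs the client declares
    pre_authorized_clients: set = field(default_factory=set)    # client app IDs allowed on this API


CLIENT_APP_ID = "7ab7862c-4c57-491e-8a45-d52a7e023983"    # "App Service", from the post
RESOURCE_APP_ID = "209cbd1f-df92-4fb1-8e30-054812586bc9"  # Cognitedata API: westeurope-1, from the post
RESOURCE_URI = "https://westeurope-1.cognitedata.com"

# Constructed sign-in request; '*' stands for the values the post redacted.
SIGN_IN_URL = ("https://login.microsoftonline.com/common/oauth2/authorize"
               "?client_id=" + CLIENT_APP_ID +
               "&response_type=code&redirect_uri=*"
               "&resource=https%3a%2f%2fwesteurope-1.cognitedata.com"
               "&prompt=select_account&state=*")


def build_sample_apps() -> dict:
    """Constructed registrations mirroring the situation in the post:
    the client declares nothing, and the API has not pre-authorized it."""
    app_service = AppRegistration(CLIENT_APP_ID, "App Service")
    cognite_api = AppRegistration(RESOURCE_APP_ID, "Cognitedata API: westeurope-1",
                                  identifier_uris=[RESOURCE_URI])
    return {a.app_id: a for a in (app_service, cognite_api)}


def parse_sign_in_request(url: str) -> dict:
    """Return the single-valued query parameters of an authorize request
    (parse_qs percent-decodes the resource URI for us)."""
    qs = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in qs.items()}


def check_resource(request: dict, apps: dict) -> tuple:
    """Decide whether the requested resource is valid for the calling client.
    Returns (ok, message); the failure message follows the shape of AADSTS650057."""
    client = apps.get(request.get("client_id", ""))
    if client is None:
        return False, "unknown client application"
    resource = request.get("resource", "")
    target = next((a for a in apps.values() if resource in a.identifier_uris), None)
    if target is None:
        return False, f"no application exposes identifier URI {resource!r}"
    # Either the client declared the API among its requested permissions ...
    if target.app_id in client.required_resource_access:
        return True, "resource is listed in the client's requested permissions"
    # ... or the API pre-authorized this client (Expose an API > Add a client application).
    if client.app_id in target.pre_authorized_clients:
        return True, "client is pre-authorized on the resource application"
    valid = ", ".join(sorted(client.required_resource_access)) or "."
    return False, (f"AADSTS650057-style rejection: resource {resource} (app ID {target.app_id}) "
                   f"is not listed in the requested permissions of client {client.app_id} "
                   f"({client.display_name}). List of valid resources: {valid}")


def pre_authorize(api: AppRegistration, client_app_id: str) -> None:
    """The fix from the post, as a change to the resource app's registration."""
    api.pre_authorized_clients.add(client_app_id)


def demo() -> tuple:
    """Run the check before and after pre-authorizing App Service; returns (before, after)."""
    apps = build_sample_apps()
    request = parse_sign_in_request(SIGN_IN_URL)
    before, msg = check_resource(request, apps)
    print(msg)
    pre_authorize(apps[RESOURCE_APP_ID], CLIENT_APP_ID)
    after, msg = check_resource(request, apps)
    print(msg)
    return before, after


if __name__ == "__main__":
    demo()
```

The model makes the trade-off in the reply below explicit: `pre_authorize` changes the resource application's registration, so it applies to every tenant that signs in against that API, whereas a client-side declaration (`required_resource_access`) is scoped to the one client.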

I’m surprised dynamic consent (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#incremental-and-dynamic-user-consent) is not an option?
This is what many applications use when applied to different, unknown at registration, APIs (including fusion.cognite.com).

Specifying a known client application in the registration for a Cognitedata API (in its registration) would need to be assessed carefully, as it impacts all customers using that application in Azure.
