Azure App Registration
Using Azure-connected data sources in AnaplanXL web previously required a multi-tenant application that relied on the xlcubed.com domain.
As this is being deprecated, customers are encouraged to create their own App registration in their Azure tenant and configure their AnaplanXL web instances to use it. This document explains how to do that.
You need an Azure admin with permission to create an App registration to do this.
App registration
- Go to the App registrations screen and click "New registration"
- Configure basic settings
- Give the App a name that will be meaningful to your users
- Add a Web Redirect URI to your instance(s) of AnaplanXLWeb
- This is the URI of your web server followed by /SSOToken.html
- I am using a test instance on my local machine that I can reach at http://localhost/xlcubedweb, so I use http://localhost/xlcubedweb/SSOToken.html.
- Authentication
- Click Manage -> Authentication
- Check the box for ID tokens and press Save
- Client secret
- Click Manage -> Certificates & secrets
- Click New client secret
- Give the secret a name and choose the expiry
- If the secret expires you must create a new secret and update the web configuration to use it. (This is covered later)
- Copy the secret as you will need it later
- Permissions
- Click Manage -> API permissions
- Microsoft Graph is automatically configured for you and should be left as-is.
- Click Add a permission
- You can now pick the permissions you require based on the data source you want to connect to. If you select "APIs my organization uses" you can get a searchable list.
- When picking a permission you must choose from the Delegated permissions. These allow data access as the signed-in user so that their permissions are correctly applied. Granting the App registration a permission means it can access the data on behalf of the user; it will not grant them additional permissions to data they cannot normally access.
- Commonly used permissions are:
- Azure Analysis Services – Model.ReadWrite.All
- Allows users to connect to Azure SSAS and query the data in the cubes
- Power BI – Dataset.Read.All and Workspace.Read.All
- Allows users to view workspaces and data sets, and to run queries against them.
- Azure SQL Database – user_impersonation
- Allows users access to Azure SQL databases.
Once you have selected the API permissions you want, the App registration is complete.
Configure AnaplanXL Web
For this you will need:
- Application (client) ID
- The Redirect URI you added in the App registration
- The Client secret you copied from the App registration
- The Tenant ID of the Azure tenant
- You can get the Client ID from the App registration Overview page
- You can get the Tenant ID from the Tenant properties page
- Open the web.config file on your AnaplanXL web server and add the following three keys to the appSettings region.
<add key="AzureClientID" value="{your client id}" />
<add key="AzureClientSecret" value="{your client secret}" />
<add key="AzureRedirectUrl" value="{your client redirect}" />
<add key="AzureAuthorityAudience" value="{your tenant id}" />
Now when a user tries to access data through AnaplanXL web they will be prompted to authenticate using SSO with your App registration, and that will then be used to delegate permissions to the data source.
When a user first tries to access an Azure resource they will see a consent screen where they allow the data to be accessed on their behalf. Administrators can preauthorise an application so that users do not see a consent screen. See https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps#consent
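A check you can run against web.config before restarting the site, to catch the usual mistakes in the Azure appSettings keys described above. This is an added example, not AnaplanXL code; the function name, the sample values and the assumption that both IDs are pasted in GUID form are mine.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUIRED = ("AzureClientID", "AzureClientSecret",
            "AzureRedirectUrl", "AzureAuthorityAudience")
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def check_app_settings(web_config_xml):
    """Return a list of problems with the four Azure keys in a web.config."""
    root = ET.fromstring(web_config_xml)
    settings = {a.get("key"): a.get("value") or ""
                for a in root.findall("./appSettings/add")}
    problems, ok = [], {}
    for key in REQUIRED:
        value = settings.get(key)
        if value is None:
            problems.append(f"{key}: missing")
        elif not value.strip() or "{" in value:
            problems.append(f"{key}: empty or placeholder left in")
        elif value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace")
        else:
            ok[key] = value
    # Assumption: both IDs are pasted in the GUID form the portal displays.
    for key in ("AzureClientID", "AzureAuthorityAudience"):
        if key in ok and not GUID.match(ok[key]):
            problems.append(f"{key}: not a GUID")
    if "AzureRedirectUrl" in ok:
        url = urlparse(ok["AzureRedirectUrl"])
        if not url.path.endswith("/SSOToken.html"):
            problems.append("AzureRedirectUrl: must end with /SSOToken.html")
        # Entra ID accepts plain http redirect URIs only for localhost.
        if url.scheme != "https" and url.hostname not in ("localhost", "127.0.0.1"):
            problems.append("AzureRedirectUrl: https required off localhost")
    return problems

# Constructed sample: secret still a placeholder, redirect misses the page name.
SAMPLE = """<configuration><appSettings>
  <add key="AzureClientID" value="11111111-2222-3333-4444-555555555555" />
  <add key="AzureClientSecret" value="{your client secret }" />
  <add key="AzureRedirectUrl" value="http://reports.example.com/xlcubedweb/" />
  <add key="AzureAuthorityAudience" value="contoso" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for problem in check_app_settings(SAMPLE):
        print(problem)
```

The redirect value must also match the Redirect URI registered on the App registration exactly, which this check cannot see.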