Configure Azure AD for OAuth and Modern Authentication

Starting in Tableau 2021.1, the Azure Synapse, Azure SQL Database, Azure Databricks, and Azure Data Lake Gen2 connectors support authentication through Azure AD by configuring an OAuth client for Tableau Server.

Note: OAuth support for Azure AD is only supported with Microsoft SQLServer driver 17.3(Link opens in a new window) and later.

Step 1. Register OAuth application for Azure

See the Tableau Community post, Azure Application Registration for On-Prem Server OAuth(Link opens in a new window).

Step 2: Configure Tableau Server

Configuring Tableau Server requires running a TSM command. Azure Data Lake requires a different set of commands than the common command that is run for Azure Synapse, Azure SQL Database, or Azure Databricks.

Configure for Azure Data Lake

To configure Tableau Server for Data Lake, you must have the following configuration parameters:

  • Azure OAuth client ID: this is generated from the procedure in Step 1. Copy this value for [your_client_id] in the first tsm command below.
  • Azure OAuthClient secret: this is generated from the procedure in Step 1. Copy this value for [your_client_secret] in the second tsm command below.
  • The Tableau Server url, such as https://myserver.com. Copy this value for [your_server_url] in the thrid tsm command below.

Run the following tsm commands to configure Tableau Server OAuth for Azure Data Lake:

  • tsm configuration set -k oauth.azuredatalake_storage_gen2.client_id -v [your_client_id] --force-keys
  • tsm configuration set -k oauth.azuredatalake_storage_gen2.client_secret -v [your_client_secret] --force-keys
  • tsm configuration set -k oauth.azuredatalake_storage_gen2.redirect_uri -v http://[your_server_url]/auth/add_oauth_token --force-keys
  • tsm pending-changes apply
  • If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Configure for Azure Synapse, Azure SQL Database, or Azure Databricks.

To configure Tableau Server, you must have the following configuration parameters:

  • Azure OAuth client ID: this is generated from the procedure in Step 1. Copy this value for [your_client_id] in the tsm command that follows.
  • Azure OAuthClient secret: this is generated from the procedure in Step 1. Copy this value for [your_client_secret] in the tsm command that follows.
  • The Tableau Server url, such as https://myserver.com. Copy this value for [your_server_url] in the tsm command that follows.
  • Configuration ID: this is the value for the oauth.config.id parameter in the tsm command that follows. Valid values:
    • Azure Synapse: azure_sql_dw
    • Azure SQL Database: azure_sqldb
    • Azure Databricks: databricks

Run the following tsm commands to configure Azure AD for Azure Synapse, Azure SQL Database, or Azure Databricks:

  • tsm configuration set -k oauth.config.clients -v "[{\"oauth.config.id\":\"azure_sql_dw\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}]" --force-keys
  • tsm pending-changes apply

Setting multiple connectors

If you have multiple connectors to set, you must include all of them in a single command:

  • tsm configuration set -k oauth.config.clients -v "[{\"oauth.config.id\":\"azure_sql_dw\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"azure_sqldb\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}, {\"oauth.config.id\":\"databricks\", \"oauth.config.client_id\":\"[your_client_id]\", \"oauth.config.client_secret\":\"[your_client_secret]\", \"oauth.config.redirect_uri\":\"[your_server_url]/auth/add_oauth_token\"}]" --force-keys
  • tsm pending-changes apply
Thanks for your feedback!