TVL Managed Superset

Microsoft Entra ID / Azure AD SSO on Superset 2026

Configure Microsoft Entra ID (Azure AD) SSO on Apache Superset: OIDC, app registration, claims, groups.

Configuring Microsoft Entra ID (formerly Azure AD) SSO on Apache Superset has become standard for Microsoft organizations. Whether via OIDC or SAML, the integration is solid. This guide details the OIDC configuration in 2026.

1. Prerequisites

  • A Microsoft Entra ID tenant;
  • Application Administrator rights to create an app registration;
  • An accessible Superset instance.

If you want preconfigured Entra integration, TVL Managed Superset offers a wizard on Pro+ instances.

2. Create an App Registration

  1. Entra Admin Center → App registrations → New registration;
  2. Name: Apache Superset;
  3. Supported account types: Single tenant (or multi-tenant for SaaS);
  4. Redirect URI: Web → https://superset.example.com/oauth-authorized/azure;
  5. Register.

3. Retrieve parameters

  • Application (client) ID: on the Overview page;
  • Directory (tenant) ID: on the Overview page;
  • Client secret: Certificates & secrets → New client secret.

4. Configure claims

  1. App registration → Token configuration;
  2. Add optional claim → ID token: email, groups, family_name, given_name;
  3. Add groups claim: Security groups + Group ID.

5. Superset configuration

import os

from flask_appbuilder.security.manager import AUTH_OAUTH

AUTH_TYPE = AUTH_OAUTH

OAUTH_PROVIDERS = [
    {
        # Must match the last path segment of the redirect URI (/oauth-authorized/azure)
        "name": "azure",
        "icon": "fa-windows",
        "token_key": "access_token",
        "remote_app": {
            # App registration values from step 3, read from the environment
            "client_id": os.environ["AZURE_CLIENT_ID"],
            "client_secret": os.environ["AZURE_CLIENT_SECRET"],
            "server_metadata_url": f"https://login.microsoftonline.com/{os.environ['AZURE_TENANT_ID']}/v2.0/.well-known/openid-configuration",
            "client_kwargs": {"scope": "openid email profile"},
        },
    }
]

# Create a Superset account on first SSO login, with the Gamma role
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Gamma"

This configuration is applied by default on TVL Managed Superset, which follows community best practices.

6. Role mapping from Entra groups

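# Keys: Entra group Object IDs (placeholders shown); values: Superset roles
AUTH_ROLES_MAPPING = {
    "12345678-aaaa-bbbb-cccc-superset-admins": ["Admin"],
    "abcdefgh-1111-2222-3333-superset-power":  ["Alpha"],
    "ffffffff-9999-8888-7777-superset-users":  ["Gamma"],
}
# Recompute the user's roles from the mapping at every login
AUTH_ROLES_SYNC_AT_LOGIN = True

The dictionary keys are the Object IDs of the Entra groups (UUIDs); the values are the Superset roles to grant. The Object IDs can be found in Entra → Groups → Object Id.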
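The mapping above only works if the groups claim from step 4 is actually present in the ID token. The following is an added example, not code from Superset or from this guide: it resolves roles from already validated ID token claims using a mapping shaped like AUTH_ROLES_MAPPING, and falls back to the default role when the claim is missing or replaced by Entra's group overage marker. The function names, the constructed GUIDs and the way the result is handed to Superset are assumptions.

```python
# Added example: resolve Superset roles from the `groups` claim of an
# already validated Entra ID token. Names and GUIDs are constructed.

# Same shape as AUTH_ROLES_MAPPING: group Object ID -> Superset roles.
ROLES_MAPPING = {
    "11111111-1111-4111-8111-111111111111": ["Admin"],
    "22222222-2222-4222-8222-222222222222": ["Alpha"],
    "33333333-3333-4333-8333-333333333333": ["Gamma"],
}
DEFAULT_ROLE = "Gamma"  # mirrors AUTH_USER_REGISTRATION_ROLE


class GroupsClaimUnavailable(Exception):
    """The token carries no usable list of group Object IDs."""


def groups_from_claims(claims):
    """Return lower-cased group Object IDs, or raise if the claim is unusable."""
    groups = claims.get("groups")
    if isinstance(groups, list):
        return [g.lower() for g in groups if isinstance(g, str)]
    # Overage: when memberships do not fit in the token, Entra drops `groups`
    # and emits `_claim_names` (or `hasgroups`) pointing to Microsoft Graph.
    names = claims.get("_claim_names") or {}
    if "groups" in names or claims.get("hasgroups"):
        raise GroupsClaimUnavailable("group overage: memberships not in token")
    raise GroupsClaimUnavailable("no groups claim: check Token configuration")


def roles_for(claims, mapping=ROLES_MAPPING, default_role=DEFAULT_ROLE):
    """Return (roles, warning). Unknown or missing groups yield the default role only."""
    try:
        groups = groups_from_claims(claims)
    except GroupsClaimUnavailable as exc:
        return [default_role], str(exc)
    lookup = {gid.lower(): roles for gid, roles in mapping.items()}
    roles = sorted({role for g in groups for role in lookup.get(g, [])})
    return (roles or [default_role]), None


if __name__ == "__main__":
    samples = {  # constructed claim sets, not real tokens
        "admin": {"groups": ["11111111-1111-4111-8111-111111111111"]},
        "overage": {"_claim_names": {"groups": "src1"}},
        "unconfigured": {"email": "user@example.com"},
    }
    for label, claims in samples.items():
        print(label, roles_for(claims))
```

Log the returned warning at login time: a user who silently lands on the default role is the usual symptom of the "Missing groups claim" pitfall listed below.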

7. Test

  1. Redeploy Superset;
  2. Go to /login;
  3. Click "Sign in with Azure";
  4. Microsoft authentication (with MFA if configured);
  5. First-time consent screen;
  6. Redirect to Superset.

8. Conditional Access

A major advantage of Entra: Conditional Access policies apply automatically to the Superset sign-in:

  • Mandatory MFA for Superset;
  • IP location restriction;
  • Device compliance required (Intune);
  • Strengthened authentication for sensitive roles.

9. Common pitfalls

  • Redirect URI mismatch;
  • Missing groups claim: if forgotten in Token configuration;
  • Admin consent permissions required for some scopes;
  • Multi-tenant SaaS: configure the "verified domains" and the consent flow;
  • Unused refresh token: Entra recommends secret rotation.

10. Conclusion

Microsoft Entra ID + Apache Superset is a robust combination for Microsoft organizations. Configuration takes 1-2h for a clean setup, with MFA and Conditional Access as a bonus. For hybrid enterprises (on-premise AD + Entra), Entra Connect synchronizes accounts automatically.

Want the benefits of Apache Superset without the friction of installation and maintenance? Deploy your instance in 3 clicks with TVL Managed Superset, hosted in Europe (OVHcloud, Roubaix, France).
