DataMapper: Global authentication by a non-DataMapper user

What is the purpose of this authentication?

Datamapper sometimes requires global access to data in your Microsoft tenant (e.g. via Microsoft Graph).

For security and compliance reasons, this access must be approved by a Global Admin.

The Global Admin does not need access to Datamapper.


Who is involved?

  • Datamapper user (Custom Owner)

    Initiates authentication in Datamapper

  • Global Admin (non-Datamapper user)

    Grants admin consent in Microsoft Entra ID


High-level flow

  1. Datamapper user starts authentication
  2. A Microsoft login URL is generated
  3. Global Admin updates the URL with tenant ID
  4. Global Admin completes authentication
  5. Datamapper shows authentication as completed

Step-by-step

1. Datamapper user starts authentication

  • Log in to Datamapper
  • Go to the relevant Global Connector
  • Click Authenticate
  • Copy the URL from the browser

2. Share the URL with the Global Admin

  • Send the URL securely (email, Teams, etc.)

3. Global Admin updates the URL

  • Locate this part of the URL:
    login.microsoftonline.com/common/
  • Replace common with your tenant ID

Example:

login.microsoftonline.com/<TENANT-ID>/adminconsent?...  

The same URL is also shown in the screenshot that appears after clicking the invitation link to DataMapper and logging in.

4. Global Admin completes authentication

  • Open the updated URL in a browser
  • Sign in as Global Admin
  • Review and approve the requested permissions

5. Authentication completed

  • Datamapper automatically registers the consent
  • The connector is now ready for use
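
The check below is an added example, not Datamapper or Microsoft code: a way for the Global Admin to perform step 3 programmatically, confirming that the forwarded link really points at login.microsoftonline.com before swapping common for the tenant ID. The function names, the sample URL and its query parameters (client_id, redirect_uri, state) and the tenant ID are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

EXPECTED_HOST = "login.microsoftonline.com"  # host named in step 3
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def pin_tenant(url: str, tenant_id: str) -> str:
    """Replace the 'common' path segment with tenant_id after validating the link."""
    if not GUID_RE.fullmatch(tenant_id):
        raise ValueError("tenant ID must be a GUID")
    parts = urlsplit(url.strip())
    # Exact netloc match: rejects look-alike hosts, userinfo tricks and odd ports.
    if parts.scheme != "https" or parts.netloc.lower() != EXPECTED_HOST:
        raise ValueError(f"not an https link to {EXPECTED_HOST}: {parts.netloc!r}")
    segments = parts.path.strip("/").split("/")
    if segments[0] != "common" or segments[-1] != "adminconsent":
        raise ValueError(f"unexpected path: {parts.path!r}")
    segments[0] = tenant_id
    # The query string is carried over untouched so the app's parameters stay intact.
    return urlunsplit(parts._replace(path="/" + "/".join(segments)))


def consent_summary(url: str) -> dict:
    """Values the Global Admin can compare with what the Datamapper user expects."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    redirect = query.get("redirect_uri", [""])[0]
    return {
        "tenant": parts.path.strip("/").split("/")[0],
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": urlsplit(redirect).hostname,
    }


# Constructed sample values, not taken from the page or from Datamapper.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/adminconsent"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&state=abc123"
)
SAMPLE_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

if __name__ == "__main__":
    pinned = pin_tenant(SAMPLE_URL, SAMPLE_TENANT)
    print(pinned)
    print(consent_summary(pinned))
```

A link that fails these checks should go back to the Datamapper user for confirmation rather than being opened.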

Does the Global Admin need Datamapper access?

No.

The Global Admin:

  • Only signs in to Microsoft
  • Does not access Datamapper
  • Does not share credentials

What permissions are granted?

Only the explicit permissions requested by Datamapper.

Access is:

  • Token-based
  • Limited to approved scopes
  • Aligned with enterprise security standards

Frequently asked questions


Why can’t the Datamapper user complete authentication themselves?

Because Microsoft requires certain permissions to be approved by a Global Admin.


Is this secure?

Yes. The flow supports:

  • Zero Trust principles
  • Separation of roles
  • Microsoft Entra ID best practices

What if the wrong tenant is used?

Ensure common is replaced with the correct tenant ID before authentication.
