Multifactor Authentication with ESP HDInsight Cluster
Published Nov 02 2021 12:10 AM

Enterprise Security Package (ESP) provides Active Directory integration for Azure HDInsight. This integration allows domain users to use their domain credentials to authenticate with HDInsight clusters and run big data jobs.

HDInsight ID Broker (HIB) provides single sign-on to Apache Ambari through Azure Active Directory, using modern OAuth authentication with multifactor authentication enforced. HDInsight ID Broker provides the authentication infrastructure that enables protocol transition from OAuth (modern) to Kerberos (legacy) without needing to sync password hashes to Azure AD DS. This infrastructure consists of components running on a Windows Server virtual machine (VM) with the HDInsight ID Broker node enabled, along with cluster gateway nodes.



Multi-factor authentication is a process where a user is prompted during sign-in for an additional form of identification, such as entering a code on their cellphone or providing a fingerprint scan.

Use the following table to determine the best authentication option based on your organization's needs.


Use case: The customer can choose the authentication option from the table above. This example focuses on how to enable multifactor authentication for HDInsight cloud users and how to access Ambari with MFA.

  • Enable Multifactor Authentication
  • Access Ambari with MFA

Prerequisites to run this lab:

  1. Set up Azure Active Directory.
    azure-docs/ at master · Microsof...
  2. Set up Active Directory Domain Services.
    azure-docs/ at master · Microsof...
  3. Create an ESP HDInsight cluster with HIB enabled, based on the authentication option chosen.
    Azure HDInsight ID Broker (HIB) | Microsoft Docs

Follow the steps below to enable MFA and access Ambari.

Step 1: From Azure Active Directory, go to Security -> Multi Factor Authentication -> Activate the Premium Feature.



Step 2: Click per-user MFA.



Step 3: The Multi Factor Authentication settings page will open.


Step 4:
From the Service Settings page, select the verification options.


Step 5:
From User Settings, select the user for whom you want to enable multifactor authentication.





Step 6:
Alternatively, a Conditional MFA policy can be created as per the business requirement.


Step 7:
When creating the ESP cluster (HIB), the user must be part of the group for users. Here hditest2 is part of the clusterusers group.



Step 8:
Log in to Ambari with the user ID enabled for multifactor authentication.




Step 9: Initially, it will ask you to set up the Authenticator.




Step 10: Once setup is done, provide the authentication code displayed in Microsoft Authenticator.


Step 11:
Ambari login is successful with MFA authentication.
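
A check to run after Step 6 and Step 7, as an added example that is not part of the original article: it reads Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape and lists the reasons a policy would not actually force MFA for the clusterusers group. The sample policies and the group GUID are constructed placeholders, and requiring "All" cloud apps is an assumption made because the article names no application ID.

```python
import json

# Constructed sample policies (Graph conditionalAccessPolicy shape).
# GROUP_ID is a placeholder GUID standing in for the 'clusterusers' group.
GROUP_ID = "00000000-0000-0000-0000-0000000000c1"
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA - clusterusers", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["00000000-0000-0000-0000-0000000000c1"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeGroups": ["00000000-0000-0000-0000-0000000000c1"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA or compliant device", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeGroups": ["00000000-0000-0000-0000-0000000000c1"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}
]""")

def mfa_gaps(policy, group_id):
    """Return the reasons this policy does not guarantee MFA for group members."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}: report-only or disabled")
    users = policy.get("conditions", {}).get("users", {})
    if "All" not in users.get("includeUsers", []) and group_id not in users.get("includeGroups", []):
        gaps.append("group is not in the policy's user scope")
    if group_id in users.get("excludeGroups", []):
        gaps.append("group is explicitly excluded")
    apps = policy.get("conditions", {}).get("applications", {})
    if "All" not in apps.get("includeApplications", []):
        gaps.append("policy does not cover all cloud apps (review its app scope)")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        gaps.append("mfa is not a grant control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        gaps.append("mfa is optional: another control can satisfy the OR")
    return gaps

def enforcing_policies(policies, group_id):
    """Names of policies that force MFA for the group with no gaps."""
    return [p["displayName"] for p in policies if not mfa_gaps(p, group_id)]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], "->", mfa_gaps(p, GROUP_ID) or "enforces MFA")
```

If `enforcing_policies` returns an empty list for the cluster's user group and per-user MFA is not enabled either, members of that group can reach Ambari without a second factor.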




Last update: Nov 02 2021 12:10 AM