Configure ArcGIS Pro to access a GeoCatalog

Learn how to configure ArcGIS Pro to access geospatial datasets from the Microsoft Planetary Computer Pro GeoCatalog by using OAuth 2.0-delegated authentication with Microsoft Entra ID.

This process requires that you:

• Register two applications in Microsoft Entra ID (a web API and a desktop client).
• Configure delegated permissions with the user_impersonation scope.
• Connect ArcGIS Pro to Azure Blob Storage and SpatioTemporal Asset Catalog (STAC)-compliant datasets in the Microsoft Planetary Computer Pro environment.

Learn how to securely browse and access data hosted in Microsoft Planetary Computer Pro directly in ArcGIS Pro by using Microsoft Entra ID user impersonation.

Prerequisites

• Access to a Microsoft Entra ID tenant
• Azure subscription with permissions to manage app registrations
• ArcGIS Pro installed on your machine

Tip

Before you begin, review background information in Register an application in Microsoft Entra ID.

Register a web API application for ArcGIS Pro

Public

1. Open the Azure portal and search for Entra. Select Microsoft Entra ID.

   

2. Go to App registrations > New registration.

   

3. Register the Web API app. Here are some name suggestions:

   • ArcGISPro-GeoCatalog-WebAPI
   • ArcGIS Pro

4. Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).

   

   

5. In your new app (named ArcGIS Pro in our example), go to Authentication > Add a platform > Web.

   

6. In Configure Web > Redirect URI, add <https://localhost>. Select Configure.

   

7. Return to Authentication > Add a platform, and then select Mobile and desktop applications.

   

8. In Configure Web > Redirect URI, add arcgis-pro://auth. Select Configure.

   

9. Under Implicit grant and hybrid flows, select the checkbox for ID tokens (used for implicit and hybrid flows). Select Save.

   

10. Select API Permissions on the left menu. Add and grant admin consent for:

    • Azure Storage > user_impersonation
    • Microsoft Graph > User.Read (default)

    

11. After you add permissions, select Grant admin consent for Default Directory.

    

12. On the left menu, select Expose an API > Add. Under Edit application ID URI add your app's URI in Application ID URI.

    

13. Select Add a scope and add the following information:

    • user_authentication (display name: ArcGISPro-API-User-Auth)

      

    • user_impersonation (display name: ArcGISPro-API-Impersonation)

      

14. Select Add a client application. Choose and take note of the client ID. You need the client ID to set up an authentication connection in ArcGIS Pro.

    

US Gov

1. Open the Azure portal and search for Entra. Select Microsoft Entra ID.

   

2. Go to App registrations > New registration.

   

3. Register the Web API app. Here are some name suggestions:

   • ArcGISPro-GeoCatalog-WebAPI
   • ArcGIS Pro

4. Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).

   

   

5. In your new app (named ArcGIS Pro in our example), go to Authentication > Add a platform > Web.

   

6. In Configure Web > Redirect URI, add <https://localhost>. Select Configure.

   

7. Return to Authentication > Add a platform, and then select Mobile and desktop applications.

   

8. In Configure Desktop + devices add arcgis-pro://auth in Custom redirect URIs.

   

9. In the Mobile and desktop applications panel, select Add URI. Enter https://login.microsoftonline.us/common/oauth2/nativeclient as a second redirect URI.

   

10. Under Implicit grant and hybrid flows, select the checkbox for ID tokens (used for implicit and hybrid flows). Select Save.

    

11. Select API Permissions on the left menu. Add and grant admin consent for:

    • Azure Storage > user_impersonation
    • Microsoft Graph > User.Read (default)

    

12. After you add permissions, select Grant admin consent for Default Directory.

    

13. On the left menu, select Expose an API > Add. Under Edit application ID URI add your app's URI in Application ID URI.

    

14. Select Add a scope and add the following information:

    • user_authentication (display name: ArcGISPro-API-User-Auth)

      

    • user_impersonation (display name: ArcGISPro-API-Impersonation)

      

15. Select Add a client application. Choose and take note of the client ID. You need the client ID to set up an authentication connection in ArcGIS Pro.

    

Register a desktop client application for ArcGIS Pro

Public

After you register your first application, register a second (with a distinct name). The second app represents ArcGIS Pro Desktop and configures its API permissions. Ensure that the new app can access the web API that you exposed with the first application.

1. Create a second app registration for the ArcGIS Pro desktop client with one of these suggested names: ArcGISPro-GeoCatalog-DesktopClient or GeoCatalog-ArcGIS. Set the account type by selecting Single tenant.

   

   

2. Configure the desktop client app. In this example, we use the name GeoCatalog-ArcGIS. Repeat the steps from the first app registration:

   • For Add a platform, select Web.
   • For Redirect URI, add <https://localhost>.
   • For Add a platform, select Mobile and desktop applications.
   • For Redirect URI, add arcgis-pro://auth.
   • Under Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows). Select Save.

3. Add access to the web API app:

   • On the API permissions tab, select Add a permission.

   • Go to the APIs my organization uses tab and search for the Web API app that you created previously (for example, ArcGIS Pro).

   • Select the app name to open the Request API Permissions screen.

     

   • Select both user_authentication and user_impersonation, the delegated permissions that you defined in the first app.

   • Select Add permissions.

     

4. Add the following delegated permissions:

   • Azure Storage > user_impersonation
   • Azure Orbital Spatio > user_impersonation
   • Microsoft Graph > User.Read (enabled by default)
   • Add permissions
   • Grant admin consent

   

   

US Gov

After you register your first application, register a second (with a distinct name). The second app represents ArcGIS Pro Desktop and configures its API permissions. Ensure that the new app can access the web API that you exposed with the first application.

1. Create a second app registration for the ArcGIS Pro desktop client with one of these suggested names: ArcGISPro-GeoCatalog-DesktopClient or GeoCatalog-ArcGIS. Set the account type by selecting Single tenant.

   

   

2. Configure the desktop client app. In this example, we use the name GeoCatalog-ArcGIS. Repeat the steps from the first app registration:

   • For Add a platform, select Web.
   • For Redirect URI, add <https://localhost>.
   • For Add a platform, select Mobile and desktop applications.
   • For Redirect URI, add arcgis-pro://auth.
   • Add another redirect URI for Mobile and desktop applications: https://login.microsoftonline.us/common/oauth2/nativeclient.
   • Under Implicit grant and hybrid flows, select ID tokens (used for implicit and hybrid flows). Select Save.

3. Add access to the web API app:

   • On the API permissions tab, select Add a permission.

   • Go to the APIs my organization uses tab and search for the Web API app that you created previously (for example, ArcGIS Pro).

   • Select the app name to open the Request API Permissions screen.

     

   • Select both user_authentication and user_impersonation, the delegated permissions that you defined in the first app.

   • Select Add permissions.

     

4. Add the following delegated permissions:

   • Azure Storage > user_impersonation.
   • Azure Orbital Spatio > user_impersonation.
   • Microsoft Graph > User.Read (Enabled by default).
   • Select Add permissions.
   • Select Grant admin consent.

   

   

Configure ArcGIS Pro (desktop) for Microsoft Planetary Computer Pro GeoCatalog access

This section outlines how to configure authentication and data access in the ArcGIS Pro desktop application. You use OAuth 2.0 integration with Microsoft Entra ID and access the Microsoft Planetary Computer Pro GeoCatalog. This section includes steps to add an authentication connection and create storage and STAC data connections.

Add an authentication connection

Public

1. Go to the ArcGIS Pro settings page in one of the following ways:

   • From an open project, select the Project tab on the ribbon.
   • From the start page, select the Settings tab.

2. On the left menu, select Options.

3. Go to Options > Application > Authentication.

4. Select Add Connection.

5. Enter a value in the Connection Name field.

6. For Type, select Microsoft Entra ID.

7. Enter values in the Entra Domain and Client ID fields.

   • You can find your Microsoft Entra ID domain (also known as your primary domain) from Microsoft Entra ID in the Azure portal.
   • For Client ID, enter the client ID you set in the Add a client application step.

8. Add the following values in the Scopes fields:

   • https://storage.azure.com/.default
   • https://geocatalog.spatio.azure.com/.default

   

9. Select OK.

10. Sign in through the Authentication dialog and complete the prompts.

    

Tip

For more information, see the documentation: Connect to authentication providers from ArcGIS Pro.

US Gov

1. Go to the ArcGIS Pro settings page in one of the following ways:

   • From an open project, select the Project tab on the ribbon.
   • From the start page, select the Settings tab.

2. On the left menu, select Options.

3. Go to Options > Application > Authentication.

4. Select Add Connection.

5. Enter a value in the Connection Name field.

6. For Type, select Microsoft Entra ID.

7. Select Azure US Government under Azure Environment

8. Enter values in the Entra Domain and Client ID fields.

   • You can find your Microsoft Entra ID domain (also known as your primary domain) from Microsoft Entra ID in the Azure portal.
   • For Client ID, enter the client ID that you set in the Add a client application step.

9. Add the following values in the Scopes fields:

   • https://storage.usgovcloudapi.net/.default
   • https://geocatalog.spatio.azure.us/.default

   

10. Select OK.

11. Sign in through the Authentication dialog and complete the prompts.

    

Tip

For more information, see the documentation: Connect to authentication providers from ArcGIS Pro.

Prepare and record GeoCatalog information

GeoCatalog URI, collection name, and token API endpoint

1. Create a Microsoft Planetary Computer Pro GeoCatalog in your Azure subscription (for example, arcgisprogeocatalog), and locate it in the appropriate resource group.

   

2. Select the GeoCatalog that you created.

3. Copy the value of its GeoCatalog URI. For example, https://arcgisprogeocatalog.<unique-identity>.<cloud-region>.geocatalog.spatio.azure.com.

   

4. Paste the link for your GeoCatalog URI in the browser and select the Collections button.

   

5. Record the value in Collection Name. For example, sentinel-2-l2a-tutorial-1000.

6. Construct the token API endpoint by using this pattern: <GeoCatalog URI>/sas/token/<Collection Name>?api-version=2025-04-30-preview. For example: https://arcgisprogeocatalog.<unique-identity>.<cloud-region>.geocatalog.spatio.azure.com/sas/token/sentinel-2-l2a-tutorial-1000?api-version=2025-04-30-preview.

Find and record the storage location

Each collection within the Microsoft Planetary Computer Pro GeoCatalog stores geospatial data and STAC Item assets in a dedicated storage account and Azure blob container. In the following steps, you find and record the storage account and container names for a specific collection.

Note

An Azure Storage account and blob container are discoverable only after STAC Items or other assets are added to a collection.

There are two easy ways to discover the storage account and blob container for a collection: by using a thumbnail or by using a STAC Item with assets.

Discover the storage account by using a collection thumbnail

1. From a specific Collections page, select the value for Collection Name.

   

2. Select the Edit collection button.

   

3. In the resulting JSON display, locate the key title:assets:thumbnail:href and copy the corresponding value. For example:

   https://<unique-storage>.blob.core.windows.net/sentinel-2-l2a-tutorial-1000-<unique-id>/collection-assets/thumbnail/lulc.png
   

4. Record the values under Account Name and Container Name. For example:

   • (Storage) Account Name: <unique-storage>
   • Container Name: sentinel-2-l2a-tutorial-1000-<unique-id>

   

Discover the storage account by using a STAC Item

1. From a specific Collections page, select STAC Items.

   

2. Select the checkbox next to one of the listed STAC Items.

   

3. Scroll to the bottom of the STAC Item right panel and select the link to retrieve the STAC Item JSON.

   

4. Find the object called assets within the STAC Item JSON specification. Select one of the asset types within this object and find the href key.

    "assets": {
        "image": {
            "href": "https://<unique-storage>.blob.core.windows.net/naip-sample-datasets-<unique-id>/12f/va_m_3807708_sw_18_060_20231113_20240103/image.tif",
        }
    }
   

5. Record the value for Account Name and Container Name. For example:

   • (Storage) Account Name: <unique-storage>
   • Container Name: naip-sample-datasets-<unique-id>

Set up a connection to Azure Blob Storage

1. In ArcGIS Pro, open the Create Cloud Storage Connection File geoprocessing tool to create a new ACS connection file. You can access this tool in the main ribbon on the Analysis tab. Select Tools, and then search for the tool by typing its name.

2. Specify a value for the Connection File Location for the ACS file.

3. Provide a name for Connection File. For example, geocatalog_connection.acs.

4. Select Service Provider > Azure.

5. For Authentication, select the name of the auth profile that you used earlier.

6. For Access Key ID (Account Name), use the Account Name value that you recorded earlier: <unique-storage>.

7. For Bucket (Container) Name use the Container Name value that you recorded earlier: sentinel-2-l2a-tutorial-1000-<unique-id>.

8. Don't specify a value for Folder.

9. Add the provider option ARC_TOKEN_SERVICE_API and set the value to the token API endpoint that you constructed earlier. For example:

    https://arcgisprogeocatalog.<unique-identity>.<cloud-region>.geocatalog.spatio.azure.com/sas/token/sentinel-2-l2a-tutorial-1000?api-version=2025-04-30-preview
   

10. Add the provider option ARC_TOKEN_OPTION_NAME and set the value to AZURE_STORAGE_SAS_TOKEN.

    

Create a STAC connection to Microsoft Planetary Computer Pro

Tip

Refer to the ArcGIS Pro documentation Create a STAC connection.

1. Provide a name in STAC Connection. For example, GeoCatalog_Connection.

2. For Connection, use the form <GeoCatalog URI>/stac. For example:

    https://arcgisprogeocatalog.<unique-identity>.<cloud-storage>.geocatalog.spatio.azure.com/stac
   

3. Reference the authentication settings that you created in the previous step.

4. Add values for Custom Parameters:

   • Name: api-version
   • Value: 2025-04-30-preview

5. Add the ACS connection file that you created in the previous step to the Cloud Storage Connections list. Select OK.

   

6. Explore the STAC connection.

   Tip

   Learn more about the ArcGIS Explore STAC pane.

   

7. Search, fetch extensive STAC metadata, and view and browse images.

8. Add selected images to the Map or Scene functions.

   

Related content

• Create a cloud storage connection file
• Create a new GeoCatalog
• Create a STAC collection