Edit

Share via

Configure ArcGIS Pro to access a GeoCatalog

This guide demonstrates how to configure ArcGIS Pro to access geospatial datasets from the Microsoft Planetary Computer Pro GeoCatalog using OAuth 2.0 delegated authentication with Microsoft Entra ID. This requires registering two applications in Microsoft Entra ID (a Web API and a Desktop client), configuring delegated permissions with user_impersonation scope, and connecting ArcGIS Pro to Azure Blob Storage and SpatioTemporal Access Catalog (STAC) compliant datasets hosted in the Microsoft Planetary Computer Pro environment.

By the end of this guide, you'll be able to securely browse and access Microsoft Planetary Computer-hosted data directly in ArcGIS Pro using Microsoft Entra ID user impersonation.

Prerequisites

  • Access to a Microsoft Entra ID tenant
  • Azure subscription with permissions to manage app registrations
  • ArcGIS Pro installed on your machine

Tip

Before you begin, review Register an application in Microsoft Entra ID for background information on app registration.

Register web API application for ArcGIS Pro

  1. Open the Azure Portal and go to Microsoft Entra ID.

    Screenshot showing a user selecting Microsoft Entra ID from Azure portal.

  2. Navigate to App registrations > New registration.

    Screenshot showing new app registration.

  3. Register the Web API app. Suggested names:

    • ArcGISPro-GeoCatalog-WebAPI or
    • ArcGIS Pro

  4. Set Multitenant as the account type. Screenshot showing register an app ArcGIS Pro.

    Screenshot showing new app registration ArcGIS Pro.

  5. After registration, complete the following configuration within the new app registration ArcGIS Pro.

    • Go to the Authentication tab.

    • Add platform: Web.

    Screenshot showing the selection to add a web platform type of authentication.

  6. Set Redirect URI: https://localhost.

    Screenshot showing how to add a redirect URI.

  7. Add platform: Mobile and Desktop applications

    Screenshot showing add mobile desktop app.

  8. Set Custom Redirect URI: arcgis-pro://auth.

    Screenshot showing configure desktop device.

  9. Enable ID tokens under Implicit grant and hybrid flows.

  10. Select Save.

    Screenshot showing enable ID tokens ArcGIS App authentication.

  11. Go to API Permissions.

    • Add and grant admin consent for:
      • Azure Storage > user_impersonation.
      • Microsoft Graph > User.Read (This permission is enabled by default).

    Screenshot showing howto configure the addition of API permissions.

  12. Grant admin consent after permissions are added.

    Screenshot showing how to grant admins consent.

  13. Go to Expose an API.

    • Add App ID URI.

    Screenshot showing how to add the app id URI .

  14. Define scopes:

    • user_authentication (Display name: ArcGISPro-API-User-Auth)
    • user_impersonation (Display name: ArcGISPro-API-Impersonation)

    Screenshot showing add user authentication scope.

    Screenshot showing add user impersonation scope.

  15. Select Add a client application and note the App ID.

    Screenshot showing how to add a client app.

Register desktop client application for ArcGIS Pro

Register a second application (with a distinct name) to represent ArcGIS Pro Desktop and configure its API permissions --- ensuring it includes access to the web API exposed by the first application.

  1. Create a second app registration for the ArcGIS Pro desktop client.

    • Suggested name: ArcGISPro-GeoCatalog-DesktopClient or GeoCatalog-ArcGIS.

    • Set account type: Single tenant.

    Screenshot showing register second app arcgisprodesktopclient.

    Screenshot showing new app registration GeoCatalog ArcGIS.

  2. Configure the Desktop Client App.

    Complete the following configuration within the new App registration GeoCatalog-ArcGIS.

    • For Authentication, repeat the same steps as in Step 1:

      • Add platform: Web.
      • Set Redirect URI: https://localhost.
      • Add platform.
      • Set Redirect URI: arcgis-pro://auth.
      • Enable ID tokens under Implicit grant and hybrid flows.
      • Select Save.

    • API Permissions: Adding Access to the Web API App.

      • In the API permissions tab, select Add a permission.

      • Go to the APIs my organization uses tab and search for the Web API app created in Step 1 (for example, ArcGIS Pro).

      • Select the app name to open the Request API Permissions screen.

    Screenshot showing request API permissions.

    • Select both user_authentication and user_impersonation; the delegated permissions defined in the first app.

    • Select Add permissions.

    Screenshot showing add API permissions ArcGIS Pro.

    • Continue to add the following delegated permissions:

      • Azure Storage > user_impersonation.
      • Azure Orbital Spatio > user_impersonation.
      • Microsoft Graph > User.Read (This permission is enabled by default).
      • Select Add permissions.
      • Select Grant admin consent.

    Screenshot showing app selection on request API permissions screen.

    Screenshot showing grant admin consents (4).

Configure ArcGIS Pro (Desktop) for Microsoft Planetary Computer Pro GeoCatalog access

This section outlines how to configure authentication and data access in the ArcGIS Pro desktop application, using OAuth 2.0 integration with Microsoft Entra ID and access to the Microsoft Planetary Computer Pro GeoCatalog. It includes steps to add an authentication connection and create storage and STAC data connections.

Add an authentication connection

  1. Open the ArcGIS Pro settings page in one of the following ways:

    • From an open project, select the Project tab on the ribbon.
    • From the start page, select the Settings tab.

  2. In the side menu, select Options.

  3. In the Options dialog box, under Application, select Authentication.

  4. Select Add Connection to add a new authentication connection.

  5. In the Add Connection dialog box:

    • Enter a Connection Name.

    • For Type, select Microsoft Entra ID.

    • Enter your Entra Domain and Client ID.

    • Add the following scopes:

      • https://storage.azure.com/.default

      • https://geocatalog.spatio.azure.com/.default

    Screenshot showing how to add a connection.

    • Select OK.

    • Sign in through the Authentication dialog and complete the prompts.

    Screenshot showing how to sign in with the Authentication dialog.

Tip

For more information, see the official ArcGIS Pro documentation Connect to authentication providers from ArcGIS Pro.

Prepare and record GeoCatalog information

  1. Create an Microsoft Planetary Computer Pro GeoCatalog in your Azure subscription (for example, arcgisprogeocatalog), and locate it in the appropriate resource group.

    Screenshot showing find hiddentype GeoCatalog.

  2. Select on the GeoCatalog. For example, arcgisprogeocatalog.

  3. Record the GeoCatalog URI. For example, https://arcgisprogeocatalog.<unique-identity>.<cloud-region>.geocatalog.spatio.azure.com.

    Screenshot showing how to retrieve the GeoCatalog URI.

  4. Open the link to your GeoCatalog URI in the browser and select on the Collections button

    Screenshot showing Microsoft Planetary Computer Pro web interface.

  5. Record the Collection Name. For example, sentinel-2-l2a-tutorial-1000.

  6. Construct the Token API Endpoint using this pattern:

    \<GeoCatalog URI\>/sas/token/\<Collection Name\api-version=2025-04-30-preview

    Example:

    https://arcgisprogeocatalog.\<unique-identity\>.\<cloud-region\>.geocatalog.spatio.azure.com/sas/token/sentinel-2-l2a-tutorial-1000?api-version=2025-04-30-preview

  7. Select the collection name.

    Screenshot showing click on collection name.

  8. Select the Edit collection button.

    Screenshot showing how to edit a GeoCatalog collection.

  9. In the resulting JSON display, locate the key "title:assets:thumbnail:href" and copy the corresponding value. For example:

    https://\<unique-storage\>.blob.core.windows.net/sentinel-2-l2a-tutorial-1000-\<unique-id\>/collection-assets/thumbnail/lulc.png

  10. Record the value of Account Name and Container Name:

    • Account Name: for example <unique-storage>
    • Container Name: for example sentinel-2-l2a-tutorial-1000-<unique-id>

    Screenshot showing collection json display.

Set up a connection to Azure Blob

  1. In ArcGIS Pro, open the Create Cloud Storage Connection File geoprocessing tool to create a new ACS connection file. This tool can be accessed in the main Ribbon on the Analysis Tab. Select the Tools Button, then search for the tool by typing its name.

  2. Specify a Connection File Location for the ACS file.

  3. Provide a Connection File Name. For example, geocatalog_connection.acs.

  4. For Service Provider select Azure.

  5. For Authentication, select the name of the auth profile that you created in previous steps.

  6. For Access Key ID (Account Name), use the Account Name value that you recorded earlier: <unique-storage>.

  7. For Bucket (Container) Name use the Container Name value that you recorded earlier: sentinel-2-l2a-tutorial-1000-<unique-id>.

  8. Add the provider option ARC_TOKEN_SERVICE_API and set the value to your Token API Endpoint that you constructed earlier. For example:

    https://arcgisprogeocatalog.\<unique-identity\>.\<cloud-region\>.geocatalog.spatio.azure.com/api/token/sentinel-2-l2a-tutorial-1000?api=version=2025-04-30-preview

  9. Add the provider option ARC_TOKEN_OPTION_NAME and set the value to AZURE_STORAGE_SAS_TOKEN.

    Screenshot showing create cloud storage connection file sample.

Create a STAC connection to Microsoft Planetary Computer Pro

  1. Create a new STAC connection in ArcGIS Pro (desktop).

    Tip

    Refer to ArcGIS Pro documentation to Create a STAC connection.

    Screenshot showing create new stac connection.

    • Provide a name for the STAC Connection: For example, GeoCatalog_Connection.

    • For Connection use the form\<GeoCatalog URI\>/api. For example,

        https://arcgisprogeocatalog.\<unique-identity\>.\<cloud-storage\>.geocatalog.spatio.azure.com/api

    • Reference the Authentication settings made in previous step.

    • Add the ACS connection file that was created in previous step to the STAC connection.

    • Select OK.

    Screenshot showing how to create a STAC connection.

  2. Explore the STAC connection.

    Tip

    Learn more about the ArcGIS Explore STAC Pane.

    Screenshot showing the Explore STAC dialog box.

    • Search, fetch extensive STAC metadata, and view the browse images.

    • Add selected images to Map or Scene.

    Screenshot showing explore the STAC data window.

Related content