October 11, 2024|tutorial|

how to set a service principal as the authentication method in a fabric connection.

introduction.

When using a Fabric artifact as a source in Power BI Desktop, it is currently only possible to set a service principal as the underlying authentication method when choosing the SQL endpoint of a Lakehouse. The same can be observed when trying to create a connection in Fabric. At the time of writing this blog article, for the Fabric artifacts Warehouse, Lakehouse (not via the SQL endpoint) and KQL Database, it is only possible to set OAuth2 as the method of authentication.
For import mode models, my “go to” authentication method usually is a service principal. This way, we are not using a user’s credentials to fetch tokens in order to access the source. Earlier, in order to use a service principal for authentication, we had to have a service principal take over the semantic model. In Fabric, however, you can utilise a service principal for authentication purposes just by specifying it in the connection – at least for some sources. Bear in mind, service principals come with a maintenance cost. In a perfect world, you would want to roll service principal secrets on a regular basis.
I got the idea for this blog article from the Fabric community. Feel free to reach out to me if you have any questions about the community – it’s an inclusive place where Fabricans try to help each other.

prerequisites.

1. A Fabric capacity and workspace
2. A semantic model deployed to Fabric

1. What’s the goal?

The goal is to be able to use a service principal as the authentication method in a Fabric connection. In our case, we connect a Power BI semantic model to a Fabric Lakehouse.

2. Create a service principal in Azure

First, we need to create a service principal in Azure. For this, go into the Azure Portal and create a new app registration. Note that there is no need to set up any scopes/API permissions.

In the connection, we need to specify the tenant ID, the service principal ID and the service principal key. The Tenant ID (or Directory ID) can be found in the Overview tab of your service principal. The Service principal ID equals the Application or Client ID that is displayed on the same screen:

The Service principal key is a secret you need to create under Certificates & secrets:

3. Set up Fabric to use service principal

Before we can use the service principal, we need to tell Fabric to allow service principals to use Power BI APIs; otherwise, we are not able to add them to the workspace. You can find this setting in the Admin portal. You probably do not want to toggle this setting on for the entire organization and instead use specific security groups:

Afterwards you can add the service principal to the workspace. For me, it worked already with the viewer role. If this doesn’t work for you, you might wanna elevate to contributor.

If the service principal is not given access to the workspace, you might receive the error below when trying to create the new connection:

Next, we can navigate to Manage connections and gateways:

Now, add a new connection:

Fill in the fields accordingly. For connection type, choose SQL Server.

 

You can copy the SQL connection string from the submenu (click on the three dots next to your SQL analytics endpoint):

 

Lastly, assign the newly created connection to your semantic model:

 

4. Showtime

Let’s test our connection by starting a refresh and checking the history. Hopefully, it’ll look like this for you, too:

end.

This is it! Now you have a service principal that is being used for authenticating your Power BI semantic models to your Fabric Lakehouse.
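The introduction notes that service principal secrets should be rolled regularly, and the connection created above stops refreshing once the secret from step 2 expires. The following is an added example, not part of the original article: it reads the JSON printed by `az ad app credential list --id <application-id>` and flags secrets that are expired or close to expiry. The sample data, the function names and the 30-day warning window are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape printed by
# `az ad app credential list --id <application-id>`; every value is made up.
SAMPLE = """[
 {"displayName": "fabric-connection", "keyId": "00000000-0000-0000-0000-000000000001",
  "endDateTime": "2025-04-09T08:00:00Z"},
 {"displayName": "old-secret", "keyId": "00000000-0000-0000-0000-000000000002",
  "endDateTime": "2025-01-01T00:00:00.0000000Z"},
 {"displayName": "long-lived", "keyId": "00000000-0000-0000-0000-000000000003",
  "endDateTime": "2026-03-20T00:00:00+00:00"}
]"""

_TS = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)?$")

def parse_ts(value):
    """Parse an ISO 8601 timestamp; tolerates 'Z' and more than 6 fraction digits."""
    m = _TS.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    dt = dt.replace(microsecond=int((frac or "0")[:6].ljust(6, "0")))
    offset = timedelta(0)  # assumption: a missing zone means UTC
    if tz not in (None, "Z"):
        sign = -1 if tz[0] == "-" else 1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return dt.replace(tzinfo=timezone(offset))

def secret_report(credentials, now, warn_days=30):
    """Return (status, displayName, keyId, whole days left), soonest expiry first."""
    rows = []
    for cred in credentials:
        end = parse_ts(cred["endDateTime"])
        days = (end - now) // timedelta(days=1)  # floors, so expired secrets go negative
        status = "expired" if end <= now else "rotate-soon" if days < warn_days else "ok"
        rows.append((status, cred.get("displayName") or "(unnamed)", cred["keyId"], days))
    return sorted(rows, key=lambda row: row[3])

if __name__ == "__main__":
    # Swap SAMPLE for the real CLI output to check your own app registration.
    for row in secret_report(json.loads(SAMPLE), datetime.now(timezone.utc)):
        print("{:<12} {:<20} {}  {:>5} days".format(*row))
```

After rolling a secret, the new value also has to be entered in the Fabric connection, since the connection stores the service principal key.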

 
