Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Did you hear? There's a new SQL AI Developer certification (DP-800). Start preparing now and be one of the first to get certified. Register now

Reply
Neevitha
New Member

SharePoint Dataflow MFA/Conditional Access Issue After Re-authenticating Service Account

‎10-27-2025 02:12 AM

Background:

  • On 15th September, I made changes to a master ETL pipeline in Microsoft Fabric.

  • Changes were made to a Microsoft Fabric ETL pipeline that includes multiple source systems, some of which are SharePoint (Excel) files connected via dataflows.

  • Notification activity was configured for error reporting, and a column was intentionally removed to test error handling

What I Changed:

  1. Re-authenticated the notification connection.

  2. Removed a column to trigger a test error.

  3. Ran the full pipeline.

What Went Wrong:

  • The pipeline failed with errors related to:

    • Conditional Access Policy

    • Multi-Factor Authentication (MFA)

  • SharePoint dataflow connections were failing authentication.

What Fixed It:

  • Re-authenticating each failing dataflow using the service account resolved the issue.

  • The pipeline executed successfully afterward.

Questions

  1. Immediate Resolution after Re-authentication

    • Why did re-authenticating the dataflow connections instantly fix the issue?

    • Does Fabric cache tokens or connection sessions that might expire silently?

  2. MFA / Conditional Access Issues

    • Why were the connections initially blocked by MFA or Conditional Access?

    • How did re-authentication bypass these security checks?

  3. Additional Connections Behavior

    • Who creates the extra SharePoint connections with the SP- prefix?

    • Are they always system-generated during re-authentication?

    • Why do they appear lower in the connection list even if created later?

  4. Best Practices for Service Accounts

    • How can I ensure consistent and persistent connection behavior for service accounts across multiple dataflows?

Labels:
Message 1 of 3
703 Views
0
1 ACCEPTED SOLUTION
Vinodh247
Super User
Super User

‎10-28-2025 08:38 AM

Immediate Resolution

  • Maybe reauth fixed it because fabric refreshed the expired OAuth token.

  • Yes, fabric caches access tokens. When conditional access or MFA policies change, those cached tokens become invalid silently until you re-authenticate.

MFA/Conditional Access Issues

  • The initial block happened because the service account’s cached token did not satisfy updated cnditional access or MFA requirements.

  • Re-authentication forced a new compliant token flow, which met the policy requirements and succeeded.

Additional Connections (SP prefix)

  • The SP- connections are system-generated shadow connections created by Fabric when SharePoint connectors re-establish authentication.

  • They often appear lower in the list because Fabric sorts connections by creation timestamp but groups system-generated ones separately.

Best Practices for Service Accounts

  1. Use a dedicated, noninteractive service account excluded from MFA (via Conditional Access exceptions).

  2. Re-authenticate all Fabric dataflows after any password or policy change.

  3. Use organization-wide connections instead of per user connections where possible.

  4. Document and monitor connection expiry intervals; revalidate proactively every 90 days or per token policy.

  5. Keep Conditional Access policies aligned with automation accounts to avoid unexpected MFA prompts.

Hope this will help point you to the right direction.

Please 'Kudos' and 'Accept as Solution' if this answered your query.

Regards,
Vinodh
Microsoft MVP [Fabric]
LI: https://www.linkedin.com/in/vinodh-kumar-173582132
Blog: vinsdata.in/blog

View solution in original post

Message 2 of 3
635 Views
2 REPLIES 2
Vinodh247
Super User
Super User

‎10-28-2025 08:38 AM

Immediate Resolution

  • Maybe reauth fixed it because fabric refreshed the expired OAuth token.

  • Yes, fabric caches access tokens. When conditional access or MFA policies change, those cached tokens become invalid silently until you re-authenticate.

MFA/Conditional Access Issues

  • The initial block happened because the service account’s cached token did not satisfy updated cnditional access or MFA requirements.

  • Re-authentication forced a new compliant token flow, which met the policy requirements and succeeded.

Additional Connections (SP prefix)

  • The SP- connections are system-generated shadow connections created by Fabric when SharePoint connectors re-establish authentication.

  • They often appear lower in the list because Fabric sorts connections by creation timestamp but groups system-generated ones separately.

Best Practices for Service Accounts

  1. Use a dedicated, noninteractive service account excluded from MFA (via Conditional Access exceptions).

  2. Re-authenticate all Fabric dataflows after any password or policy change.

  3. Use organization-wide connections instead of per user connections where possible.

  4. Document and monitor connection expiry intervals; revalidate proactively every 90 days or per token policy.

  5. Keep Conditional Access policies aligned with automation accounts to avoid unexpected MFA prompts.

Hope this will help point you to the right direction.

Please 'Kudos' and 'Accept as Solution' if this answered your query.

Regards,
Vinodh
Microsoft MVP [Fabric]
LI: https://www.linkedin.com/in/vinodh-kumar-173582132
Blog: vinsdata.in/blog
Message 2 of 3
636 Views
Neevitha
New Member
In response to Vinodh247

‎11-03-2025 03:07 AM

Hi Vinodh,

Thanks so much for the clarification it really helps me understand how Fabric handles SP- connections and re-authentication.

I have a follow-up question:

  • If I re-authenticate the same dataflow multiple times (e.g., 3 times in a row), will Fabric create 3 separate SP- connections (SP1, SP2, SP3)?

  • Or does it reuse the existing SP- connection and just refresh the token?

Appreciate your insights!

 

Message 3 of 3
484 Views
0

Helpful resources

Announcements
April Fabric Update Carousel

Fabric Monthly Update - April 2026

Check out the April 2026 Fabric update to learn about new features.

Fabric SQL PBI Data Days

Data Days 2026 coming soon!

Sign up to receive a private message when registration opens and key events begin.

New to Fabric survey Carousel

New to Fabric Survey

If you have recently started exploring Fabric, we'd love to hear how it's going. Your feedback can help with product improvements.

View All