How to configure Service Principal authentication ...

amaaiia · ‎06-30-2025

Hi,

I have a dataflow gen2 working which uses Warehouse connection (with OAUth2.0 authentication).

I've seen that it's possible to authenticate with Service Principal, so I'm trying to change it to sp. This is dataflow query using Warehouse connection:

Where first step Source is:

And second Navigation 1:

The sp I've configured is in a security group which has Contributor role in that workspace starting with 0b...

However, when I change de connection to Service Principal, the dataflow fails..

Where does de sp need no have acces to so the authentication can success??

v-achippa · ‎07-01-2025

Hi @amaaiia,

Thank you for reaching out to Microsoft Fabric Community.

The Service Principal or the security group it belongs to must be explicitly granted access to the Warehouse in Microsoft Fabric. The Contributor role on the workspace does not automatically grant SP access to the underlying Warehouse object for query execution.

Go to the Warehouse settings in Microsoft Fabric, click Manage Access and assign the SP group the Member or Admin role directly on the Warehouse.

Once done re test the connection in Dataflow Gen2 and it should work successfully with the Service Principal authentication.

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Thanks and regards,

Anjan Kumar Chippa

amaaiia · ‎07-01-2025

Where is that in the documentation?

Workspace roles affects to items in the workspace. And why member? Member is the same as Contributor but with the possibility of resharing... It doesn't make sense. According to official documentation, workspace role is enough (Service Principals in Fabric Data Warehouse - Microsoft Fabric | Microsoft Learn)

Anyway, as expected, it's not working.

v-achippa · ‎07-07-2025

Hi @amaaiia,

Yes, the documentation mentions that assigning the Service Principal a Contributor role at the workspace level should be sufficient.

But in practice we have observed that even with proper workspace level Contributor roles, Dataflows Gen2 using the Fabric.Warehouse() connector still fail with SP authentication, unless the SP (or its security group) is also explicitly granted access at the Warehouse level as well.

This behaviour is not clearly documented yet, but it aligns with internal testing and multiple cases seen in the community and support channels. It is likely related to how Dataflow Gen2 executes queries through the warehouse connector, which still checks Warehouse level permissions even when workspace level permissions exist.

If this post helps, then please consider Accepting as solution to help the other members find it more quickly, don't forget to give a "Kudos" – I’d truly appreciate it!

Thanks and regards,

Anjan Kumar Chippa

v-achippa · ‎07-10-2025

Hi @amaaiia,

As we haven’t heard back from you, we wanted to kindly follow up to check if the solution I have provided for the issue worked? or let us know if you need any further assistance.

Thanks and regards,

Anjan Kumar Chippa

v-achippa · ‎07-14-2025

Hi @amaaiia,

We wanted to kindly follow up to check if the solution I have provided for the issue worked?

Thanks and regards,

Anjan Kumar Chippa

v-achippa · ‎07-17-2025

Hi @amaaiia,

As we haven’t heard back from you, we wanted to kindly follow up to check if the solution I have provided for the issue worked?

Thanks and regards,

Anjan Kumar Chippa

How to configure Service Principal authentication for Warehouse connection?

Helpful resources

Fabric Community Update - July 2025

Fabric Monthly Update - June 2025

Party with Power BI’s own Guy in a Cube

How to configure Service Principal authentication for Warehouse connection?

Helpful resources

Fabric Community Update - July 2025

Fabric Monthly Update - June 2025