kkitsara
Regular Visitor

PowerBI - Databricks SSO | Impersonation of report viewers with custom OIDC client

Hello,

 

We are working on integrating PowerBI with Databricks using SSO functionality.

Our Databricks is currently hosted on AWS and we use a custom OIDC solution for implementing Databricks SSO.

 

We want to query data from PowerBI to Databricks using OAuth to apply impersonation. 

I followed the below steps:

  1. On PowerBI Desktop selected Get Data and selected the connector Databricks.
  2. Then, after adding the Databricks hostname and SQL path, I selected OAuth as authentication and I successfully authenticated and viewed my table
  3. I selected DirectQuery as import method
  4. I published the report to PowerBI service
  5. Once published, I connected to PowerBI service and checked the report. The report was not working, as I had to set up the credentials
  6. I went to the settings of the semantic model and added a Connection Credentials with SSO (OIDC).
  7. Now the report works and I was able to create an App also, but it seems that all the viewers of the App/report are using my identity to login to Databricks, thus the row filters we have in Databricks for their identities are not working.

 

Is there any way to enforce the viewers of an App/Report to use their own identities to reach Databricks?

This is a crucial functionality, as at the moment we cannot apply row filtering on the table on Databricks level, as all the report viewers are using the identity of the report developer (even with DirectQuery and SSO). 

As it functions now, the SSO loses its purpose.

 

Regards,

Kostas

4 REPLIES
FarhanJeelani
Super User

Hi @kkitsara ,

To address the issue, the core focus should be on configuring identity propagation correctly between Power BI and Databricks. Currently, it seems that the identity of the report developer is being used, which prevents row-level security (RLS) from being applied as intended. Here's how you can resolve this.

First, confirm that your Databricks connector in Power BI is configured for Single Sign-On (SSO) with your custom OIDC solution. This involves ensuring that the OIDC client used by Databricks can accept user-specific tokens from Power BI and pass those tokens along for identity verification. You need to verify that your OIDC setup allows the transmission of claims such as userPrincipalName or email, which can uniquely identify the users accessing the data.

In the Power BI Service, go to the settings for the dataset associated with your report. Under the dataset settings, ensure that the SSO option is enabled. This ensures that Power BI is set to pass user credentials to Databricks rather than using a static credential set. For this to work, the DirectQuery mode must be configured to use the viewer’s identity for querying the data source. Additionally, confirm that your Databricks workspace recognizes and processes the user identity passed via Power BI.

On the Databricks side, you need to implement row-level security (RLS) using user-specific attributes. For example, your table can include a column for username, and the SQL queries can filter rows using a function like current_user() or a similar attribute mapped from the user token. This ensures that only data corresponding to the logged-in user is accessible.

Testing is crucial. Use different user accounts to access the published report in Power BI Service and observe whether Databricks logs indicate the correct user identity for each query. If all queries appear to originate from the developer's identity, it points to an issue with identity propagation in the SSO configuration.

If your custom OIDC client doesn't support user impersonation natively, you might need an additional authentication layer. This can be a middleware service that maps Power BI user identities to Databricks-compatible tokens dynamically, ensuring proper impersonation.

By properly aligning Power BI’s dataset settings, Databricks authentication configuration, and RLS rules, you can enforce that each viewer uses their own identity to access the data, maintaining the integrity of row-level filtering.

 

Did I answer your question? Mark my post as a solution!
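
The test described in the answer above (compare who opened the report with the identity Databricks recorded for the resulting queries), as an added example that is not part of the original post or of any Power BI or Databricks tooling. The record fields `viewer`, `run_as` and `at`, the 30-second window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are hypothetical, not a real export schema.
REPORT_VIEWS = [  # who opened the report in Power BI Service
    {"viewer": "alice@example.com", "at": "2025-01-13T10:00:00"},
    {"viewer": "bob@example.com", "at": "2025-01-13T10:05:00"},
    {"viewer": "dev@example.com", "at": "2025-01-13T10:10:00"},
]
WAREHOUSE_QUERIES = [  # identity the SQL warehouse recorded for each query
    {"run_as": "dev@example.com", "at": "2025-01-13T10:00:02"},
    {"run_as": "dev@example.com", "at": "2025-01-13T10:05:03"},
    {"run_as": "dev@example.com", "at": "2025-01-13T10:10:01"},
]


def correlate(views, queries, window_s=30):
    """Pair each report view with queries that started within window_s seconds after it."""
    pairs = []
    for view in views:
        start = datetime.fromisoformat(view["at"])
        end = start + timedelta(seconds=window_s)
        for query in queries:
            if start <= datetime.fromisoformat(query["at"]) <= end:
                pairs.append((view["viewer"].lower(), query["run_as"].lower()))
    return pairs


def propagation_report(views, queries, window_s=30):
    """Summarise whether the viewer's identity reached the data source."""
    pairs = correlate(views, queries, window_s)
    matched_viewers = {viewer for viewer, _ in pairs}
    run_as = {identity for _, identity in pairs}
    # Several distinct viewers but one executing identity means a stored
    # credential is being used instead of per-viewer SSO.
    collapsed = len(matched_viewers) > 1 and len(run_as) == 1
    return {
        "mismatches": sorted({p for p in pairs if p[0] != p[1]}),
        "collapsed_to": run_as.pop() if collapsed else None,
        "unmatched_viewers": sorted(
            {v["viewer"].lower() for v in views} - matched_viewers
        ),
    }


if __name__ == "__main__":
    print(propagation_report(REPORT_VIEWS, WAREHOUSE_QUERIES))
```

A non-empty `collapsed_to` is the symptom reported in the question: row filters keyed on `current_user()` then evaluate against the publisher's identity for every viewer.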

Hello @FarhanJeelani ,

Thanks a lot for your detailed explanation.

 

Our OIDC client is properly set on Databricks and RLS is also properly set. 

I would like to ask for some more explanation of your point:

 

"In the Power BI Service, go to the settings for the dataset associated with your report. Under the dataset settings, ensure that the SSO option is enabled. This ensures that Power BI is set to pass user credentials to Databricks rather than using a static credential set."

 

What are the steps to do this? I open my semantic model settings and I cannot find any SSO option. If it is not clear, please check my steps above for the process I followed to build this report.

 

If you are referring to the connection settings, and to a button like the one in the picture below, then this option is not available for the Databricks connector.

kkitsara_0-1736792197687.png

 

 

Regards,

Kostas

Hi @kkitsara , hello FarhanJeelani, thank you for your prompt reply!


Hope the below article is helpful to you:

Connect Power BI to Azure Databricks - Azure Databricks | Microsoft Learn

 

Best regards,

Joyce

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Hi @v-yajiewan-msft 

 

This article describes the same functionality but with Microsoft Entra ID enabled in Databricks.

As I mentioned in my initial post, we are using a custom OIDC client as identity provider in Databricks and we cannot find a properly working SSO functionality for this.

 

Regards,

Kostas
