Incorrect tenant used by dataflows for connecting to Azure Blob Storage

Hello,

 

We have a storage account in tenant A. Our accounts are in tenant B.

These accounts are guest accounts in tenant A with the Storage Blob Data Reader role over the storage account.

 

We create a dataflow using an AzureBlobs source using this storage account and select "OAuth2" authentication.

We click "Connect", sign-in is triggered but in the tenant B.

 

Then we get the error message "The credentials provided for the AzureBlobs source are invalid. (Source at https://xxx.blob.core.windows.net/.)" 

 

This is expected as the sign-in should be done in tenant A, and not in tenant B.

This works correctly for datasets.

 

If we use an account from tenant A to connect, with the same role over the storage account, the connection is successful.

 

Thank you for your help!

Status: Delivered

 

Kindly check the comments below. If in doubt, I'll reopen this thread.

Best regards.
Community Support Team_Caitlyn

Comments
v-xiaoyan-msft
Community Support
Status changed to: Investigating

Hi @mikoify,

 

It sounds like you are encountering an issue with authentication when attempting to access a storage account in tenant A using guest accounts from tenant B.

One possible solution is to try using a service principal to authenticate the dataflow instead of using guest accounts. Service principals are a type of identity that can be used to authenticate applications and services in Azure.

To create a service principal, you can follow these steps:

1. In the Azure portal, navigate to the Azure Active Directory (AAD) tenant where the storage account is located (tenant A).
2. Click on "App registrations" and then "New registration".
3. Give the service principal a name and select "Accounts in this organizational directory only" under "Supported account types".
4. Under "Redirect URI", select "Web" and enter a dummy URL (e.g. https://localhost).
5. Click "Register" to create the service principal.
6. Once the service principal is created, navigate to the storage account in the Azure portal and grant it the necessary permissions (e.g. Storage Blob Data Reader role).
7. In the dataflow, select "OAuth2" authentication and enter the client ID and client secret of the service principal.

 

Best regards.
Community Support Team_Caitlyn

v-xiaoyan-msft
Community Support
Status changed to: Delivered

 

Kindly check the comments below. If in doubt, I'll reopen this thread.

Best regards.
Community Support Team_Caitlyn

mikoify
Frequent Visitor

Hi,

 

We would dream of having the possibility you describe of being able to select OAuth2 and use client id and client secret. However, where did you see this was possible during the configuration of an Azure Blob Storage source in a Dataflow? Can you do this on your side? Because we don't have that option.

 

This has been marked as delivered but the problem is exactly the same today: the authentication does not work for a guest account (please see the initial post which provides all the details and repro steps required).

 

Thank you.
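
Added example, not part of the thread and not Microsoft's code: one way to confirm the tenant mismatch described in the original post is to read the `tid` and `iss` claims of the access token obtained at sign-in and compare them with the tenant that owns the storage account. The tenant GUIDs and sample tokens below are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import json

# Constructed placeholder tenant IDs (assumptions, not values from the thread).
TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"  # resource tenant: owns the storage account
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"  # home tenant of the guest accounts


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(tid: str) -> str:
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"iss": f"https://sts.windows.net/{tid}/", "tid": tid,
              "aud": "https://storage.azure.com/"}
    segments = [_b64url(json.dumps(part).encode()) for part in (header, claims)]
    return ".".join(segments + [""])  # empty signature segment


def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuing_tenant(token: str, resource_tenant: str):
    """Return (ok, message): ok is True only if the token came from resource_tenant."""
    claims = token_claims(token)
    tid = str(claims.get("tid", "")).lower()
    iss = str(claims.get("iss", "")).lower()
    expected = resource_tenant.lower()
    if tid == expected and expected in iss:
        return True, f"token issued by resource tenant {tid}"
    return False, f"token issued by tenant {tid or '<missing>'}, expected {expected}"


if __name__ == "__main__":
    # Guest signed in against the home tenant (the behaviour reported for dataflows).
    print(check_issuing_tenant(make_sample_token(TENANT_B), TENANT_A))
    # Sign-in performed in the resource tenant (the behaviour reported for datasets).
    print(check_issuing_tenant(make_sample_token(TENANT_A), TENANT_A))
```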