Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.

Reply
caffineaddict19
Frequent Visitor

How to call API requiring mTLS + client credential authentication?

‎12-13-2024 07:06 AM

Hi, 

 

I am looking for a way to call an API requiring mTLS + client credential and use this data source for scheduled refresh from PowerBI Service. Do I need a proxy api to present the client certificate or can I do it from within a custom connector/On Prem gateway?

 

Thanks

Labels:
Message 1 of 4
984 Views
0
1 ACCEPTED SOLUTION
FarhanJeelani
Super User
Super User

‎12-14-2024 03:59 AM

Hi @caffineaddict19 ,

To call an API requiring mTLS (mutual TLS) + client credentials authentication and set it up for scheduled refresh in Power BI Service, here’s a breakdown:

1. Using a Custom Connector (Preferred Method)

  • Create a custom Power BI connector using the Power Query SDK in Visual Studio.
  • Configure the custom connector to handle mTLS by embedding the client certificate into the connector. This requires:
    • Installing the certificate on the machine running Power BI Desktop.
    • Adding the necessary code in the connector to present the certificate when calling the API.
  • Deploy the custom connector to the On-Premises Data Gateway and enable it for Power BI Service refresh.

Key Points:

  • Ensure the custom connector handles both mTLS and token retrieval using client credentials flow.
  • Certificates need to be installed and managed securely on the gateway machine.

2. Using a Proxy API (Simpler Alternative)

  • Set up a proxy API that manages mTLS and client credential authentication.
  • The proxy acts as an intermediary: Power BI connects to the proxy (which doesn’t require mTLS), and the proxy handles authentication with the target API.
  • Use a custom connector or DirectQuery in Power BI to call the proxy API.
  • This reduces complexity in Power BI but requires maintaining the proxy.

Key Points:

  • Ensure the proxy is secure and properly authenticated.
  • Might be more manageable if the API setup or certificate rotation is complex.

3. Choosing Between the Two

  • Use a custom connector if you want to avoid the overhead of managing a proxy.
  • Use a proxy API if the mTLS setup is complex or if multiple services need to consume the same data.

4. On-Premises Data Gateway

  • Required for both methods if using a custom connector or accessing on-prem data sources.
  • Ensure the gateway supports the custom connector and is configured for scheduled refresh.

Conclusion

If you can manage mTLS and client credential flow in a custom connector, that’s the ideal solution for direct integration. However, a proxy API simplifies the setup at the cost of adding an intermediary. Both methods work with Power BI Service scheduled refresh when properly configured.

 

Please mark this as solution if it helps. Appreciate Kudos

View solution in original post

Message 2 of 4
915 Views
3 REPLIES 3
caffineaddict19
Frequent Visitor

‎12-16-2024 06:12 AM

Hi, I will look into the first option. When embedding the certificate, does that mean compiling the certificate along with the rest of the files into the .mez file? From my understanding, .mez file is a compressed folder of all the files to build the connector. If so, can I come up with a powershell script to automate the process of embedding certificates to connectors? We want to distribute the custom connector to our clients and each will host the On-prem gateway + custom connector from their machines. 

Message 4 of 4
859 Views
0
FarhanJeelani
Super User
Super User

‎12-14-2024 03:59 AM

Hi @caffineaddict19 ,

To call an API requiring mTLS (mutual TLS) + client credentials authentication and set it up for scheduled refresh in Power BI Service, here’s a breakdown:

1. Using a Custom Connector (Preferred Method)

  • Create a custom Power BI connector using the Power Query SDK in Visual Studio.
  • Configure the custom connector to handle mTLS by embedding the client certificate into the connector. This requires:
    • Installing the certificate on the machine running Power BI Desktop.
    • Adding the necessary code in the connector to present the certificate when calling the API.
  • Deploy the custom connector to the On-Premises Data Gateway and enable it for Power BI Service refresh.

Key Points:

  • Ensure the custom connector handles both mTLS and token retrieval using client credentials flow.
  • Certificates need to be installed and managed securely on the gateway machine.

2. Using a Proxy API (Simpler Alternative)

  • Set up a proxy API that manages mTLS and client credential authentication.
  • The proxy acts as an intermediary: Power BI connects to the proxy (which doesn’t require mTLS), and the proxy handles authentication with the target API.
  • Use a custom connector or DirectQuery in Power BI to call the proxy API.
  • This reduces complexity in Power BI but requires maintaining the proxy.

Key Points:

  • Ensure the proxy is secure and properly authenticated.
  • Might be more manageable if the API setup or certificate rotation is complex.

3. Choosing Between the Two

  • Use a custom connector if you want to avoid the overhead of managing a proxy.
  • Use a proxy API if the mTLS setup is complex or if multiple services need to consume the same data.

4. On-Premises Data Gateway

  • Required for both methods if using a custom connector or accessing on-prem data sources.
  • Ensure the gateway supports the custom connector and is configured for scheduled refresh.

Conclusion

If you can manage mTLS and client credential flow in a custom connector, that’s the ideal solution for direct integration. However, a proxy API simplifies the setup at the cost of adding an intermediary. Both methods work with Power BI Service scheduled refresh when properly configured.

 

Please mark this as solution if it helps. Appreciate Kudos

Message 2 of 4
916 Views
caffineaddict19
Frequent Visitor
In response to FarhanJeelani

‎03-11-2025 07:44 AM

Update: I was able to perform mTLS within customconnector/On-prem gateway. One of the paremeter called client certificate inside Web.Contents takes a thumprint of certificates stored inside the Windows Certificate Store. This certificate is presented to the server from client machine and can perform mTLS

Message 3 of 4
528 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All