Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
JakeHRogers
Frequent Visitor

Authenticate Semantic Model against Azure SQL Server using Workspace Identity

‎05-09-2025 05:38 AM

Hello,

 

Is it possible to authenticate a semantic model in a Pro workspace against an Azure SQL Server database using a Workspace Identity?

 

I have a Workspace Identity set up and want to change data credentials for my semantic model data sources (Azure SQL Server databases) to use the Workspace Identity instead of my own user credentials but not quite sure if it's possible or not as the only potentially relevant option I see is 'OAuth2', which requires an email address?

Thanks

Labels:
Message 1 of 4
356 Views
2 ACCEPTED SOLUTIONS
johnbasha33
Super User
Super User

‎05-09-2025 06:54 AM

Hi @JakeHRogers 

No, Workspace Identity cannot currently authenticate against Azure SQL databases directly.

As of now, Workspace Identity authentication in Power BI only supports:

  • Databricks (SQL & Lakehouse)

  • Azure Data Lake Storage Gen2

  • Fabric Lakehouses (internal)

Some Microsoft-hosted services like OneLake or Office365 scenarios

Why It Doesn't Work for Azure SQL:

  • Azure SQL requires either:

    • SQL Authentication (username/password)

    • Azure Active Directory (AAD) authentication, usually via OAuth2 (i.e., user or service principal).

When you try to set up OAuth2 in the Power BI Service for Azure SQL, it expects a user identity or a service principal, not the Workspace Identity.

What You Can Do Instead:

  1. Use a Service Principal (App Registration):

    • Register an Azure AD application.

    • Assign it to the Azure SQL database as an AAD user.

    • Grant it appropriate permissions.

    • In Power BI, use OAuth2 + Organizational account, and sign in using the Service Principal (with client ID/secret).

  2. Or use Managed Identity via Dataflow Gen2 (Fabric):

    • If you're working in Fabric and your model is built off a Dataflow Gen2 or Lakehouse, Workspace Identity can help upstream.

But you cannot directly connect your semantic model to Azure SQL via Workspace Identity at this time.

Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!

View solution in original post

Message 2 of 4
322 Views
v-dineshya
Community Support
Community Support

‎05-11-2025 11:30 PM

Hi @JakeHRogers ,

Thank you for reaching out to the Microsoft Community Forum.

 

In addition to @johnbasha33 , I am adding some more points.

 

1.Microsoft does support authenticating semantic models (datasets) using Managed Identities, including Workspace Identity, but this is currently only available in Premium or Fabric capacities, not in Pro workspaces.

2.In your case, since you're using a Pro workspace, this feature is not yet supported. That’s why you’re only seeing the OAuth2 option, which requires a user principal (email address) and not a managed identity.

Note: OAuth2 with email: This method uses delegated user credentials and is the default for Pro workspaces.
Workspace Managed Identity: This is a system-assigned identity tied to the workspace. It can be used to authenticate to Azure SQL Server, but only in Premium/Fabric workspaces where the feature is enabled.

3.Power BI supports Managed Identity authentication (Workspace Identity) for Azure SQL Database and Azure SQL Managed Instance, but only when the workspace is hosted in a Power BI Premium or Premium Per User (PPU) capacity.

Note: The Workspace Managed Identity is granted access to the Azure SQL database (as an AAD user).

 

Please refer Microsoft articles and blogs.

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

Support for Workspace Identity Authentication and Trusted Access to ADLS Gen2 in Semantic Models | M...

Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines  | Microsoft ...

Securing Microsoft Fabric: Best Practices for User Authentication & Authorization

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

 

If my response has resolved your query, please mark it as the Accepted Solution to assist others. Additionally, a 'Kudos' would be appreciated if you found my response helpful.

Thank you

 

View solution in original post

Message 4 of 4
252 Views
0
3 REPLIES 3
v-dineshya
Community Support
Community Support

‎05-11-2025 11:30 PM

Hi @JakeHRogers ,

Thank you for reaching out to the Microsoft Community Forum.

 

In addition to @johnbasha33 , I am adding some more points.

 

1.Microsoft does support authenticating semantic models (datasets) using Managed Identities, including Workspace Identity, but this is currently only available in Premium or Fabric capacities, not in Pro workspaces.

2.In your case, since you're using a Pro workspace, this feature is not yet supported. That’s why you’re only seeing the OAuth2 option, which requires a user principal (email address) and not a managed identity.

Note: OAuth2 with email: This method uses delegated user credentials and is the default for Pro workspaces.
Workspace Managed Identity: This is a system-assigned identity tied to the workspace. It can be used to authenticate to Azure SQL Server, but only in Premium/Fabric workspaces where the feature is enabled.

3.Power BI supports Managed Identity authentication (Workspace Identity) for Azure SQL Database and Azure SQL Managed Instance, but only when the workspace is hosted in a Power BI Premium or Premium Per User (PPU) capacity.

Note: The Workspace Managed Identity is granted access to the Azure SQL database (as an AAD user).

 

Please refer Microsoft articles and blogs.

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

Support for Workspace Identity Authentication and Trusted Access to ADLS Gen2 in Semantic Models | M...

Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines  | Microsoft ...

Securing Microsoft Fabric: Best Practices for User Authentication & Authorization

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

 

If my response has resolved your query, please mark it as the Accepted Solution to assist others. Additionally, a 'Kudos' would be appreciated if you found my response helpful.

Thank you

 

Message 4 of 4
253 Views
0
rohit1991
Super User
Super User

‎05-10-2025 04:41 AM

Hi @JakeHRogers ,

Yes, connecting to an unencrypted SQL database through an on-premises data gateway can be problematic, and what you're experiencing is consistent with current security requirements enforced by Microsoft. The gateway is designed to default to encrypted connections (using TLS/SSL) for data protection, and if your SQL Server doesn't support encryption or is configured to reject encrypted connections, the gateway connection attempt will typically fail—even if the credentials are correct.

 

While in the past there may have been unsupported workarounds through configuration changes, Microsoft now strongly recommends and essentially requires secure connections, especially in enterprise environments. Although there may not be a specific KB article that outright states unencrypted connections are blocked, official documentation and community discussions make it clear that encryption is the expected norm. The most reliable solution would be to enable encryption on your SQL Server instance, ideally with a trusted certificate, to ensure compatibility and maintain secure data transmission.

 


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
Message 3 of 4
302 Views
0
johnbasha33
Super User
Super User

‎05-09-2025 06:54 AM

Hi @JakeHRogers 

No, Workspace Identity cannot currently authenticate against Azure SQL databases directly.

As of now, Workspace Identity authentication in Power BI only supports:

  • Databricks (SQL & Lakehouse)

  • Azure Data Lake Storage Gen2

  • Fabric Lakehouses (internal)

Some Microsoft-hosted services like OneLake or Office365 scenarios

Why It Doesn't Work for Azure SQL:

  • Azure SQL requires either:

    • SQL Authentication (username/password)

    • Azure Active Directory (AAD) authentication, usually via OAuth2 (i.e., user or service principal).

When you try to set up OAuth2 in the Power BI Service for Azure SQL, it expects a user identity or a service principal, not the Workspace Identity.

What You Can Do Instead:

  1. Use a Service Principal (App Registration):

    • Register an Azure AD application.

    • Assign it to the Azure SQL database as an AAD user.

    • Grant it appropriate permissions.

    • In Power BI, use OAuth2 + Organizational account, and sign in using the Service Principal (with client ID/secret).

  2. Or use Managed Identity via Dataflow Gen2 (Fabric):

    • If you're working in Fabric and your model is built off a Dataflow Gen2 or Lakehouse, Workspace Identity can help upstream.

But you cannot directly connect your semantic model to Azure SQL via Workspace Identity at this time.

Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!

Message 2 of 4
323 Views

Helpful resources

Announcements
July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

View All