Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

To celebrate FabCon Vienna, we are offering 50% off select exams. Ends October 3rd. Request your discount now.

Reply
JakeHRogers
Frequent Visitor

Authenticate Semantic Model against Azure SQL Server using Workspace Identity

‎05-09-2025 05:38 AM

Hello,

 

Is it possible to authenticate a semantic model in a Pro workspace against an Azure SQL Server database using a Workspace Identity?

 

I have a Workspace Identity set up and want to change data credentials for my semantic model data sources (Azure SQL Server databases) to use the Workspace Identity instead of my own user credentials but not quite sure if it's possible or not as the only potentially relevant option I see is 'OAuth2', which requires an email address?

Thanks

Labels:
Message 1 of 4
793 Views
2 ACCEPTED SOLUTIONS
johnbasha33
Super User
Super User

‎05-09-2025 06:54 AM

Hi @JakeHRogers 

No, Workspace Identity cannot currently authenticate against Azure SQL databases directly.

As of now, Workspace Identity authentication in Power BI only supports:

  • Databricks (SQL & Lakehouse)

  • Azure Data Lake Storage Gen2

  • Fabric Lakehouses (internal)

Some Microsoft-hosted services like OneLake or Office365 scenarios

Why It Doesn't Work for Azure SQL:

  • Azure SQL requires either:

    • SQL Authentication (username/password)

    • Azure Active Directory (AAD) authentication, usually via OAuth2 (i.e., user or service principal).

When you try to set up OAuth2 in the Power BI Service for Azure SQL, it expects a user identity or a service principal, not the Workspace Identity.

What You Can Do Instead:

  1. Use a Service Principal (App Registration):

    • Register an Azure AD application.

    • Assign it to the Azure SQL database as an AAD user.

    • Grant it appropriate permissions.

    • In Power BI, use OAuth2 + Organizational account, and sign in using the Service Principal (with client ID/secret).

  2. Or use Managed Identity via Dataflow Gen2 (Fabric):

    • If you're working in Fabric and your model is built off a Dataflow Gen2 or Lakehouse, Workspace Identity can help upstream.

But you cannot directly connect your semantic model to Azure SQL via Workspace Identity at this time.

Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!

View solution in original post

Message 2 of 4
759 Views
v-dineshya
Community Support
Community Support

‎05-11-2025 11:30 PM

Hi @JakeHRogers ,

Thank you for reaching out to the Microsoft Community Forum.

 

In addition to @johnbasha33 , I am adding some more points.

 

1.Microsoft does support authenticating semantic models (datasets) using Managed Identities, including Workspace Identity, but this is currently only available in Premium or Fabric capacities, not in Pro workspaces.

2.In your case, since you're using a Pro workspace, this feature is not yet supported. That’s why you’re only seeing the OAuth2 option, which requires a user principal (email address) and not a managed identity.

Note: OAuth2 with email: This method uses delegated user credentials and is the default for Pro workspaces.
Workspace Managed Identity: This is a system-assigned identity tied to the workspace. It can be used to authenticate to Azure SQL Server, but only in Premium/Fabric workspaces where the feature is enabled.

3.Power BI supports Managed Identity authentication (Workspace Identity) for Azure SQL Database and Azure SQL Managed Instance, but only when the workspace is hosted in a Power BI Premium or Premium Per User (PPU) capacity.

Note: The Workspace Managed Identity is granted access to the Azure SQL database (as an AAD user).

 

Please refer Microsoft articles and blogs.

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

Support for Workspace Identity Authentication and Trusted Access to ADLS Gen2 in Semantic Models | M...

Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines  | Microsoft ...

Securing Microsoft Fabric: Best Practices for User Authentication & Authorization

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

 

If my response has resolved your query, please mark it as the Accepted Solution to assist others. Additionally, a 'Kudos' would be appreciated if you found my response helpful.

Thank you

 

View solution in original post

Message 4 of 4
689 Views
0
3 REPLIES 3
v-dineshya
Community Support
Community Support

‎05-11-2025 11:30 PM

Hi @JakeHRogers ,

Thank you for reaching out to the Microsoft Community Forum.

 

In addition to @johnbasha33 , I am adding some more points.

 

1.Microsoft does support authenticating semantic models (datasets) using Managed Identities, including Workspace Identity, but this is currently only available in Premium or Fabric capacities, not in Pro workspaces.

2.In your case, since you're using a Pro workspace, this feature is not yet supported. That’s why you’re only seeing the OAuth2 option, which requires a user principal (email address) and not a managed identity.

Note: OAuth2 with email: This method uses delegated user credentials and is the default for Pro workspaces.
Workspace Managed Identity: This is a system-assigned identity tied to the workspace. It can be used to authenticate to Azure SQL Server, but only in Premium/Fabric workspaces where the feature is enabled.

3.Power BI supports Managed Identity authentication (Workspace Identity) for Azure SQL Database and Azure SQL Managed Instance, but only when the workspace is hosted in a Power BI Premium or Premium Per User (PPU) capacity.

Note: The Workspace Managed Identity is granted access to the Azure SQL database (as an AAD user).

 

Please refer Microsoft articles and blogs.

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

Support for Workspace Identity Authentication and Trusted Access to ADLS Gen2 in Semantic Models | M...

Introducing Workspace Identity Authentication for OneLake Shortcuts and Data Pipelines  | Microsoft ...

Securing Microsoft Fabric: Best Practices for User Authentication & Authorization

Authenticate with Microsoft Fabric workspace identity - Microsoft Fabric | Microsoft Learn

 

If my response has resolved your query, please mark it as the Accepted Solution to assist others. Additionally, a 'Kudos' would be appreciated if you found my response helpful.

Thank you

 

Message 4 of 4
690 Views
0
rohit1991
Super User
Super User

‎05-10-2025 04:41 AM

Hi @JakeHRogers

 

Connecting to an unencrypted SQL database through the on-premises data gateway will usually fail because Microsoft enforces secure connections by default (TLS/SSL). If your SQL Server doesn’t support encryption or rejects encrypted connections, the gateway won’t connect even with valid credentials. In the past, some workarounds existed, but Microsoft now strongly recommends and effectively requires encrypted connections, especially in enterprise setups. The best solution is to enable encryption on your SQL Server, ideally with a trusted certificate, to ensure compatibility and secure data transmission.


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
Message 3 of 4
739 Views
0
johnbasha33
Super User
Super User

‎05-09-2025 06:54 AM

Hi @JakeHRogers 

No, Workspace Identity cannot currently authenticate against Azure SQL databases directly.

As of now, Workspace Identity authentication in Power BI only supports:

  • Databricks (SQL & Lakehouse)

  • Azure Data Lake Storage Gen2

  • Fabric Lakehouses (internal)

Some Microsoft-hosted services like OneLake or Office365 scenarios

Why It Doesn't Work for Azure SQL:

  • Azure SQL requires either:

    • SQL Authentication (username/password)

    • Azure Active Directory (AAD) authentication, usually via OAuth2 (i.e., user or service principal).

When you try to set up OAuth2 in the Power BI Service for Azure SQL, it expects a user identity or a service principal, not the Workspace Identity.

What You Can Do Instead:

  1. Use a Service Principal (App Registration):

    • Register an Azure AD application.

    • Assign it to the Azure SQL database as an AAD user.

    • Grant it appropriate permissions.

    • In Power BI, use OAuth2 + Organizational account, and sign in using the Service Principal (with client ID/secret).

  2. Or use Managed Identity via Dataflow Gen2 (Fabric):

    • If you're working in Fabric and your model is built off a Dataflow Gen2 or Lakehouse, Workspace Identity can help upstream.

But you cannot directly connect your semantic model to Azure SQL via Workspace Identity at this time.

Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!

Message 2 of 4
760 Views

Helpful resources

Announcements
September Power BI Update Carousel

Power BI Monthly Update - September 2025

Check out the September 2025 Power BI update to learn about new features.

August 2025 community update carousel

Fabric Community Update - August 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All