I'm a Power BI developer working with data stored in Microsoft Fabric Lakehouse. I connect to the Lakehouse using the SQL endpoint and publish my reports to the Power BI Service.
When setting up scheduled refreshes in the Power BI Service or connecting to the cloud data source in Fabric, I'm unsure about the best practice for authentication:
I want to ensure the setup is secure, scalable, and doesn't break if someone leaves the organization or changes roles.
Any guidance or documentation links would be greatly appreciated!
Use a non-human identity. Don’t use your personal account.
Best practice
Service principal (preferred): Enable “Allow service principals to use Power BI APIs” and allow specific security groups. Give the SPN Read/Use SQL endpoint (or Viewer) on the Lakehouse item or workspace; grant it Build on the semantic model. Store its secret in the dataset/fabric connection (OAuth2 → Service principal). Rotate the secret regularly (ideally via Key Vault).
Service account (fallback): If SPN isn’t allowed, use a dedicated Entra user account (no MFA for refresh), licensed appropriately, and placed in a group. Never tie refresh to a personal user.
Least privilege: Only grant what’s needed (no Admin/Member if not required). Scope access at the workspace or item level; avoid giving tenant-wide rights.
Operational hygiene: Set dataset owners/contacts to a group, monitor refresh with alerts/audit logs, and document the identity used so offboarding doesn’t break refresh.
Short answer: Use a service principal for scheduled refresh to the Fabric Lakehouse SQL endpoint; avoid personal accounts.
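As an added example (not part of the original answer, and not Microsoft's code), the least-privilege and "never tie refresh to a personal user" points above can be checked with a small audit. It assumes input shaped like the Power BI REST API responses for "Get Datasets In Group" and "Get Group Users"; the allow-list and all sample values are constructed.

```python
# Added audit sketch. Field names (configuredBy, isRefreshable, identifier,
# principalType, groupUserAccessRight) follow the Power BI REST API responses;
# every value below is constructed sample data.

# Hypothetical allow-list of non-human identities approved to own refresh.
APPROVED = {"svc-fabric-refresh@contoso.example",
            "11111111-2222-3333-4444-555555555555"}
OVERPRIVILEGED_ROLES = {"Admin", "Member"}

SAMPLE_DATASETS = [
    {"name": "Sales", "isRefreshable": True,
     "configuredBy": "jane.doe@contoso.example"},
    {"name": "Finance", "isRefreshable": True,
     "configuredBy": "svc-fabric-refresh@contoso.example"},
    {"name": "Static", "isRefreshable": False,
     "configuredBy": "jane.doe@contoso.example"},
]
SAMPLE_USERS = [
    {"identifier": "11111111-2222-3333-4444-555555555555",
     "principalType": "App", "groupUserAccessRight": "Admin"},
    {"identifier": "svc-fabric-refresh@contoso.example",
     "principalType": "User", "groupUserAccessRight": "Viewer"},
    {"identifier": "jane.doe@contoso.example",
     "principalType": "User", "groupUserAccessRight": "Member"},
]

def audit_workspace(datasets, users, approved=APPROVED):
    """Return sorted (check, subject, detail) findings for one workspace."""
    approved = {a.lower() for a in approved}
    findings = []
    for ds in datasets:
        owner = (ds.get("configuredBy") or "").lower()
        # Refreshable dataset configured by an identity outside the allow-list:
        # offboarding or a role change for that person can break refresh.
        if ds.get("isRefreshable") and owner not in approved:
            findings.append(("personal-owner", ds["name"], owner or "<none>"))
    for u in users:
        ident = (u.get("identifier") or "").lower()
        role = u.get("groupUserAccessRight")
        # Refresh identity holding more than it needs on the workspace.
        if ident in approved and role in OVERPRIVILEGED_ROLES:
            findings.append(("over-privileged", ident, role))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_workspace(SAMPLE_DATASETS, SAMPLE_USERS):
        print(*finding, sep="\t")
```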
Hi @aswathyjoe,
Thanks for reaching out to the Microsoft Fabric community forum. It looks like you are looking for guidance on what to choose when setting up your scheduled refreshes in PBI Service. As @VahidDM has already responded to your query, kindly go through his response and check if your query is answered.
I would also like to take a moment to thank @VahidDM for actively participating in the community forum and for the solutions you’ve been sharing in the community forum. Your contributions make a real difference.
If I have misunderstood your needs or you still have problems with it, please feel free to let us know.
Best Regards,
Hammad.