Custom connector for OAuth2 flow on public dashboa...

chenne · ‎11-19-2024

Hi. We want to enable our customers to create Power BI dashboards using data fetched from our API. We want it to be as flexible as possible, so we have created a custom connector just to fetch an access token using OAuth2, and then this can be used in advanced queries to fetch various data, e.g. like:

let
    AccessToken = NameOfDataSource.GetAccessToken(),
    Source = Json.Document(Web.Contents("http://url.to.our.api/resource", [Headers=[Authorization = "Bearer " & AccessToken]])),
    #"Converted to Table" = Table.FromRecords({Source}),
    ...

where NameOfDataSource is the name of the data source for the connector. This works great for Power BI desktop, and when using a personal gateway. However, customers don't want to setup, maintain and operate personal gateways for this purpose. Some customers even have policies preventing them from doing so. So our question is - can we not setup a non-personal gateway with the connector, which all our customers can use? We've tried, but we're not able to use the non-personal gateway as data source when creating the dashboard in Power BI desktop. And if we start our using the a personal gateway in Power BI Desktop, we're not able to change this to the non-personal gateway in the web/service version. Is it something we're misunderstanding? And is there a better way to allow our customers to create public dashboards using advanced queries - with scheduled refresh, against our API, without putting credentials in clear text into the advanced queries themselves? Thanks for your help.

adallera · ‎11-19-2024

Hi again @FarhanJeelani

Thanks a lot for your comprehensive guide. Seems like everything is already set up correctly on our side, except point 5. - I cannot find where under the Tenant Settings in the PowerBI admin portal I can enable custom connectors. Has it been moved, or is it under a different name?

Thanks again,

Andrea

FarhanJeelani · ‎11-19-2024

Hi @chenne ,

Your use case for enabling flexible Power BI dashboards while adhering to OAuth2 and scheduled refresh constraints is common, but it involves a few critical considerations with the Power BI architecture:

Key Issues in Your Current Approach:
1. Personal vs. Non-Personal Gateway:
- Personal gateways are tied to the user's Power BI Desktop session and aren't meant for shared use or production workloads.
- Non-personal (standard) gateways are designed for organizational use, but they require careful configuration to work with custom connectors.

2. OAuth2 Authentication Challenges:
- Power BI's service environment (for scheduled refresh) doesn't inherently support token acquisition flows in custom connectors during refresh. You need to implement a mechanism to persist and refresh the access token securely.

3. Credential Management:
- Storing credentials in queries is insecure. Power BI’s gateway and custom connectors allow for secure credential storage and retrieval, which is preferred.

---

Proposed Solution:

1. Implement Gateway Support for Your Custom Connector:
- Ensure Your Connector Supports Gateway Compatibility:
- In the `DataSource.Kind` definition of your custom connector, make sure to include the `SupportsDirectQuery` and `Authentication` properties.
- Example:
m

[DataSource.Kind="YourConnector", Publish="YourConnector.Publish"]
shared YourConnector.Feed = (optional credentials as record) =>
let
... // Implementation of your connector
in
Source;

YourConnector = [
TestConnection = (dataSourcePath) => { "YourConnector.Feed", null },
Authentication = [OAuth2 = []],
Label = "Your Connector"
];

- Gateway Configuration:
- Install the on-premises data gateway (standard mode) for your organization.
- Add your custom connector to the gateway folder on the gateway server. This ensures that your connector is recognized during data source setup.
- Restart the gateway service to pick up the connector.

- Data Source Setup in Power BI Service:
- Go to the Power BI Service -> Manage Gateways -> Add Data Source.
- Choose your custom connector, and configure the credentials using the OAuth2 flow.

2. Implement Token Refresh Logic:
- Modify your custom connector to manage token refresh transparently.
- Use a function to check token expiry and refresh it as needed.
- Securely store tokens using Power BI's credentials store (encrypted).

3. Enable Scheduled Refresh with Gateway:
- Once the gateway and credentials are configured, users can create dashboards in Power BI Desktop and publish them to the Power BI Service.
- Scheduled refresh should work without requiring manual token updates or personal gateways.

Addressing Customer Concerns:
1. No Need for Personal Gateways:
- The non-personal gateway setup with your custom connector eliminates the need for users to set up their own gateways.

2. Secure Authentication:
- By leveraging OAuth2 and the gateway's secure credential storage, sensitive credentials aren’t exposed in the query.

3. Flexibility in Querying:
- With advanced queries enabled in the connector, customers can fetch and manipulate data flexibly.

---

Additional Recommendations:
- Consider Power BI’s REST API for Direct Integration:
- Instead of having users define advanced queries, consider pre-building datasets or templates that use your API.
- These templates can be distributed to customers, making integration even simpler.

- Leverage Power BI Embedded for Public Dashboards:
- For public dashboards, you could use Power BI Embedded, where your application manages the token generation and refresh securely.

By implementing these steps, you can provide a seamless, secure, and scalable solution for your customers. Let me know if you need further technical details on any of the steps!

Please mark this as solution if it hepls. Appreciate Kudos.

adallera · ‎11-19-2024

Hi Farhan,

replying here in stead of chenne. This is already like our implementation, the problem we have here is that for some reason the data source from the connector (when used from powerbi desktop) doesn't match up with the one set up on powerbi Service

I can test the OAuth2 connection on the "Test" connection on powerbi service, and it works just fine. When I use the same connector (copied as a .mez file in the powerbi desktop folder) from powerbi desktop it also works fine, and I can connect through OAuth2. But when I upload the report to powerbi service, the two connection do not match up.

Anything we can do to fix that?

Thanks!

FarhanJeelani · ‎11-19-2024

Hi @adallera ,

The issue you are facing occurs when there is a mismatch between the OAuth2 authentication setup for Power BI Desktop and Power BI Service. Here's how you can troubleshoot and resolve it:

---

1. Verify the Data Source Credentials in Power BI Service
- Go to the Power BI Service and navigate to:
- Settings → Datasets → Select your dataset.
- Under Data source credentials, ensure that the OAuth2 authentication method is selected.
- If the credentials aren't properly set, re-enter them and test the connection.

---

2. Ensure the Data Connector (.mez) Is Installed in Power BI Gateway
- When using a custom connector (e.g., `.mez` file), it needs to be installed on the on-premises data gateway that Power BI Service relies on for scheduled refreshes.
- Steps:
- Place the `.mez` file in the `Custom Connectors` folder on the gateway machine:

C:\Users\<User>\Documents\Power BI Desktop\Custom Connectors

- Restart the gateway service after copying the file.

---

3. Match OAuth2 Setup Between Desktop and Service
- Issue: Power BI Desktop and Power BI Service use different environments for OAuth2 token retrieval.
- Solution: Use the same OAuth2 client ID, client secret, and token endpoint for both environments. Verify:
- The OAuth2 configuration used in the `.mez` file matches the configuration in Power BI Service.
- Both setups point to the same tenant or authentication provider (e.g., Azure AD, custom OAuth2 server).

---

4. Gateway Configuration for Custom Connectors
- If the Power BI Service relies on a gateway:
- Ensure the gateway is configured to use OAuth2 for this data source.
- In the Manage Gateways section:
- Select the gateway.
- Under the Data Source Settings, select your data source.
- Enter the credentials using OAuth2.

---

5. Enable Custom Connectors in Power BI Service
- Custom connectors are disabled by default in Power BI Service.
- To enable them:
1. Log in to the Power BI Admin Portal.
2. Under Tenant Settings, locate Custom Data Connectors.
3. Enable the setting and apply it to the appropriate security groups.

---

6. Check Authentication Scope
- Ensure the OAuth2 tokens generated by Power BI Desktop and Power BI Service have the same permissions and scopes.
- For example:
- Desktop: It works because it uses your signed-in user context.
- Service: It may fail if the token retrieved by the service lacks sufficient permissions (e.g., missing API scopes or resource access).

Solution: Adjust the OAuth2 token permissions in the authentication provider to ensure parity between the two environments.

---

7. Enable Tracing in Power BI Desktop
- Enable diagnostics to check for detailed errors when connecting via OAuth2:
1. Go to File → Options → Diagnostics.
2. Enable Tracing.
3. Retry connecting to the data source.
- Check the trace log for discrepancies in the OAuth2 setup.

---

8. Test Connection in Power BI Service
- After uploading the report to Power BI Service:
- Go to Datasets → Refresh History.
- Check the refresh failure logs for specific errors (e.g., token errors, permission issues, or mismatched endpoint URLs).

---

9. Common OAuth2 Issues and Fixes
- Token Expiry: Ensure the OAuth2 token doesn't expire too quickly. For Power BI Service, use a refresh token or configure the token endpoint to issue long-lived tokens.
- **Redirect URI Mismatch:** Verify that the redirect URI for OAuth2 matches the one expected by Power BI Service.
- Desktop: Usually `urn:ietf:wg:oauth:2.0:oob`.
- Service: Usually a specific URI like `https://app.powerbi.com`.

---

10. Last Resort: Recreate the Data Source
- If none of the above resolves the issue, try these steps:
1. Delete the dataset and data source configuration in Power BI Service.
2. Reconnect the data source in Power BI Desktop and re-upload the report.
3. Reconfigure the credentials in Power BI Service.

---

If the issue persists, share the exact error message or details from the refresh history in Power BI Service. That will help narrow down the root cause further.

abliz · ‎01-17-2025

Hello @FarhanJeelani ,

We have finally managed to set up on-premise Gateway and resolve the issue with the mismatch between PowerBI Desktop and PowerBI Service reports, thanks to your troubleshooting advice. It works now, so we can refresh data manually and configure scheduled refresh.

The next issue at hand is that the on-premise Gateway is only accessible from within our organization, so we can't provide an OAuth2 solution for our clients -- who would want to access **our** data source in **their** PowerBI Service reports -- by simply sharing a pre-configured Gateway with them. They would have to configure their own Gateway with the Custom Connector (i.e. .mez file) that we provide them. Is that right?

Can this be solved by using a VNet Gateway instead of on-premise Gateway for the purpose of providing OAuth2 authentication for our clients in their reports?

SaiTejaTalasila · ‎01-17-2025

Hi @chenne ,

A VNet Gateway is not suitable for your scenario due to its focus on Azure Virtual Networks and lack of support for custom connectors or OAuth2 token management.

The most appropriate solutions are:

Certified Custom Connector (best long-term approach).

On-Premises Data Gateway for immediate support of your custom connector.

Preprocessed Data in Azure or APIM for simplified data access.

Thanks,

Sai Teja

Custom connector for OAuth2 flow on public dashboard

Helpful resources

Power BI Monthly Update - November 2025

Fabric Data Days

FabCon Atlanta 2026

FabCon is coming to Atlanta

Custom connector for OAuth2 flow on public dashboard

Helpful resources

Power BI Monthly Update - November 2025

Fabric Data Days

FabCon Atlanta 2026