
Power BI Service – OAuth2 Databricks Authentication Failing After Tenant Migration

Hi,

 

We are working on a Power BI migration from INFY to TATA.
I have a user TATA.nato@tata.com.
a. I am able to connect to Azure Databricks using Power BI Desktop in the INFY tenant.

b. I am logged in as TATA.nato@tata.com and switched to tenant INFY.
But when I come to Power BI Service, it gives an error when logging in with OAuth2.

Failed to update data source credentials: [Microsoft][ThriftExtension] (14) Unexpected response from server during a HTTP connection: Unauthorized/Forbidden error response returned, but no token expired message received.
Status code: 400

Any help would be appreciated.

Note:
Earlier I was able to connect with the email ID TATA.nato@TATA.onmicrosoft.com.
Over the weekend they changed the user ID to TATA.nato@TATA.com.

 

Thank you.

1 ACCEPTED SOLUTION
tayloramy
Memorable Member

Hi @YashikaAgrawal

 

It's very likely the OAuth token that Power BI Service is presenting to Azure Databricks is for the wrong directory (INFY) or tied to your old UPN, so Databricks rejects it and you see the ThriftExtension(14) Unauthorized/Forbidden error. Two things changed in your scenario that commonly trigger this: (1) you're authenticating as a guest in a different tenant, and (2) your UPN changed from ...@TATA.onmicrosoft.com to ...@TATA.com, invalidating cached credentials. Power BI's Azure Databricks connector uses Entra ID (Azure AD) OAuth, and the token must be issued in the Databricks workspace's tenant and for a principal that has access to the SQL warehouse and Unity Catalog objects (connector overview, Power BI with Azure Databricks).

Try this quick fix path:

  1. Re-authenticate in the correct tenant (TATA) in Service
    Power BI Service -> Dataset -> Settings -> Data source credentials -> Edit credentials.
    Pick OAuth2 -> Organizational account, and when the Microsoft sign-in pops, switch directory to TATA before completing sign-in (an InPrivate/Incognito window often helps ensure the directory switch takes effect).
    Docs: switch organizations, Databricks connector auth types.
  2. Purge stale credentials tied to the old UPN
    In Desktop: File -> Options and settings -> Data source settings -> Global/Current file -> Clear Permissions for Azure Databricks, then republish.
    In Service: re-enter credentials on the dataset as above. UPN changes are known to break app sign-ins until you rebind creds (UPN change considerations).
  3. Verify access in Databricks
    Confirm the new user TATA.nato@tata.com exists in the TATA Databricks workspace and has:
    • CAN USE on the target SQL Warehouse, and
    • SELECT/USE on the relevant Unity Catalog objects.
    Reference: Unity Catalog privileges.
  4. If cross-tenant OAuth is still blocked
    Ask the Databricks account admin in TATA to ensure the Power BI partner OAuth app is enabled for the account (it is on by default, but some orgs disable it): enable/disable partner OAuth apps.
  5. More durable option for scheduled refresh: use a service principal (M2M OAuth) instead of a human UPN so tenant switches / UPN changes don't break refresh:
    Set up Databricks service principal + OAuth secret, grant it UC/warehouse permissions, then authenticate the dataset with it in Service. Docs: Configure service principals (M2M) for Power BI, Databricks OAuth M2M.

If you rebind the credentials in the TATA directory and confirm permissions, the 400/Unauthorized typically disappears.

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, please mark this as the solution.
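
The tenant and UPN mismatch described in the accepted answer can be confirmed by reading the claims of an Entra ID access token issued to the same account for Azure Databricks. This is an added example, not part of the original post; the function names are hypothetical, and the tenant IDs and sample tokens are constructed placeholders.

```python
import base64
import json

# Microsoft's documented resource (application) ID for Azure Databricks.
AZURE_DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"


def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(jwt, workspace_tenant_id, expected_upn):
    """List the claim mismatches that would make Databricks reject the token."""
    c = decode_claims(jwt)
    findings = []
    if str(c.get("tid", "")).lower() != workspace_tenant_id.lower():
        findings.append(f"wrong tenant: tid={c.get('tid')}")
    if c.get("aud") != AZURE_DATABRICKS_RESOURCE_ID:
        findings.append(f"wrong audience: aud={c.get('aud')}")
    upn = c.get("upn") or c.get("preferred_username") or c.get("unique_name") or ""
    if upn.lower() != expected_upn.lower():
        findings.append(f"unexpected principal: {upn or '<none>'}")
    return findings


def make_sample(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    return f"{header}.{enc(claims)}.sig"


# Constructed placeholders, not real tenant IDs.
TATA_TID = "11111111-1111-1111-1111-111111111111"
INFY_TID = "22222222-2222-2222-2222-222222222222"
STALE = make_sample({"tid": INFY_TID, "aud": AZURE_DATABRICKS_RESOURCE_ID,
                     "upn": "TATA.nato@TATA.onmicrosoft.com"})
REBOUND = make_sample({"tid": TATA_TID, "aud": AZURE_DATABRICKS_RESOURCE_ID,
                       "upn": "TATA.nato@TATA.com"})

if __name__ == "__main__":
    for name, token in (("stale", STALE), ("rebound", REBOUND)):
        print(name, diagnose(token, TATA_TID, "TATA.nato@tata.com") or "claims OK")
```

The decode step skips signature validation, so it is suitable for troubleshooting which directory and principal a token was issued for, not for making authorization decisions.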
