MorelG
Frequent Visitor

Semantic model ownership in a large organization

Dear community,

I have a question regarding the ownership of semantic models in a large organization. Currently, all our semantic models are owned by individual users, even those that are placed in "Production" workspaces.

Now, let's consider the following scenarios:

  1. When a user leaves the organization, the scheduled refreshes of their models start to fail.
  2. Cloud connections are mostly linked to the owner's personal account.

What is the recommended approach to avoid these kinds of situations?

2 ACCEPTED SOLUTIONS
sergej_og
Super User

Give permissions on the affected workspace(s) to users remaining in the company.
Those users can "take over" the semantic models and afterwards (hopefully) renew the personal user-based cloud connections without issues. To renew personal user-based auth they need access to the sources, of course.
It depends on how you have designed your access policies.

Regards.

3CloudThomas
Super User

This is a similar issue with large on-premises analysis service systems.

Do not have the ownership as a user.

Instead, create a 'service account' in Azure Active Directory (I think it is called Entra ID now) that a Power BI administrator has the password for. You need to assign a Power BI Pro license to this new user. Log in to app.powerbi.com with the 'service account' credentials and Take Over by this user. Now, you need to have the 'service account' granted permissions to data sources in order to refresh the data.

If a normal user deploys a new model, it will overwrite the model but not the credentials.

Some people might say use a service principal, but service principals cannot be granted access to data sources, so you are still stuck with the same problem. Others might say to use credentials in a Data Gateway; still use a 'service account' for this.

6 REPLIES
What if you now have MFA? This limits the access of the service account to only one user. Does anyone know of a solution for this? (Or is this just job security?)

We had some cases of "Microsoft Auth token refresh" which forced many of the model owners to refresh their credentials. I presume this would impact the service accounts too. Can such credential refresh be scripted for all datasets owned by a user or service account?

The service account would have to have the MFA turned off. The IT Security or Infrastructure team would manage the credentials to ensure no one uses the service account for anything else but the connection and semantic model ownership.

@3CloudThomas, @sergej_og, Thank you, guys! Both of your answers confirmed our thoughts. We now need to decide whether to create 'technical accounts' and determine how many of these accounts we need, considering the cost of the PRO license. Alternatively, we could continue using personal accounts as owners, but we would need to establish proper governance for individuals who leave the organization.
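
An ownership audit for the governance option discussed in this thread, as an added example that is not part of any post: it flags refreshable models whose owner account is disabled or missing, and production models still owned by a personal account. The inventory and directory records are constructed, and the field names (`configuredBy`, `isRefreshable`, `workspace`, `enabled`, `type`) and the "Production" naming convention are assumptions.

```python
from collections import defaultdict

# Constructed inventory; field names are assumptions modelled on a dataset export.
INVENTORY = [
    {"name": "Sales", "workspace": "Finance - Production",
     "configuredBy": "alice@contoso.example", "isRefreshable": True},
    {"name": "Churn", "workspace": "Marketing - Production",
     "configuredBy": "bob@contoso.example", "isRefreshable": True},
    {"name": "HR Headcount", "workspace": "HR - Production",
     "configuredBy": "svc-pbi-refresh@contoso.example", "isRefreshable": True},
    {"name": "Sandbox", "workspace": "Alice - Dev",
     "configuredBy": "alice@contoso.example", "isRefreshable": True},
    {"name": "Static Lookup", "workspace": "Finance - Production",
     "configuredBy": "carol@contoso.example", "isRefreshable": False},
    {"name": "Ops KPIs", "workspace": "Ops - Production",
     "configuredBy": "Dave@contoso.example", "isRefreshable": True},
]

# Constructed directory snapshot: lower-cased sign-in name -> account state.
DIRECTORY = {
    "alice@contoso.example": {"enabled": True, "type": "user"},
    "bob@contoso.example": {"enabled": False, "type": "user"},  # has left
    "svc-pbi-refresh@contoso.example": {"enabled": True, "type": "service"},
}

def audit_ownership(inventory, directory, prod_marker="production"):
    """Return (model, owner, finding) tuples for models that need a new owner."""
    findings = []
    for ds in inventory:
        if not ds.get("isRefreshable"):
            continue  # no scheduled refresh, so nothing breaks when the owner goes
        owner = (ds.get("configuredBy") or "").lower()
        account = directory.get(owner)
        if account is None or not account["enabled"]:
            findings.append((ds["name"], owner, "ORPHANED"))
        elif prod_marker in ds["workspace"].lower() and account["type"] != "service":
            findings.append((ds["name"], owner, "PERSONAL_OWNER_IN_PROD"))
    return findings

def group_by_owner(findings):
    """Group flagged models per owner to size the take-over work."""
    grouped = defaultdict(list)
    for name, owner, finding in findings:
        grouped[owner].append((name, finding))
    return dict(grouped)

if __name__ == "__main__":
    for owner, models in group_by_owner(audit_ownership(INVENTORY, DIRECTORY)).items():
        print(owner, models)
```
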
