Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
Anonymous
Not applicable

Use a Service Principal to deploy a PowerBI report against Databricks OAuth with Direct Query

I am using a Service Principal to deploy a PowerBI report with a DirectQuery dataset connected to a Databricks SQL endpoint. This is in a deployment pipeline. When the report is run, I want it to pass the current user credential through to Databricks (I have row-based security in play within Databricks, which is why I am using Direct Query)

 

I am seeing inconsistent behavior between when deploying with my service principal (which has all the required accesses - it can deploy the report), and when I deploy with a user account instead of the SP.

 

When I deploy the report with the Service Principal, I am getting a "missing credential" error message when trying to access the deployed report:

joon_0-1643722009200.png

 

When I query the dataset credentials using the PowerBI API just after deployment, the "useEndUserOAuth2Credentials" property on the dataset credential is false:

joon_2-1643723847221.png

 

If I then navigate to the dataset settings page, and take over the dataset with my interactive AAD user credential (i.e. not the service principal), the report works fine without me setting any OAuth settings - the default OAuth option after takeover is the "Report Viewers can only access this datasource with their own identities...", which is what I want. This is the dataset credentials after I've taken over the dataset.

joon_1-1643723642072.png

 

When I deploy with my user account, the report loads and works as expected. Qurying the dataset credentials shows that the useEndUserOAuth2Credentials is set to true. Here's the full Powershell session deploying the report and reading the dataset credential: 

joon_3-1643724369856.png

 

This looks like a bug in deploying with a Service Principal, but I would like to confirm that before logging a support ticket.

 

My questions are as follows:

  • In general, can I use a service principal to deploy a PowerBI Dataset, with DirectQuery, where the report viewers OAuth identities need to be used in the directquery?
  • If so, how? Is there an example?
  • Is this supported for Databricks?

 

5 REPLIES 5
Mihana
Microsoft Employee
Microsoft Employee

Please refer to this documentation and update the credential for DirectQuery.

Configure credentials programmatically for Power BI embedded analytics - Power BI | Microsoft Learn

data_turke
New Member

Was this issue resolved , am trying to peform the same without taking over dataset . please update

PeaBeeEye
Microsoft Employee
Microsoft Employee

Have you tried to update the data source via the REST API after publishing? 

 

Gateways - Update Datasource - REST API (Power BI Power BI REST APIs) | Microsoft Docs

Anonymous
Not applicable

I have tried that, it doesn't work (or at least I couldn't construct a message that would work).

 

When comparing the working dataset (deployed with a user account) and the broken one pre-takeover (deployed with a service principal), the differences are the CredentialType and CredentialDetails\useEndUserOAuth2Credentials properties. When I try and patch them in I get a PowerShell error:

joon_0-1643728038221.png

 

Tracing the error using Fiddler shows this error body (note that no type is mentioned):

"{"error":{"code":"InvalidRequest","message":"Property useEndUserOAuth2Credentials is only supported with credentials of type and datasource type of Extension"}}"

Anonymous
Not applicable

Hello

Did you set-up oauth app additionally? Or is it not required? Was the service principal issue resolved?

Helpful resources

Announcements
September Hackathon Carousel

Microsoft Fabric & AI Learning Hackathon

Learn from experts, get hands-on experience, and win awesome prizes.

Top Solution Authors