Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Learn from the best! Meet the four finalists headed to the FINALS of the Power BI Dataviz World Championships! Register now

Reply
db042190
Post Prodigy
Post Prodigy

hoping to get some clarity on service principal use in non expiring pbi behavior

‎09-02-2025 10:46 AM

Hi i just reread dinesh's excellent post at https://community.fabric.microsoft.com/t5/Service/2-of-3-steps-done-for-non-expiring-id-in-pbi/m-p/4... more closely.   Can he or the community shed a bit more light?   We have a non expiring AD id (i think what dinesh calls a managed or user acct) being used as creds to alleviate the normal credential expiration issues in pbi.   We want to take this to the next level so that upon report/dashboard republishing  by our users, existing connections (semantic model conns) dont get broken.

 

Is Dinesh saying our current non expiring AD ID cant be leveraged to do this (ie be a service principal also) in option 1 or 2?  Or it can   by simply adding a secret or cetificate to Azure?  If we arent interested in embedded or api, and we already have pro licenses and gateway admin cooperation, do we need anything else like Azure key vault (possibly at the cost schedule shown there)?  Do i understand that key vault's value is "safe keeping" but not exactly required to do all this?   I apologize, this became confusing to me and i'm trying to beter understand.

 

without embedded and api, options 1 and 2 seem identical to a company where every employee has pro anyway, and we have the cooperation of the gateway admins.

Labels:
Message 1 of 16
1,044 Views
0
1 ACCEPTED SOLUTION
v-agajavelly
Community Support
Community Support
In response to db042190

‎09-10-2025 09:21 PM

Hi @db042190 ,

We ran into this exact situation recently, so I wanted to share what we learned in case it helps others.

1.If I assign a secret or cert to a non-expiring Azure AD user, is it now a Service Principal?

Nope. A user account stays a user account even if you assign a secret or cert to it. A Service Principal (SP) is something different: it’s created through an App Registration in Azure AD (now Microsoft Entra ID). That SP is tied to an application identity, not a human user. So you can’t “convert” a user into an SP just by adding a secret.

If you want a true SP, you’ll need to.

  • Register a new app in Azure AD
  • Generate a client secret or certificate
  • Use that app’s identity (App ID + secret/cert) to authenticate

2.If we’re already using that user ID in Power BI dashboards, and we “make it an SP,” will republishing still work without breaking anything?

If you’re still using the same user account (not a real SP), and you just added a secret or cert to it, then yes your dashboards should continue to work as long as.

  • The user still has access to the datasets/workspaces
  • The credentials haven’t expired
  • Nothing else (like tenant settings or gateway configs) has changed

So in that case, your next republish should go through without needing to reset the connection or involve IT.

But, if you switch to a real SP (App Registration), then you’ll likely need to.

  • Update the data source credentials in Power BI
  • Possibly rebind the dataset or update the gateway connection
  • Make sure the SP has the right permissions

Final suggestion's from my end.

You're absolutely right that managing cert/secret expiration is a tradeoff. But if you stay ahead of it, it’s worth it for the smoother experience and better security. Just be clear on whether you're sticking with a user account or moving to a true SP because Power BI treats them very differently.

Regards,
Akhil.

View solution in original post

Message 11 of 16
707 Views
0
15 REPLIES 15
v-agajavelly
Community Support
Community Support

‎09-14-2025 11:35 PM

Hi @db042190 ,

Have you had a chance to review the suggestions shared earlier? If yes, please let us know your progress. If not, kindly share where you’re facing challenges we’re happy to assist you further.

Regards,
Akhil.

Message 15 of 16
627 Views
0
db042190
Post Prodigy
Post Prodigy
In response to v-agajavelly

‎09-29-2025 09:27 AM

still no response (afaik) to my 9/15 request for clarity.   

Message 16 of 16
512 Views
0
v-agajavelly
Community Support
Community Support

‎09-09-2025 09:34 PM

Hi @db042190 ,

Just checking back in did the details shared above help clarify your questions around Key Vault and service principal setup? Let us know if you were able to try this out or if you’re running into anything else, happy to help further.

Regards,
Akhil.

Message 13 of 16
734 Views
0
db042190
Post Prodigy
Post Prodigy
In response to v-agajavelly

‎09-10-2025 06:59 AM

looking at this now.    bear with me.

Message 14 of 16
722 Views
0
v-agajavelly
Community Support
Community Support

‎09-07-2025 11:33 PM

Hi @db042190 ,

Hey As asked from you,
1. Is Azure Key Vault required, or just recommended?

Azure Key Vault is not strictly required, but it is highly recommended. It offers secure storage of credentials like client secrets and enables automated certificate rotation. So while you could store secrets directly in Azure AD, leveraging Key Vault will improve security and manageability. bellow is the official document.
Azure Key Vault Overview - Azure Key Vault | Microsoft Learn
2. Are there additional steps after creating the SP?

Once the SP is created and given a secret or certificate.

  • Ensure the SP has been granted the necessary API permissions in Azure AD.
  • The SP must be assigned sufficient access to relevant Power BI workspaces or semantic models.
  • Optional but recommended: store the SP credentials in Azure Key Vault instead of hardcoding.

bellow is the official document.
Create Azure service principals using the Azure CLI | Microsoft Learn
Use Azure service principals with Azure PowerShell | Microsoft Learn


Please let us know if you have any other further queries on issue. happy to help you.

Regards,
Akhil.

Message 9 of 16
786 Views
0
db042190
Post Prodigy
Post Prodigy
In response to v-agajavelly

‎09-10-2025 07:15 AM

thx Akhil, i can only ask this in my own words before reading the docs ...1) after a cert or secret is assigned to a non expiring USERID in azure, is it (the userid) officially a service principal?,  2) if we dont use api's currently, and dont care about cli and powershell right now,  and that USERID is ALREADY the credential we use in a handful of pbi dashboards, and that userid was made an SP,  can we assume there are no more steps required before the next re publish by our user on one of those  dashboards works seamlessly without breaking the report? ie he doesnt have to contact IT to reset the connection.   ie the type (i think there are a few options ) of authorization used on such a dashboard need not change prior to the next re publish.  

 

we already get that there is maintenance going forward on expiring certs and / or secrets  in azure but we believe at the moment that is worth the price if we stay ahead of the game when it comes to a smoothe experience for our users going forward.

Message 10 of 16
719 Views
v-agajavelly
Community Support
Community Support
In response to db042190

‎09-10-2025 09:21 PM

Hi @db042190 ,

We ran into this exact situation recently, so I wanted to share what we learned in case it helps others.

1.If I assign a secret or cert to a non-expiring Azure AD user, is it now a Service Principal?

Nope. A user account stays a user account even if you assign a secret or cert to it. A Service Principal (SP) is something different: it’s created through an App Registration in Azure AD (now Microsoft Entra ID). That SP is tied to an application identity, not a human user. So you can’t “convert” a user into an SP just by adding a secret.

If you want a true SP, you’ll need to.

  • Register a new app in Azure AD
  • Generate a client secret or certificate
  • Use that app’s identity (App ID + secret/cert) to authenticate

2.If we’re already using that user ID in Power BI dashboards, and we “make it an SP,” will republishing still work without breaking anything?

If you’re still using the same user account (not a real SP), and you just added a secret or cert to it, then yes your dashboards should continue to work as long as.

  • The user still has access to the datasets/workspaces
  • The credentials haven’t expired
  • Nothing else (like tenant settings or gateway configs) has changed

So in that case, your next republish should go through without needing to reset the connection or involve IT.

But, if you switch to a real SP (App Registration), then you’ll likely need to.

  • Update the data source credentials in Power BI
  • Possibly rebind the dataset or update the gateway connection
  • Make sure the SP has the right permissions

Final suggestion's from my end.

You're absolutely right that managing cert/secret expiration is a tradeoff. But if you stay ahead of it, it’s worth it for the smoother experience and better security. Just be clear on whether you're sticking with a user account or moving to a true SP because Power BI treats them very differently.

Regards,
Akhil.

Message 11 of 16
708 Views
0
db042190
Post Prodigy
Post Prodigy
In response to v-agajavelly

‎09-15-2025 06:07 AM

thx Akhil,  regarding

 

db042190_0-1757941357847.png

 

it sounds like you are saying i dont need an sp to mitigate the conn breaking on next republish.  That a regular id with secret or cert would work just as well.    But isnt it true that if one of our users who isnt an admin republishes his own report that already uses that non sp that now has a cert or secret , that action will break the conn ?   That the only way for the conn not to break and for him to be allowed to republish without knowing the non sp pswd is that it has to an sp?     I'm doing my best, sorry. 

Message 12 of 16
617 Views
0
GilbertQ
Super User
Super User

‎09-02-2025 03:08 PM

Hi @db042190 

 

What I would recommend is that very soon all user accounts will need to have Multi Factor enabled. What this means is that when the token expires or has to be re-authenticated you will not only need the password but also the multi factor code. This has to be inputted.

 

While using a service principal it will not require multi factor and is the recommened path!





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 5 of 16
944 Views
0
db042190
Post Prodigy
Post Prodigy
In response to GilbertQ

‎09-02-2025 03:20 PM

thx Gilbertq.   Im not sure that addresses the question of republishing breaking conns etc on which non expiring ids are already being uised.   And whether non expiring ids can also be service principals.   But thank you.

Message 6 of 16
940 Views
0
GilbertQ
Super User
Super User
In response to db042190

‎09-02-2025 03:53 PM

Hi there,

 

As far as I'm aware, when republishing it should not break existing connections when using service principles. The other option is to test it out with an existing test model to make sure it works as expected.





Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 7 of 16
915 Views
0
db042190
Post Prodigy
Post Prodigy
In response to GilbertQ

‎09-04-2025 05:10 AM

Gilbertq, the question is whether the existing userid can simply be turned into a service principal by giving it a secret or certificate in azure.  We already know getting this right will prevent conns from breaking on republish.   The other 2 underlying questions atre 1) do we really need the vault feature too, 2) is there another step after the secret or cert is associated, maybe an atrtribute (auth type?) on the existing semantic model conns themselves, the conns that already use this non expiring id to generate pbi dashboards and reports.   the reason its not so simple and we cant simply "test" ,for us ,is that we have to get other people involved in doing this and cant send them on wild goose chases.   

Message 8 of 16
851 Views
0
collinq
Super User
Super User

‎09-02-2025 12:21 PM

Hi @db042190 ,

In the interest of getting the attention of @v-dineshya I have added them here! 

 




Did I answer your question? Mark my post as a solution!

Proud to be a Datanaut!
Private message me for consulting or training needs.




Message 2 of 16
990 Views
0
db042190
Post Prodigy
Post Prodigy
In response to collinq

‎09-02-2025 01:04 PM

thank you collinq.

Message 3 of 16
968 Views
0
db042190
Post Prodigy
Post Prodigy
In response to db042190

‎09-02-2025 03:25 PM

I'd like to clarify one other item.   Lets say the existing id can also be a service principal.   And mostly what needs to be done to do that is to add a secret or certificate to that id in azure.   Will those reports that already use our nonexpiring/elevated id magically just stop breaking conns when republished by our users?  or do we need to perhpas re enter the id and/or set a settings attribute (maybe type of auth) differently or maybe create a different conn?

Message 4 of 16
933 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

Share feedback directly with Fabric product managers, participate in targeted research studies and influence the Fabric roadmap.

February Power BI Update Carousel

Power BI Monthly Update - February 2026

Check out the February 2026 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All