Our BI team is trying to add a cloud connection in the PowerBI control center and is getting an error.
The current working method is to use OAuth 2.0 and enter the developer's credentials; however, this is not ideal for many reasons, so they would like to use a Service Principal. We set up an enterprise app in Azure and created a client secret. For testing purposes, we added Sites.FullControl.All Application permissions and have granted Admin Consent.
We also enabled the "Service principals can use Fabric APIs" setting for the entire organization in PowerBI Admin Portal - Tenant Settings - Developer Settings.
When we attempt to add the connection under Settings - Manage connections and Gateways - Connection, we get the following error - Unable to create connection for the following reason: Invalid connection credentials.
I think you need to check application permissions first to ensure that the Service Principal has the necessary permissions. As you had assigned Sites.FullControl.All, would you like to double-check if this is sufficient for your case? If you are accessing specific sites, you may need Sites.Read.All or Sites.ReadWrite.All permissions as well, and they should be granted in the Azure Active Directory Admin Center, and verify the Admin Consent.
Second thing, you should provide the root url of your SharePoint Site like https://yourtenant.sharepoint.com/sites/your-site
Best regards,
Ash
If this post helps you then please Accept it as Solution to help other members find it. Appreciate your Kudos!
I think you might lack a step to provide the service principal with specific permissions in the SharePoint site. Just like if a user wants to access a SharePoint site, they should be added as owner or member in the site. A service principal should be added to the SharePoint site and granted specific permissions too.
However, service principals are typically used for app-only access rather than being added as site members or owners in the traditional sense. You could try the methods provided in these threads or blogs below to give it permission on the SharePoint site.
Service principal access to sharepoint online - Microsoft Q&A
How to connect SharePoint online using service principal? - Microsoft Q&A
Setting up SharePoint app-only principal with App Registration
(To be honest, I have tried some of these methods but still failed to authenticate with the service principal. I don't have much experience with SharePoint, so I'm not sure if I have made some wrong operations or the approaches might be ineffective.)
I hope my direction would be correct. If not, please correct me.
Best Regards,
Jing
If this post helps, please Accept it as Solution to help other members find it. Appreciate your Kudos!
As far as I know, you should not have to give the service principal permissions in the SharePoint site if you use Sites.FullControl.All. This should only be necessary when you use Sites.Selected. The steps to give the service principal access to a specific site can be found here: https://marczak.io/posts/2023/01/sharepoint-graph-and-azure-sp/
Thanks for this great link. This solves a few problems I have been having with managing permissions on SharePoint sites.
Hi, based on the URL in the last screenshot, you do not create a connection for a SharePoint site, but the whole SharePoint tenant. Can you try to change the URL to the site you are trying to connect to? The URL should look something like this: https://TENANT_NAME.sharepoint.com/sites/SITE_NAME
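An added example, not code from any poster in this thread: a Python check that decodes the `roles` claim of an app-only access token to show which Sites.* application permissions were actually consented, and tests whether a connection URL targets a single site rather than the tenant root. The token is constructed inline, its signature is not verified (inspection only), and all function names are hypothetical.

```python
import base64
import json
from urllib.parse import urlparse

# Tenant-wide SharePoint application permissions named in this thread.
TENANT_WIDE = {"Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str) -> dict:
    """Summarise the SharePoint application permissions carried by the token."""
    roles = set(jwt_claims(token).get("roles", []))
    site_roles = {r for r in roles if r.startswith("Sites.")}
    broad = site_roles & TENANT_WIDE
    return {
        "site_roles": sorted(site_roles),
        "tenant_wide": sorted(broad),  # candidates to replace with Sites.Selected
        # Sites.Selected alone grants nothing until a per-site permission is added.
        "needs_site_grant": "Sites.Selected" in site_roles and not broad,
        "consent_missing": not site_roles,  # no Sites.* role reached the token
    }


def is_site_url(url: str) -> bool:
    """True for https://TENANT.sharepoint.com/sites/NAME, False for the tenant root.
    Assumption: only the /sites/ form shown in the thread is accepted."""
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    return (u.scheme == "https"
            and (u.hostname or "").endswith(".sharepoint.com")
            and len(parts) >= 2 and parts[0] == "sites")


def make_sample_token(roles: list) -> str:
    """Build a constructed, unsigned token for offline testing."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"aud": "https://graph.microsoft.com", "roles": roles}).encode())
    return f"{header}.{body}.constructed-signature"
```

Run `audit_token` on a token acquired with the client-credentials flow for the app registration; an empty `site_roles` list means admin consent has not taken effect for that token.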