That Blue Cloud

Fabric Dataflows Now Support Service Principal Authentication

You can now use Azure AD (Microsoft Entra ID) Service Principals in Fabric Dataflows when connecting to various Azure and web resources, including Synapse Analytics, ADLS Gen2, Azure Blob Storage and Microsoft Dataverse.

One of the weak points of Fabric compared to Synapse Analytics is that it didn't support Service Principal or Managed Identity authentication when connecting to third-party sources.

Fabric now supports Service Principal authentication. You can connect to an Azure resource using a Tenant ID, a Client ID, and the Service Principal Key (Client Secret). The following Azure resources are supported:

  • Azure Synapse Analytics
  • Azure SQL Database
  • Azure Data Lake Store Gen2 & Gen1
  • Azure Blob Storage
  • Web (through Web activity)
  • Microsoft Dataverse (and subsequently to Dynamics 365)
  • SharePoint Online

What does this mean for you?

Previously, you needed to use your Organisation Account, which would act on your behalf to accomplish tasks within your specific Workspace permissions, or you needed to use alternative methods. Here are some examples of how your authentication experience changes:

  • Azure Blob Storage: Instead of account keys or SAS tokens, you can now use Azure AD auth, which lets you use the RBAC model and the Blob Data Reader/Contributor roles.
  • ADLS Gen2: Same as Blob Storage, but now you can also apply POSIX rules to your Azure AD credential.
  • Azure SQL Database: Instead of a SQL user or the current user's Azure AD credentials, you can now use GRANTs on Azure AD Service Principals.
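
To make the Azure SQL Database point concrete, here is an added example (not from the original post or from Microsoft's announcement) of granting a Service Principal read access to a single schema and then reviewing what it holds. The principal name `fabric-dataflow-sp` and the schema `sales` are hypothetical placeholders.

```sql
-- Added example. Run inside the target user database (not master),
-- connected as a Microsoft Entra ID admin of the logical server.
-- [fabric-dataflow-sp] is a hypothetical app registration display name,
-- [sales] is a hypothetical schema; substitute your own.

-- 1. Create a contained database user mapped to the Service Principal.
CREATE USER [fabric-dataflow-sp] FROM EXTERNAL PROVIDER;

-- 2. Grant read access on one schema only, rather than adding the
--    principal to db_datareader for the whole database.
GRANT SELECT ON SCHEMA::[sales] TO [fabric-dataflow-sp];

-- 3. Review every permission the principal holds directly.
--    Expect CONNECT on the database plus SELECT on the schema.
SELECT pr.name,
       pr.type_desc,              -- EXTERNAL_USER for an Entra ID principal
       pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       CASE WHEN pe.class_desc = 'SCHEMA'
            THEN SCHEMA_NAME(pe.major_id)
       END AS schema_name
FROM sys.database_principals AS pr
LEFT JOIN sys.database_permissions AS pe
       ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'fabric-dataflow-sp';

-- 4. Check it has not picked up broader access through role membership.
--    An empty result means no database roles are assigned.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'fabric-dataflow-sp';
```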

Here's a screenshot from Dataflows Gen2 for the Blob Storage connection that I captured:

Fabric Dataflow Gen2, connecting to an Azure Blob Storage using Service Principal Auth

Cross-tenant connectivity

Whilst this is exciting for better security, it also unlocks another possibility: you can now connect to Azure resources on other tenants using Azure AD authentication. If you have a multi-tenant organisation or you're working with multiple clients, you can connect to the resources under another tenant through the Tenant ID field of the Service Principal authentication type.

Here's the link for Microsoft's announcement for further details:

Service principal support to connect to data in Dataflow, Datamart, Dataset and Dataflow Gen 2 | Microsoft Fabric Blog | Microsoft Fabric
Today I am very excited to announce that Azure service principal has been added as an authentication type for a set of data sources that can be used in Dataset, Dataflow, Dataflow Gen2 and Datamart.  Azure service principal is a security identity that is application based and can be assigne…

What do you think about the expanded Azure AD support in Fabric? What other pain points will it relieve in your organisation? Let us know in the comments.


Harun Legoz


I’m a cloud solutions architect with a coffee obsession. I have been building apps and data platforms for over 18 years, and I also blog on Azure & Microsoft Fabric. Feel free to say hi on Twitter/X!
