Connecting to Azure Synapse Analytics Using Service Principal
To connect to Azure Synapse Analytics using Service Principal authentication, you'll need an application (client) ID and secret from Azure App registration. This setup requires specific configurations and might need assistance from your organization's Azure or Network administrator.
Setting up Service Principal in Azure Portal
1. Access App Registrations
- Sign in to the Azure portal
- Navigate to the "App registrations" section
2. Create New Registration
- Select "New registration"
- Provide a name for the application (we recommend using "Dataedo Integration")
- Under "Supported account types", choose "Accounts in this organizational directory only" (single tenant)
- Select "Register"
3. Collect Application Information
Once registration is complete, note down these essential values:
- Application (client) ID
- Directory (tenant) ID
You'll need these values when configuring your Dataedo connection.
4. Create Client Secret
- In the left menu, select "Certificates & secrets"
- Click "New client secret"
- Enter a meaningful description
- Choose an expiration period
Note: Remember that if you set an expiration date, you'll need to generate a new secret before it expires to maintain your Dataedo integration.
- Select "Add"
- Important: Make sure to copy the secret value immediately, as it won't be visible once you leave this page
Granting Database Access
After collecting the required credentials, follow these steps to set up database access:
1. Configure Database Permissions
- Connect to your Azure Synapse Analytics workspace using an administrative account
- Execute the following T-SQL command:
CREATE USER [Dataedo Integration] FROM EXTERNAL PROVIDER;
Note: Replace "Dataedo Integration" with the exact name you used during App registration.
2. Assign Synapse RBAC Role
To grant the service principal access to Synapse resources:
- Access Synapse Studio
  - Open Azure Synapse Studio
  - Sign in to your workspace
- Navigate to Access Control
  - Select the Manage tab from the left navigation
  - Under Security, click Access control
- Add Role Assignment
  - Click + Add at the top of the Access control page
  - In the "Add role assignment" panel, configure:
    - Scope: Select "Workspace"
    - Role: Choose "Synapse Artifact User"
    - Select user: Search for and select your service principal name ("Dataedo Integration")
  - Click Apply to save the changes
About the Synapse Artifact User Role: This role provides read access to published code artifacts and their outputs. While it allows creation of new artifacts, it cannot publish changes or execute code without additional permissions.
3. Configure Dataedo Connection
To set up Azure Synapse Analytics connection in Dataedo:
- Create New Documentation
  - Open Dataedo
  - Click "Add documentation"
  - Select "Database connection"
  - Choose "Azure Synapse Analytics" as your DBMS type
- Configure Connection Details
  - Server Details
    - Server name: Enter the full server address (e.g., workspace-name.sql.azuresynapse.net)
    - Port: 1433 (default) or your custom port
    - Database name: Select from dropdown or type manually
  - Authentication Settings
    - Authentication type: Select "Azure Active Directory - Service Principal"
    - User: Paste the Application (client) ID from Azure Portal
    - Password: Paste the client secret value
- Verify Connection
  - Click "Connect" to validate your settings
  - If successful, the import will start
  - If unsuccessful, verify your credentials and network connectivity
Troubleshooting: Ensure all values are copied exactly as shown in Azure Portal. Common issues include trailing spaces or incorrect character cases in the credentials.
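The copy errors named in the troubleshooting note, and the secret expiration mentioned in the App registration steps, can be checked before the values are pasted into Dataedo. The following is an added example, not Dataedo's or Microsoft's code. The function name `preflight`, the 30-day warning window, and the host suffix (taken from the server name example above) are assumptions, and all sample values are constructed.

```python
import re
from datetime import date

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def preflight(client_id, tenant_id, secret, server, secret_expires, today,
              warn_days=30, host_suffix=".sql.azuresynapse.net"):
    """Return a list of problems; messages never contain the secret itself."""
    problems = []
    fields = {"client ID": client_id, "tenant ID": tenant_id,
              "client secret": secret, "server name": server}
    for label, value in fields.items():
        if value != value.strip():
            problems.append(f"{label}: leading or trailing whitespace")
    for label in ("client ID", "tenant ID"):
        if not GUID_RE.match(fields[label].strip()):
            problems.append(f"{label}: not in GUID form")
    # A GUID-shaped secret usually means the portal's "Secret ID" column was
    # copied instead of the "Value" column.
    if GUID_RE.match(secret.strip()):
        problems.append("client secret: GUID-shaped, check that the Value was copied")
    host = server.strip().lower()
    # The port has its own field in Dataedo, so the host must be bare:
    # no scheme, path, port or embedded whitespace.
    if re.search(r"[/:,\s]", host) or not host.endswith(host_suffix):
        problems.append(f"server name: expected a bare host ending in {host_suffix}")
    days_left = (secret_expires - today).days
    if days_left < 0:
        problems.append(f"client secret: expired {-days_left} days ago")
    elif days_left <= warn_days:
        problems.append(f"client secret: expires in {days_left} days, rotate it")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    issues = preflight(
        client_id="11111111-2222-3333-4444-555555555555 ",   # trailing space
        tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        secret="99999999-8888-7777-6666-555555555555",        # Secret ID by mistake
        server="https://workspace-name.sql.azuresynapse.net",
        secret_expires=date(2025, 6, 10), today=date(2025, 6, 1))
    for issue in issues:
        print("FAIL", issue)
```

An empty list means none of these checks failed; it does not prove the credentials are accepted by Azure.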
For more details about connection security and Azure AD integration, see Azure Synapse Analytics documentation.