Setting up authentication for Power BI, Azure Data Factory, and SharePoint Lists connectors

From Dataedo version 24.3, there are two methods to authenticate with Power BI, Azure Data Factory, and SharePoint Lists. The first method is Interactive mode, which requires user interaction each time a data source is imported. Because of this, import tasks using Interactive mode cannot be scheduled in Dataedo Scheduler. The second method is Service Principal, which uses a client secret from Azure Application Registration and does not require user interaction during import.

When using the Interactive authentication type without Advanced authentication settings, the only prerequisite is that the user you're connecting with has the appropriate permissions. However, when using the Interactive authentication type with Advanced authentication settings or the Service Principal authentication type, you must first have an Azure Application Registration created.

Interactive authentication type

In this authentication workflow, we use user impersonation against Azure Application Registration. In default mode, we use Dataedo’s Application Registration, but when clicking Advanced authentication settings, it is possible to provide connection details for your own Azure Application Registration.

Required permissions

Required permissions for Power BI

The user must have the following scopes:

• Report.Read.All
• Workspace.Read.All
• Dataset.Read.All
• Dataflow.Read.All
• Dashboard.Read.All

Additionally, the Tenant.Read.All scope is required to import usage statistics.

Required permissions for Azure Data Factory

The user must have the Data Factory Contributor role.

Required permissions for SharePoint Lists

The user must have the Sites.Read.All scope.

Interactive authentication using default settings

To use interactive authentication, the Authentication Type dropdown should be set to Interactive, and the Advanced authentication settings checkbox should be unchecked.

When you click Connect or select some details (workspace for Power BI, Site for SharePoint Lists, or Subscription/Resource Group/Factory for Azure Data Factory), your default browser will open with the Microsoft login screen. After successful login, you can close the browser and start the import.

In some cases, for first-time use, Azure Administrator consent is required. Administrator action will be needed as explained in Adding Azure Administrator consent to Azure Application Registration in this article.

Interactive authentication using advanced authentication settings

To use interactive authentication with advanced authentication settings, the Authentication Type dropdown should be set to Interactive, and the Advanced authentication settings checkbox should be checked. Then, enter your Application Registration Client Id in the Client Id textbox.

How to create Azure Application Registration and where to find the Client Id is explained in the Creating Azure Application Registration section below. If using non-default settings in Application Registration or an Azure Cloud Instance other than Azure Public, select proper values in the Authority, Cloud Instance, and Audience fields.

Creating Azure Application Registration

To create an Azure Application Registration:

1. Log in to the Azure Portal.
2. In the search bar, search for App registrations and select it from the list.
3. From the toolbar on the App registrations page, click + New registration.
4. On the Register page, enter a Name for your client application, select supported account types, and set Redirect URI as Public client/native with http://localhost redirect URI.

5. Click Register.
6. On the homepage of your created application, from the Overview screen, copy the values for the Application (client) ID field. This value needs to be pasted into the Client Id field in Dataedo.

Adding Azure Administrator consent to Azure Application Registration

In some Azure subscription configurations, Admin consent may be required for using Application Registration.

If the user encounters a screen like this, it means that requesting Admin consent is disabled for your Azure subscription:

To resolve this, the user must see a screen like this, where they can send a request for approval to the Azure Admin:

To enable Admin consent requests, the Azure Administrator needs to take the following steps in the Azure Portal:

1. Open Enterprise applications in the Azure portal.
2. In the left sidebar, go to Security and click on Consent and permissions.

3. Click Admin consent settings and select YES for Admin consent requests – Users can request admin consent to apps they are unable to consent to. Select one or more users, groups, or roles that can consent to applications.