Applications should never depend on user accounts for their own authentication. User accounts have unique security configurations, such as MFA and password expiration.
Applications can't manage this kind of configuration. When the user changes the password, for example, the application may stop working.
The solution is to give the application its own identity. The application needs to be capable of using this kind of identity, which is called a Service Account.
Service Accounts support in Fabric
Cloud connections in Fabric support the usage of service accounts. After we publish our semantic models, we can link them with the cloud connections configured to use the service accounts.
When creating a new cloud connection, Service Account is one of the authentication options. When we choose this option, we need to fill in the Tenant Id, Service Principal Id and Service principal key.
Creating a Service Account
Fabric and the Azure environment share the same security system: a single directory that manages all authentication.
In this directory, the process of creating a service account is called App Registration: you register an app in Microsoft Entra ID (formerly Azure Active Directory), and this app becomes an identity, like a user, that can receive permissions.
Step 1: Navigate to “App registrations”
In the Azure Portal, App registrations is inside Entra ID (formerly Azure Active Directory). You can reach it by searching in the top search box, or by going to Entra ID and finding it in the left menu.
Step 2: Create a New App Registration
- In the App registrations page, click on the “+ New registration” button at the top of the page.
Step 3: Configure the App Registration
- Name: Enter a name for your application. This name will help identify the app in your Azure portal.
- Click “Register” to complete the registration.
Step 4: Note Down Important Information
After the app registration is created, you will be redirected to the app’s Overview page. Note the following key information:
Application (client) ID: This is a unique identifier for your app.
Directory (tenant) ID: This is the unique identifier for your Azure AD tenant.
Step 5: Generate a Client Secret
- In the left menu, go to “Certificates & secrets”.
- Under Client secrets, click “+ New client secret”.
- Provide a description and select the expiration period for the secret.
- Click “Add”.
Once created, copy the Value of the client secret immediately, as it will not be displayed again.
Service Account Configuration Values
After following the steps to create a service account, you have the Tenant Id, Service Principal Id and Service principal key for the service account: the Directory (tenant) ID, the Application (client) ID and the client secret Value noted above.
When creating a Cloud Connection in Fabric, these are the values you need to fill in.
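To make concrete what Fabric does with these three values, the following added example (not code from the original post) shows the OAuth2 client-credentials request a service account performs to obtain a token for the Fabric REST API, a configuration check for the common mistake of copying the secret's ID instead of its Value, and a helper that tracks how long the client secret chosen in step 5 has left before it expires. The tenant ID, client ID, secret and expiry date in the block are constructed placeholders; the token scope `https://api.fabric.microsoft.com/.default` and the v2.0 token endpoint are assumptions you should confirm against your own tenant.

```python
"""Client-credentials token request for a Fabric service account.

Added example; values below are constructed placeholders, not real identifiers.
"""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Constructed placeholders: replace with the values from your own app registration's
# Overview page (IDs) and "Certificates & secrets" page (secret Value).
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # Application (client) ID
CLIENT_SECRET = "placeholder-client-secret-value"    # Client secret "Value"

# Assumption: the .default scope for the Fabric REST API used with the v2.0 endpoint.
FABRIC_SCOPE = "https://api.fabric.microsoft.com/.default"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_config(tenant_id, client_id, client_secret):
    """Return a list of configuration problems; an empty list means the values look usable."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("tenant id is not a GUID")
    if not GUID_RE.match(client_id):
        problems.append("client id is not a GUID")
    if not client_secret:
        problems.append("client secret is empty")
    elif GUID_RE.match(client_secret):
        # The portal shows both a "Secret ID" (a GUID) and a "Value"; only the Value works.
        problems.append("client secret looks like a secret ID, not its Value")
    return problems


def build_token_request(tenant_id, client_id, client_secret, scope=FABRIC_SCOPE):
    """Return (url, form_body) for the OAuth2 client-credentials grant.

    Kept separate from the network call so the request can be inspected offline."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def acquire_token(tenant_id, client_id, client_secret, scope=FABRIC_SCOPE):
    """POST the request to the token endpoint and return the parsed JSON response.

    This performs a real network call; the response contains access_token and expires_in."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(
        url,
        data=body.encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def secret_days_remaining(expires_on_iso, now_iso=None):
    """Days until the client secret expires (negative means it has already expired).

    Dates are ISO 8601 strings with an offset, e.g. "2025-06-30T00:00:00+00:00".
    Service-account secrets expire just like user passwords do, so track and rotate them."""
    expires_on = datetime.fromisoformat(expires_on_iso)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return (expires_on - now).days


if __name__ == "__main__":
    issues = validate_config(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    if issues:
        raise SystemExit("configuration problems: " + "; ".join(issues))
    url, body = build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    print("token endpoint:", url)
    print("form fields:", sorted(urllib.parse.parse_qs(body).keys()))
    # Constructed expiry date for illustration; use the date chosen in step 5.
    print("days until secret expires:", secret_days_remaining("2025-06-30T00:00:00+00:00"))
```

Running the script with real values requires network access to `login.microsoftonline.com`; the `acquire_token` call is deliberately left out of the `__main__` block so the placeholders do not produce a failed sign-in, and everything else runs offline.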
Enabling Service Accounts usage in Fabric
Service Accounts in Fabric need to be enabled before they can receive any permission.
For example, imagine you would like to use a service account to connect to a lakehouse. The service account needs to be granted access to the lakehouse, and the first step is to enable service accounts to access Fabric resources at all.
If the service account will be used only for external connections, you may not need this, but usually you will need the service account to access Fabric resources as well.
To enable this access, use the Power BI/Fabric admin portal. Inside the admin portal, locate the tenant setting “Service principals can use Fabric APIs” and enable it.
Setting Permissions to the Service Account
Defining permissions for service accounts works the same way as for regular users: you can grant them at the workspace level or at the object level.
Summary
Service accounts improve the security and stability of the Fabric environment by removing dependencies on user accounts.