Using a Service Account in Microsoft Fabric

Applications should never depend on user accounts for their own authentication. User accounts have unique security configurations, such as MFA and password expiration.

Applications can’t manage this kind of unique configuration. When the user changes the password, for example, the application may stop working.

The solution is to give the application its own identity. The application needs to be capable of using this kind of identity, which is called a Service Account.

Service Accounts support in Fabric

Cloud connections in Fabric support the usage of service accounts. After we publish our semantic models, we can link them with the cloud connections configured to use the service accounts.

When creating a new cloud connection, Service Account is one of the authentication options. When we choose this option, we need to fill in the Tenant Id, Service Principal Id and Service principal key.

Creating a Service Account

Fabric and the Azure environment share the same security system: a single directory manages all the authentication.

In this directory, the process to create a service account is called App Registration: you register an app in Azure Entra (formerly Azure Active Directory), and this app becomes a user that can receive permissions.

1: Navigate to “App registrations”

In the Azure Portal, App registrations is inside the Entra ID feature (formerly Azure Active Directory). You can reach it by searching in the top search box, or by going to Entra ID and finding it in the left menu.

2: Create a New App Registration

  • In the App registrations page, click on the “+ New registration” button at the top of the page.

3: Configure the App Registration

  • Name: Enter a name for your application. This name will help identify the app in your Azure portal.
  • Click “Register” to complete the registration.

4: Note Down Important Information

After the app registration is created, you will be redirected to the app’s Overview page. Note the following key information:

  • Application (client) ID: This is a unique identifier for your app.
  • Directory (tenant) ID: This is the unique identifier for your Azure AD tenant.

5: Generate a Client Secret

  • In the left menu, go to “Certificates & secrets”.
  • Under Client secrets, click “+ New client secret”.

  • Provide a description and select the expiration period for the secret.

  • Click “Add”.

Once created, copy the Value of the client secret immediately, as it will not be displayed again.
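The expiration period chosen in step 5 matters as much as a user's password expiration: when the secret expires, the connection that uses it stops authenticating. The following is an added example, not part of the original article, that reports which client secrets of an app registration are expired or close to expiry. It assumes the JSON comes from `az ad app credential list --id <app-id>`; the sample data and the 30-day warning window are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape printed by `az ad app credential list --id <app-id>`;
# names, key IDs and dates are made up for this example.
SAMPLE = """[
 {"displayName": "fabric-connection", "keyId": "11111111-1111-1111-1111-111111111111",
  "endDateTime": "2024-07-08T09:00:00Z"},
 {"displayName": "fabric-connection-next", "keyId": "22222222-2222-2222-2222-222222222222",
  "endDateTime": "2025-06-20T09:00:00.1234567Z"},
 {"displayName": "old-test", "keyId": "33333333-3333-3333-3333-333333333333",
  "endDateTime": "2024-01-01T00:00:00Z"}
]"""


def parse_graph_time(value):
    """Parse a UTC timestamp, dropping fractional seconds that older Pythons reject."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def secret_report(credentials, now, warn_days=30):
    """Return (displayName, status, days_left) per secret, soonest expiry first."""
    rows = []
    for cred in credentials:
        left = parse_graph_time(cred["endDateTime"]) - now
        if left <= timedelta(0):
            status = "expired"
        elif left <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        # Fall back to the key ID when the secret was created without a description.
        rows.append((cred.get("displayName") or cred["keyId"], status, left.days))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, status, days in secret_report(json.loads(SAMPLE), now):
        print(f"{status:9} {days:6} days  {name}")
```

Run it on a schedule and rotate any secret reported as `expiring` before the cloud connection starts failing.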

Service Account Configuration Values

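After following the steps to create a service account, you have the three values for the service account: the Tenant Id (the Directory (tenant) ID), the Service Principal Id (the Application (client) ID) and the Service principal key (the Value of the client secret).

When creating a cloud connection in Fabric, these are the values you need to fill in.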
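Before pasting the three values into a cloud connection, it helps to confirm that they are the right ones and that they authenticate. The following is an added example, not part of the original article: it catches the common mistake of copying the Secret ID column instead of the secret Value, then builds the OAuth 2.0 client-credentials request for the Entra token endpoint. The function names and the Fabric API scope are assumptions of this example.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumption (not from the article): the scope used for the Fabric REST API.
FABRIC_SCOPE = "https://api.fabric.microsoft.com/.default"


def check_values(tenant_id, principal_id, principal_key):
    """Return a list of problems found in the three connection values."""
    problems = []
    if not GUID.match(tenant_id):
        problems.append("Tenant Id must be the Directory (tenant) ID GUID")
    if not GUID.match(principal_id):
        problems.append("Service Principal Id must be the Application (client) ID GUID")
    if not principal_key or principal_key != principal_key.strip():
        problems.append("Service principal key is empty or padded with whitespace")
    elif GUID.match(principal_key):
        problems.append("Service principal key looks like the Secret ID, not the Value")
    return problems


def build_token_request(tenant_id, principal_id, principal_key, scope=FABRIC_SCOPE):
    """Build the OAuth 2.0 client-credentials request for the Entra token endpoint."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": principal_id,
        "client_secret": principal_key,
        "scope": scope,
    })
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=form.encode(), method="POST")


def verify_credentials(tenant_id, principal_id, principal_key):
    """Network call: return (True, 'ok') or (False, reason). Never prints the secret."""
    problems = check_values(tenant_id, principal_id, principal_key)
    if problems:
        return False, "; ".join(problems)
    try:
        request = build_token_request(tenant_id, principal_id, principal_key)
        with urllib.request.urlopen(request, timeout=15) as response:
            return "access_token" in json.load(response), "ok"
    except urllib.error.HTTPError as err:
        detail = json.loads(err.read() or b"{}")
        return False, detail.get("error", f"HTTP {err.code}")
```

Read the secret from an environment variable or a secret store when calling `verify_credentials`, so it does not end up in shell history or source control.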

Enabling Service Accounts usage in Fabric

Service Accounts in Fabric need to be enabled before they can receive any permissions.

For example, let’s imagine you would like to use a service account to connect to a lakehouse. The service account needs to receive access to the lakehouse. The first step is to enable service accounts to access Fabric resources.

If the service account will be used only for external connections, you may not need this, but usually you will need the service account to access Fabric resources as well.

To enable access for the service account, you need to use the Power BI/Fabric admin portal. Inside the admin portal, locate the setting “Service principals can use Fabric APIs”. This option needs to be enabled.

Setting Permissions to the Service Account

Defining permissions for service accounts is like doing so for regular users. You can define them at the workspace level or at the object level.

Summary

Service accounts improve the security and stability of the Fabric environment by removing the dependency on user accounts.

About the author

Dennes Torres

Dennes Torres is a Data Platform MVP and Software Architect living in Malta who loves SQL Server and software development and has more than 20 years of experience. Dennes can improve Data Platform Architectures and transform data into knowledge. He moved to Malta after more than 10 years leading the devSQL PASS Chapter in Rio de Janeiro and is now a member of the leadership team of the MMDPUG PASS Chapter in Malta, organizing meetings, events, and webcasts about SQL Server. He is an MCT, MCSE in Data Platforms and BI, with more titles in software development. You can get in touch on his blog https://dennestorres.com or at his work https://dtowersoftware.com