Snowflake enables Microsoft Power BI users to connect to Snowflake using Identity Provider credentials and an OAuth 2

This topic describes how to use Microsoft Power BI to instantiate a Snowflake session and access Snowflake using single sign-on (SSO).


This feature eliminates the need for on-premises Power BI Gateway implementations, since the Power BI service uses an embedded Snowflake driver to connect to Snowflake.

Standard Workflow

(Optional) If the identity provider is not Azure AD, then Azure AD verifies the user through SAML authentication before logging the user into the Power BI service.

When the user connects to Snowflake, the Power BI service asks Azure AD to give it a token for Snowflake.

The Power BI service uses the embedded Snowflake driver to send the Azure AD token to Snowflake as part of the connection string.

Snowflake validates the token, extracts the username from the token, maps it to the Snowflake user, and creates a Snowflake session for the Power BI service using the user's default role.


In Snowflake, if you are using Network Policies, you can allow the Microsoft Azure IP range that includes the Azure region where your Snowflake account is hosted and any additional Azure regions as necessary.

To create a network policy that is specific to Power BI for the Azure region where your Snowflake on Azure account is located, search the JSON download from Microsoft for your region.

For example, if your Snowflake on Azure account is located in the Canada Central region, search the JSON download for PowerBI.CanadaCentral. Select the IP address ranges from the addressPrefixes list. Use these IP address ranges to create or update a network policy in Snowflake.

If you use multiple Microsoft Azure services (e.g. Power BI, SCIM), contact your Azure administrator to verify the correct IP address ranges, so that the Snowflake network policy contains the correct IP address ranges to allow users to access Snowflake.
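The steps above, worked through as an added example (not code from Snowflake or Microsoft): it selects the addressPrefixes for the named service tags, validates each entry as a CIDR before it reaches SQL, and builds the network policy statement. The JSON shape, the sample prefixes, the policy name, the IPv4-only filter and the way the 100,000 character limit is counted are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of Microsoft's service-tag JSON download;
# the prefixes are documentation ranges, not real Power BI addresses.
SAMPLE_SERVICE_TAGS = json.loads("""
{"values": [
  {"name": "PowerBI.CanadaCentral",
   "properties": {"addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25",
                                      "198.51.100.16/28", "2001:db8::/48"]}},
  {"name": "PowerBI.CanadaEast",
   "properties": {"addressPrefixes": ["203.0.113.0/24"]}}
]}
""")

# Limit this page gives for the allowed IP addresses; counting it over the
# quoted, comma-separated list is an assumption.
MAX_LIST_CHARS = 100_000


def allowed_prefixes(service_tags, tag_names):
    """Return collapsed IPv4 CIDR strings for the named service tags."""
    wanted, found, nets = set(tag_names), set(), []
    for entry in service_tags["values"]:
        if entry["name"] not in wanted:
            continue
        found.add(entry["name"])
        for prefix in entry["properties"]["addressPrefixes"]:
            # ip_network() rejects anything that is not a well-formed CIDR,
            # so no free text from the download reaches the generated SQL.
            net = ipaddress.ip_network(prefix, strict=True)
            if net.version == 4:  # assumption: the policy takes IPv4 only
                nets.append(net)
    missing = wanted - found
    if missing:
        raise KeyError(f"service tags not in download: {sorted(missing)}")
    # Merging adjacent ranges keeps the list short and well under the limit.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def network_policy_sql(policy_name, prefixes):
    """Build a CREATE NETWORK POLICY statement, enforcing the size limit."""
    if not policy_name.isidentifier():
        raise ValueError("policy name must be a plain identifier")
    ip_list = ", ".join(f"'{p}'" for p in prefixes)
    if len(ip_list) > MAX_LIST_CHARS:
        raise ValueError(f"allowed list is {len(ip_list)} chars, over the limit")
    return f"CREATE NETWORK POLICY {policy_name} ALLOWED_IP_LIST = ({ip_list});"
```

Passing several tag names to `allowed_prefixes` covers the case where more than one Azure service or region has to be allowed in the same policy.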

By default, the account administrator (i.e. users with the ACCOUNTADMIN system role) and security administrator (i.e. users with the SECURITYADMIN system role) roles are blocked from using Microsoft Power BI to instantiate a Snowflake session. If you have a business need to allow these roles, and your security team is comfortable with allowing it, please contact Snowflake Support to request that these roles be allowed for your account.

Either the login_name, name, and/or email attribute for the user in Snowflake must map to the Azure AD upn attribute. If the login_name attribute is not defined, then the process defaults to the name attribute.


AWS PrivateLink and Azure Private Link are supported. If it is necessary to use either of these two services to connect to Snowflake, use the on-premises gateway to connect.

AWS PrivateLink and Azure Private Link are not supported. For the Power BI service and Power BI Desktop, create a network policy to allow the Azure Active Directory public IP address ranges. Note that network policies have a 100,000 character limit for the allowed IP addresses.

Snowflake attempts to validate Azure Active Directory through the URL value in the external_oauth_jws_keys_url property (shown below) or through the allowed IP addresses in the network policy, if the network policy exists. Microsoft updates its tokens and keys every day. For more information on the Microsoft updates, see Overview of tokens in Azure Active Directory B2C.

Getting Started

This section explains how to create a Power BI security integration in Snowflake and how to access Snowflake through Power BI.

Creating a Power BI Security Integration

This step is not required if you are using the Power BI gateway for the Power BI service to connect to Snowflake or are using your Snowflake account for authentication.

To use Power BI to access Snowflake data through SSO, it is necessary to create a security integration for Power BI using CREATE SECURITY INTEGRATION as shown below.

The security integration must have the correct value for the external_oauth_issuer parameter. Part of this value maps to your Azure AD tenant. You can find this value in the About section of your Power BI tenant.

If your organization has an advanced deployment of the Power BI service, then check with your Azure AD administrator to get the correct value of the Azure AD tenant to use in constructing the Issuer URL.

For example, if your Azure AD tenant ID is a828b821-f44f-4698-85b2-3c6749302698, then construct the AZURE_AD_ISSUER value similar to . It is important to include the forward slash (i.e. /) at the end of the value.

After constructing the value for AZURE_AD_ISSUER, execute the CREATE SECURITY INTEGRATION command. Be sure to set the value for the external_oauth_audience_list security integration parameter correctly based on whether or not your Snowflake account is located in the Microsoft Azure Government cloud region.

These examples also use the ANY role, which allows for role switching. For more information, see Using the ANY role with Power BI SSO to Snowflake.
