Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
astone
Frequent Visitor

Data lake dataset refresh without authentication renewal

Hello,

 

I have multiple reports published to the PowerBI service using an Azure Data Lake instance as the data source. I have successfully setup scheduled refresh for these reports. However, every two weeks the OAuth credentials PowerBI uses to perform the refresh expire, and I must manually renew them. I believe the manual step is necessary because our organization has enabled multi-factor authentication for all active directory users.

 

What is the recommended approach to schedule refreshes without having to manually renew the authentication periodically? Do I need to have a special user setup without multi-factor? Is there a way to setup service-to-service authentication like with an Active Directory app service principal's secret or certificate instead of a user's credential?

 

2 REPLIES 2
v-sihou-msft
Employee
Employee

@astone

 

Sorry for my misunderstanding. Your Power bi account has enabled multi-factor authentication. But this is not for the Azure account you perform the schedule refresh. Right?

 

By default, the Refresh Token Max Inactive Time is 14 days. See: Configurable token lifetimes in Azure Active Directory (Public Preview)

 

You can use Multi-Factor for your Azure account. Or configure your current Azure account with maximum 90 days Refresh Token.

 

Regards,

I had been using my personal/administrative Azure Active Directory account credentials for the Power BI scheduled refreshes. That account had multi-factor authentication. I was experiencing the credentials expiring with that account.

I am now trying to use the credentials of a different user with more specialized permissions and Multi-Factory Authentication disabled. I'm hoping that this user's credentials won't expire, but I'm unclear if it will or not based on your post.

Is the refresh token a side effect of multi-factor authentication or do all OAuth credentials have this restriction?

I thought I had read somewhere that multi-factor authentication is what triggers the expiry, but it sounds now like I was wrong. Your link indicates that 'Multi-Factor Refresh Token Max Age' can be 'Until-revoked', and that single-factor and multi-factor can both be configured with the same expiry times. So that would seem to imply that multi-factor doesn't actually affect the credential expiry.

The refresh happens daily, so why would 'inactive time' apply? Wouldn't it be reset each time the refresh happens?


As you stated and as the link also states, the maximum inactive time is 90 days. If the daily refreshes do not reset the inactive time then I guess I must manually refresh credentials at least every 90 days. That's better than two weeks, but I would like to avoid the manual refresh altogether if possible.

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors
Top Kudoed Authors