Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
Anonymous
Not applicable

how to establish communication to Power BI service

My organization is considering using Power BI.  I have been asked to provide a list of steps that my security group will need to perform to establish connections to the Power BI service.  I have searched for details on this, but I haven't been able to find anything.

 

1)

When publishing a pbix file (typically from a server), the only target connection information I am prompted for is my Power BI Pro account.  I was expecting to provide far more details, such as a target IP and my tenant information  So, how does the pbix file know what Power BI tenant to go to?  And, how is an outbound connection created?

 

2)

When I refresh a dataset in the Power BI service that utilizes an on-prem data source, how is that communication channel established?  I understand that the Azure Service Bus (ASB) is involved, and that the ASB IPs should be whitelisted in my firewall.  But, how does the communication channel get established in the first place? 

4 REPLIES 4
Greg_Deckler
Super User
Super User

When you logon to Power BI, you are logging on to your Azure AD account in your tenant. Your Power BI tenant is associated with this tenant automatically via your Azure AD credentials.

 

For the second question, you probably want the Security whitepaper on this page:

https://docs.microsoft.com/en-us/power-bi/whitepapers

 


@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!:
Mastering Power BI 2nd Edition

DAX is easy, CALCULATE makes DAX hard...
Anonymous
Not applicable

1)

When I install / access Power BI Desktop, I have to provide my Power BI (Azure AD) login credential.  No other information is supplied.  When I go to publish, I see that my work spaces are available to me.  So, by logging into Desktop, information from Power BI service (app.powerbi.com, some IP address) must have somehow been fetched.  In other words, it’s acting like an internet browser – it goes out to the Power BI service with my Power BI login, whereby the service authenticates my Power BI login to my Azure AD tenant and fetches necessary information from my Power BI subscription (e.g., workspace names) and returns them to the Desktop client.

 

After making the workspace selection in the Desktop client, the Desktop client must make a similar connection as described above, in that it goes out to the Power BI service (this time not only with my Power BI login, but also the selected workspace and the .pbix file), whereby the service authenticates my Power BI login to my Azure AD tenant and then lands the .pbix file into my O365 tenant (?) and my selected workspace.

 

So, effectively it’s like a very guided file upload from a computer to an internet site.  Is this an accurate description of the process?

 

2)

I read that white paper a while back.  It didn't seem to answer my question.  If my understanding is correct, publishing makes something like a Push request to the Power BI service.  Refreshing datasets is in the opposite direction, though.  That is, the Power BI service needs to make something like a Get call to my on-prem server IP address.  Information about my data source is stored in the Power BI service (in gateway management).  I understand that the on-prem gateway handles the decryption of encrypted credentials from an ASB request, and that Power BI can’t just punch into my server.  The on-prem gateway makes calls out to the ASB (some IP address).  How does the gateway know which query to fulfill from the ASB?  Since the only information I enter at gateway creation time is my Power BI login, is the gateway trying to match up to ASB queries by Power BI login ID?

 

 

By the way, I found the following posting very helpful:

https://community.powerbi.com/t5/Integrations-with-Files-and/Enterprise-Gateway-to-on-premise-SQL-Se...

Hi @Anonymous

For the first question, your understanding is correct.

For the second one, It is not complete of your understanding.

Indeed, the gateway needs power bi login id (Azure Active Directory (AAD)) as  authentication to communicate with Azure Service Bus.

For more details, i recommend you to read this article about how Gateway works when refreshing.

-> 

  1. A query will be created by the cloud service, along with the encrypted credentials for the on-premises data source, and sent to the queue for the gateway to process.
  2. The gateway cloud service will analyze the query and will push the request to the Azure Service Bus.
  3. The On-premises data gateway polls the Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials and connects to the data source(s) with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source, back to the gateway, and then onto the cloud service. The service then uses the results.

 

 

Best Regards

Maggie

Anonymous
Not applicable

@v-juanli-msft

 

How does the gateway "poll" the ASB?  Is this "polling" something like sending a Get statement to the ASB?  And, because the message queue in the ASB is dynamic, the gateway must poll the ASB at some frequency.  How frequently does the gateway poll the ASB?  Is that frequency configurable?

 

Lastly, once the gateway finds an associated ASB message and the ASB message is received by the gateway, how does the gateway know to decrypt and run the query?  Is it instructed to execute all queries / messages that are received?  Is there any risk of a malicious query being received?

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors
Top Kudoed Authors