This topic describes how to use Microsoft Power BI to instantiate a Snowflake session and access Snowflake using single sign-on (SSO).
Overview
This feature eliminates the need for on-premises Power BI Gateway implementations because the Power BI service uses an embedded Snowflake driver to connect to Snowflake.
Standard Workflow
(Optional) If the identity provider is not Azure AD, then Azure AD verifies the user through SAML authentication before logging the user into the Power BI service.
When the user connects to Snowflake, the Power BI service asks Azure AD to give it a token for Snowflake.
The Power BI service uses the embedded Snowflake driver to send the Azure AD token to Snowflake as part of the connection string.
Snowflake validates the token, extracts the login name from the token, maps it to the Snowflake user, and creates a Snowflake session for the Power BI service using the user’s default role.
Prerequisites
In Snowflake, if you are using network policies, you can allow the Microsoft Azure IP range that includes the Azure region where your Snowflake account is hosted and any additional Azure regions as necessary.
To create a network policy that is specific to Power BI for the Azure region where your Snowflake on Azure account is located, search the JSON download from Microsoft for your region.
For example, if your Snowflake on Azure account is located in the Canada Central region, search the JSON download for PowerBI.CanadaCentral. Select the IP address ranges from the addressPrefixes list. Use these IP address ranges to create or update a network policy in Snowflake.
If you are using multiple Microsoft Azure services (e.g. Power BI, SCIM), contact your Azure administrator to verify the correct IP address ranges, so that the Snowflake network policy contains the IP address ranges needed to allow users to access Snowflake.
By default, the account administrator (i.e. users with the ACCOUNTADMIN system role) and security administrator (i.e. users with the SECURITYADMIN system role) roles are blocked from using Microsoft Power BI to instantiate a Snowflake session. If you have a business need to allow these roles, and your security team is comfortable with allowing it, please contact Snowflake Support to request that these roles be allowed for your account.
Either the login_name, name, or email attribute for the user in Snowflake must map to the Azure AD upn attribute. If the login_name attribute is not defined, then the process defaults to the name attribute.
Considerations
AWS PrivateLink and Azure Private Link are supported. If it is necessary to use either of these two services to connect to Snowflake, use the on-premises gateway to connect.
AWS PrivateLink and Azure Private Link are not supported. For the Power BI service and Power BI Desktop, create a network policy to allow the Azure Active Directory public IP address ranges. Note that network policies have a 100,000 character limit for allowed IP addresses.
Snowflake tries to verify Azure Active Directory through the URL value in the external_oauth_jws_keys_url property (shown below) or through the allowed IP addresses in the network policy, if a network policy exists. Microsoft updates its tokens and keys every day. For more information on the Microsoft updates, see Overview of tokens in Azure Active Directory B2C.
Getting Started
This section explains how to create a Power BI security integration in Snowflake and how to access Snowflake through Power BI.
Creating a Power BI Security Integration
This step is not required if you are using the Power BI gateway for the Power BI service to connect to Snowflake or are using your Snowflake username and password for authentication.
To use Power BI to access Snowflake data through SSO, it is necessary to create a security integration for Power BI using CREATE SECURITY INTEGRATION as shown below.
The security integration must have the correct value for the external_oauth_issuer parameter. Part of this value maps to your Azure AD tenant. You can find this value in the About section of your Power BI tenant.
If your organization has an advanced deployment of the Power BI service, then check with your Azure AD administrator to get the correct value of the Azure AD tenant to use in constructing the Issuer URL.
For example, if your Azure AD tenant ID is a828b821-f44f-4698-85b2-3c6749302698, then construct the AZURE_AD_ISSUER value similar to . It is important to include the forward slash (i.e. /) at the end of the value.
After constructing the value for AZURE_AD_ISSUER, execute the CREATE SECURITY INTEGRATION command. Be sure to set the value of the external_oauth_audience_list security integration parameter correctly based on whether your Snowflake account is located in the Microsoft Azure Government cloud region.
These examples also use the ANY role, which allows for role switching. For more information, see Using ANY Role with Power BI SSO to Snowflake.