Get Started
Get Started
Authenticating using Service Principal in Microsoft Fabric SQL Endpoint
Authenticating using Service Principal in Microsoft Fabric SQL Endpoint

Authenticating using Service Principal in Microsoft Fabric SQL Endpoint

July 22, 2024

Microsoft Fabric provides a SQL Endpoint for Lakehouse and Warehouse, enabling you to run SQL queries and stored procedures on your data. However, to execute SQL statements, the SQL Engine requires authentication to verify the principal’s permissions. Unlike SQL Server or Azure SQL DB, Microsoft Fabric does not support SQL Authentication. Instead, you must use either a Microsoft Entra ID user principal or a Microsoft Entra ID service principal.

When setting up automated refreshes or connecting third-party applications through the SQL Endpoint, it’s best to use a service account or service principal. Relying on a user’s account can lead to complications, such as:

Access changes: If a user’s permissions are modified, it may break existing applications.

Password changes: Depending on policies, a password update could disrupt application connections.

Microsoft Entra ID service principals simplify this process by providing a centralized way to manage secrets, monitor their expiration, and rotate them seamlessly. You can create a new secret while the old one is still active, ensuring no downtime during the transition.

In this blog, we’ll explore how to use Microsoft Entra ID service principals for authentication in Microsoft Fabric.

Creating service principal

To create a service principal, the first step is to register an application in Azure. Detailed steps for this process are available in the Microsoft documentation:

Register a Microsoft Entra app and create a service principal – Microsoft identity platform | Microsoft Learn

We recommend using Option #3, which involves creating a client secret. This approach works similarly to using a password for authentication and is straightforward to implement.

Once the service principal is created, you’ll need three key pieces of information to use it in applications that support service principals:

  1. Tenant ID
  2. Application/Client ID
  3. Client Secret

Providing access to service principal

To grant access to the service principal, you can share the Lakehouse or Warehouse with the service principal as shown below:

For more granular control, you can provide specific access to tables using a SQL statement like this:

GRANT SELECT ON [WH_Name].[dbo].[Table] TO [AzureServiceAccount];

Using service principal

To test whether the service principal is working correctly, you can use SQL Server Management Studio (SSMS). Simply change the Authentication type to ‘Microsoft Entra Service Principal’, then enter the Application/Client ID as the username and the Client Secret as the password.

If you’re integrating the service principal into a C# program, such as an ASP.NET website, you can connect to the SQL Endpoint using code similar to the following:

Conclusion

We’ve walked through how to create a service principal and use it to connect and run SQL statements in applications. As a best practice, it’s highly recommended to establish connections in your applications using a service principal. This approach ensures your applications remain independent of individual user accounts, reducing the risk of disruptions caused by access changes or password updates.

Govindarajan D

Data Architect

Govindarajan D is a seasoned Data Architect, leveraging expertise in exploring Microsoft technologies. With a passion for innovative solutions, Govindarajan is not only skilled in crafting robust data architecture but also holds the title of Microsoft Certified Trainer (MCT), ensuring cutting-edge knowledge transfer and continuous learning within the tech community.

In this article

Like what you see? Share with a friend.

Related Events

Khaled Chowdhury

Datacrafters | DatabricksDatacrafters | Microsoft FebricDatacrafters | AzureDatacrafters | power BI Services

Rubayat Yasmin

Microsoft-Certified-Power-BI-Data-Analyst-AssociateMicrosoft-Certified-Fabric-Analytics-Engineer-AssociateMicrosoft-Certified-Azure-Data-Engineer-AssociateMicrosoft-Certified-Azure-Solutions-Architect-Expert

Rami Elsharif, MBA

Microsoft-Certified-Power-BI-Data-Analyst-AssociateMicrosoft-Certified-Fabric-Analytics-Engineer-Associate

Govindarajan D

Microsoft-Certified-Power-BI-Data-Analyst-AssociateMicrosoft-Certified-Azure-Data-Engineer-AssociateMicrosoft-Certified-Azure-Administrator-AssociateMicrosoft-Certified-Azure-Solutions-Architect-ExpertDatabricks-Certified-Data-Engineer-ProfessionalLinux-EssentialsMicrosoft-Certified-Fabric-Analytics-Engineer-AssociateMicrosoft-Certified-Azure-Enterprise-Data-Analyst-AssociateDatabricks-Certified-Data-Engineer-AssociateMicrosoft-Certified-Trainer-MCTAzure-Databricks-Platform-Architect