• If your requirement is “Tableau refreshes and access should not depend on any person”, then PAT for the SP (with rotation + least privilege) is typically the right approach.

• If your requirement is “each Tableau user should access data as themselves”, then OAuth (user identity) is the right approach.

OAuth in Tableau generally cannot “log in as a Service Principal” because OAuth is tied to a user authorization step; Service Principals are meant for headless flows, and Tableau’s OAuth UX doesn’t target that scenario. PAT is the standard workaround for SP/non-user accounts.