This article is a must-read if you manage data and analytics with Databricks on AWS, Power BI, and Microsoft Entra ID. Integrating Databricks on AWS with Power BI through Single Sign-On (SSO) using Microsoft Entra ID can streamline your data analytics workflow significantly. Leveraging SSO in Power BI enhances security, simplifies access management, and provides a more efficient, user-friendly experience. This comprehensive guide will walk you through the process of configuring the preview for SSO integration of Databricks on AWS, Power BI, and Microsoft Entra ID, and it includes guided demo content to help you follow along
There are three scenarios Direct Query will be more appropriate than Import mode.
You want to use a single access control mechanism across Databricks and Power BI, ie. Unity Catalog. As using Import mode, you will have to set up RLS in Power BI, you will end up with a dual access control mechanism in both Unity Catalog and Power BI, Direct Query mode does not require access control in Power BI and can utilize ACL in Unity Catalog (requires Entra ID as an identity provider and Azure Databricks connector).
Databricks launched the first Power BI connector, Azure Databricks, in 2020, enabling seamless connectivity for Azure Databricks users with Entra ID as their identity provider to Power BI. Since then, we have expanded support for additional cloud deployments and authentication options by introducing a second connector, Databricks in 2022, for Databricks users on AWS.
Since Azure's default OAuth mechanism is Entra ID, there is only one connector choice when using Azure Databricks - the Azure Databricks Connector. In this connector, username/password and personal access token authentications are identical to those of the Databricks connector, but the default OAuth mechanism is Entra ID.
For Databricks on AWS with Entra ID as an identity provider, you can use Azure Databricks connector or Databricks connector based on requirements. If you have a requirement to use the Direct Query Viewer Credential option (let Power BI pass end user identity down to Databricks and use Unity Catalog for access control of end users), you will need to use Azure Databricks connector. Otherwise, the recommendation is to use the Databricks connector due to the fact that you can control the OAuth application settings such as the access and refresh token lifetime TTL.
A private preview (documentation) is available allowing SSO to Power BI from Databricks on AWS using Microsoft Entra ID. This guide, written as of July 9, 2024, will walk you through the configuration process. As always refer to our documentation for more information on the level of support to expect for our various previews release types.
Before you configure SSO from Power BI from Databricks on AWS with Microsoft Entra ID, make sure you have the following:
The Microsoft Entra tenant ID must match the Power BI tenant ID. To find your Power BI tenant ID, see link. Your tenant ID is the value after ctid= in the tenant URL.
Note
If your workspace doesn’t meet the requirements, contact your Databricks representative to enroll your Microsoft Entra tenant in the Private Preview. You’ll have to provide your Microsoft Entra tenant ID and your Databricks account ID.
To enroll your Microsoft Entra tenant in the Private Preview, follow the steps in SSO to Databricks with Microsoft Entra ID (formerly Azure Active Directory), but don’t paste the OpenID Connect metadata document value into the OpenID issuer URL field. Instead, your OpenID issuer URL must include your Microsoft Entra tenant ID and end with a forward slash. The format must be exactly the following: https://sts.windows.net/<tenant-id>/
The below section provides a detailed step by step on the Self-serve enrollment steps above and shows how to configure settings in AWS Account Console and Azure Portal for Entra ID. Feel free to skip to the next section if you have already completed this.
Important Note: The following steps involve adjusting settings in the Single sign-on section of the Account Console. Prior to implementation, it is strongly recommended to test this in a sandbox environment. To avoid any potential issues with access to Databricks during single sign-on testing, it is suggested to keep the account console open in a separate browser window. You may also establish emergency access with security keys as a precaution against lockouts. Refer to the Configure emergency access section for instructions on how to set this up.
If the Test SSO validation step in SSO to Databricks with Microsoft Entra ID (formerly Azure Active Directory) fails, verify the following:
You might have to configure optional claims. To do this, follow https://learn.microsoft.com/entra/identity-platform/optional-claims. Make sure you have the email claim in both id token and access token.
If you want to validate and follow along with some demo content, we have provided a Github repo that you can sync to your Databricks workspace. It contains a Databricks Notebook and Power BI template file that will take you through an end to end demo. You need to have permissions to create catalogs, schemas, tables and groups in your Databricks environment.
You can now enable SSO so that when you publish a report to the Power BI service, users can access reports built using DirectQuery storage mode by passing their Microsoft Entra ID (formerly Azure Active Directory) credentials to Databricks. If you want to follow along with some demo content go to option 1 or if you want to see how to connect manually the proceed to option 2.
On your Windows Machine with Power BI Desktop installed, download the Power BI template file from the github repo (https://github.com/databricks-solutions/databricks-blogposts/tree/main/awsdb-pbi-sso) and open it. Populate the below parameters:
When creating a connection from Power BI Desktop, select the Azure Databricks connector. Although the connector name is Azure Databricks, it works with Databricks on AWS. Do not select the Databricks connector.
Populate your credentials to authenticate using Azure Active Directory (Entra ID).
Enable SSO access to the report and underlying data source.
Integrating Databricks on AWS with Power BI through Single Sign-On (SSO) using Microsoft Entra ID offers a robust solution for managing access to data in Databricks through Power BI seamlessly. By following the steps outlined in this guide, you can enhance security, simplify access management, and create a more efficient and unified data analytics workflow. The ability to leverage SSO in Power BI will streamline access control for your end-to-end data platform. This integration empowers your team to focus on deriving insights from data rather than managing two separate governance models in Databricks and Power BI. With the demo notebook and pbit file provided in the GitHub outlined in the Resources part of this guide below, you can recreate this SSO passthrough demo yourself easily and replicate it for your own access control use cases.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.