Disclaimer: This is work in progress intended to consolidate information from various sources for learning purposes. For the latest information please consult the documentation (see the links below)!
Last updated: 20-Jan-2025
[Azure] Service Principal (SPN)
- {def} a non-human, application-based security identity used by applications or automation tools to access specific Azure resources [1]
- can be assigned precise permissions, making them perfect for automated processes or background services
- allows to minimize the risks of human error and identity-based vulnerabilities
- supported in datasets, Gen1/Gen2 dataflows, datamarts [2]
- authentication type
- supported only by [2]
- Azure Data Lake Storage
- Azure Data Lake Storage Gen2
- Azure Blob Storage
- Azure Synapse Analytics
- Azure SQL Database
- Dataverse
- SharePoint online
- doesn’t support
- SQL data source with Direct Query in datasets [2]
- when registering a new application in Microsoft Entra ID, a SPN is automatically created for the app registration [4]
- the access to resources is restricted by the roles assigned to the SPN
- ⇒ gives control over which resources can be accessed and at which level [4]
- {recommendation} use SPN with automated tools [4]
- rather than allowing them to sign in with a user identity [4]
- {prerequisite} an active Microsoft Entra user account with sufficient permissions to
- register an application with the tenant [4]
- assign to the application a role in the Azure subscription [4]
- ⇐ requires Application.ReadWrite.All permission [4]
- extended to support Fabric Data Warehouses [1]
- {benefit} automation-friendly API Access
- allows to create, update, read, and delete Warehouse items via Fabric REST APIs using service principals [1]
- enables to automate repetitive tasks without relying on user credentials [1]
- e.g. provisioning or managing warehouses
- increases security by limiting human error
- the warehouses thus created, will be displayed in the Workspace list view in Fabric UI, with the Owner name of the SPN [1]
- applicable to users with administrator, member, or contributor workspace role [3]
- minimizes risk
- the warehouses created with delegated account or fixed identity (owner’s identity) will stop working when the owner leaves the organization [1]
- Fabric requires the user to login every 30 days to ensure a valid token is provided for security reasons [1]
- {benefit} seamless integration with Client Tools:
- tools like SSMS can connect to the Fabric DWH using SPN [1]
- SPN provides secure access for developers to
- run COPY INTO
- with and without firewall enabled storage [1]
- run any T-SQL query programmatically on a schedule with ADF pipelines [1]
- {benefit} granular access control
- Warehouses can be shared with an SPN through the Fabric portal [1]
- once shared, administrators can use T-SQL commands to assign specific permissions to SPN [1]
- allows to control precisely which data and operations an SPN has access to [1]
- GRANT SELECT ON <table name> TO <Service principal name>
- warehouses' ownership can be changed from an SPN to user, and vice-versa [3]
- {benefit} improved DevOps and CI/CD Integration
- SPN can be used to automate the deployment and management of DWH resources [1]
- ⇐ ensures faster, more reliable deployment processes while maintaining strong security postures [1]
- {limitation} default semantic models are not supported for SPN created warehouses [3]
- ⇒ features such as listing tables in dataset view, creating report from the default dataset don’t work [3]
- {limitation} SPN for SQL analytics endpoints is not currently supported
- {limitation} SPNs are currently not supported for COPY INTO error files [3]
- ⇐ Entra ID credentials are not supported as well [3]
- {limitation} SPNs are not supported for GIT APIs. SPN support exists only for Deployment pipeline APIs [3]
- monitoring tools
- [DMV] sys.dm_exec_sessions.login_name column [3]
- [Query Insights] queryinsights.exec_requests_history.login_name [3]
- Query activity
- submitter column in Fabric query activity [3]
- Capacity metrics app:
- compute usage for warehouse operations performed by SPN appears as the Client ID under the User column in Background operations drill through table [3]
References:
[1] Microsoft Fabric Updates Blog (2024) Service principal support for
Fabric Data Warehouse [link]
[2] Microsoft Fabric Learn (2024) Service principal support in Data Factory
[link]
[3] Microsoft Fabric Learn (2024) Service principal in Fabric Data Warehouse
[link]
[4] Microsoft Fabric Learn (2024) Register a Microsoft Entra app and create
a service principal [link]
[5] Microsoft Fabric Updates Blog (2024) Announcing Service Principal support for Fabric APIs [link]
Acronyms:
ADF - Azure Data Factory
API - Application Programming Interface
CI/CD - Continuous Integration/Continuous Deployment
DMV - Dynamic Management View
DWH - Data Warehouse
SPN - service principal
SSMS - SQL Server Management Studio
