Oliver Black on 11 Apr 2024 16:40:32
Currently generic OAuth passthrough is possible with custom connectors for Power BI Desktop. Currently custom connectors can also support PowerBI Web through a Power BI Gateway.
However, a Power BI Gateway connector does not support generic OAuth passthrough, instead relying on the report developers credentials, or service users credentials. For systems with complex user specific permissions, in our case Restricted Views in Palantir Foundry/AIP, this is insufficient, as it would require one service credential to be provisioned per user. This is not scalable or feasible.
It is possible to set a connector to use Entra ID OAuth passthrough, but to enable this you have to disable generic OAuth passthrough in the desktop. Enterprise customers, even those with heavy Azure investments, have a variety of IDPs, and not just AzureAD, so preventing some customers from using PowerBI Desktop OAuth at all, and presenting an inconsistent experience to different customers based on IDP selection is not an acceptable compromise.
This ultimately leaves user with a choice, get the excellent walkup usability of PowerBI Web, or get access to the data they need to write their report in PowerBI Desktop. We know of users at several large customers who are unable to use either PowerBI and/or Palantir Foundry/AIP due to this limitation.
We'd be happy to connect you directly with our PowerBI connector engineering team to talk through the detail of the issue and the ask.
- Comments (1)
RE: Power BI Web Connectors Generic OAuth Passthrough
Entra ID OAuth passthrough docs: https://learn.microsoft.com/en-us/power-bi/connect-data/service-gateway-sso-overview#interact-with-reports-that-rely-on-ssoThe ask is to extend this feature to any OAuth in Web/Gateway, as it is for desktop.Palantir Foundry/AIP restricted view docs: https://www.palantir.com/docs/foundry/security/restricted-views/