Configuring Authorization for Microsoft Power BI
This topic describes configuring authorization of Power BI to Dremio with Azure Active Directory (Azure AD or AAD). With this authorization option, Dremio is able to handle secure user authorization with an identity provider (IdP) using JSON Web Tokens (JWTs).
- Microsoft Power BI Desktop (December 2021+), which includes Dremio as a Certified Connector
- Support key
Understanding Authentication Values
Dremio serves as a resource provider and authorization server when AAD is used as an authorization server for a client application. However, Azure AD may also serve as an external authorization server when configured in Dremio.
The following sections offer additional context regarding the values required to correctly enable this feature. Dremio specifically looks for the following JWT claims contained within jwtClaims on OAuth tokens received from a token provider:
The authorization process for these tokens is as described below:
- An admin enables Azure AD as a token provider using Dremio's Power BI Authorization feature.
- A user connects to the client application, whereupon the user is sent to the external token provider.
- The token provider authorizes the user, obtains their consent, and returns an authorization code followed by a JWT to the client application.
- The client application exchanges the JWT for a Dremio token.
- The client application then uses the Dremio token to connect to the Dremio service.
- Dremio verifies the user using the token and grants access only to resources the user has permissions for.
Azure Active Directory Tenant ID
Azure AD utilizes a subscription-application trust relationship, which is used to authorize users with a service such as Power BI or Dremio. Each subscription assigns an organization a tenant ID, which is used to verify and validate users as trusted.
Dremio requires the following claim in associated tokens:
Required claim
Instructions for how to find your tenant ID may be found here.
Configuring Azure Active Directory for Power BI
- From Dremio, click the Settings (gear) icon at the bottom-left corner of the screen. Click Settings from the menu.
- On the Settings page, click Support from the left-hand menu.
- Under the Support Key section, enter auth.external-token-providers.enabled in the search bar on the right and click Show.
- Where the new support key appears at the top of the list of keys, click the Enable button.
- Click BI Applications > Authorization from the left sidebar.
- Select Enable single sign on for Power BI.
- In the Azure Active Directory Tenant ID field, enter the tenant ID of your Azure AD account. Tenant IDs are described here.
- In the User Claim Mapping or User Claim Mapping (Legacy) field, specify the key of the user claim that Dremio Cloud must look up to find the username of the user attempting to log in through an external token provider.
Only JSON Web Tokens (JWTs) are supported. The user claim in a JWT uniquely identifies the user.
The User Claim Mapping field is for use with Power BI November 2022 or later. When you use one of these versions of Power BI with Azure Active Directory, the user claim is upn, which is a basic claim in v1.0 access tokens. If you are using a different external token provider and a user claim other than upn, specify that user claim in the User Claim Mapping field.
The User Claim Mapping (Legacy) field is for use with Power BI October 2022 or earlier. When you use one of these versions of Power BI with Azure Active Directory, the user claim is preferred_username, which is a payload claim in v2.0 access tokens. If you are using a different external token provider and a user claim other than preferred_username, specify that user claim in the User Claim Mapping field.
- Click Save.
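When sign-in fails after saving, a common cause is a user claim key that the token does not carry (for example upn configured while the token only has preferred_username). The following Python is an added example, not Dremio's code: it decodes a token payload without verifying the signature, for inspection only, and reports whether the tenant ID and configured user claim are present. The tid and ver claim names are standard Azure AD claims assumed here; the function names, sample tokens and all-zero tenant ID are constructed for illustration.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_claims(token):
    """Decode a compact JWT payload WITHOUT signature verification (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def check_mapping(token, tenant_id, user_claim):
    """Compare a token against the tenant ID and user claim key entered in Dremio."""
    claims = read_claims(token)
    username = claims.get(user_claim)
    return {
        "token_version": claims.get("ver"),  # "1.0" or "2.0" in Azure AD tokens
        "tenant_matches": str(claims.get("tid", "")).lower() == tenant_id.lower(),
        "user_claim_present": isinstance(username, str) and username != "",
        "username": username,
        # Which of the two claims named on this page the token actually carries.
        "candidate_claims": [c for c in ("upn", "preferred_username") if c in claims],
    }

def make_sample_token(claims):
    # Constructed sample: placeholder signature segment, not a real signed token.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
V1_TOKEN = make_sample_token({"ver": "1.0", "tid": TENANT, "upn": "alice@example.com"})
V2_TOKEN = make_sample_token({"ver": "2.0", "tid": TENANT, "preferred_username": "alice@example.com"})

if __name__ == "__main__":
    # Configured claim key is "upn": the v1.0 token resolves, the v2.0 token does not.
    for label, tok in (("v1.0", V1_TOKEN), ("v2.0", V2_TOKEN)):
        print(label, check_mapping(tok, TENANT, "upn"))
```

Because the signature is not checked, the output says nothing about whether a token is genuine; use it only to confirm which claim key to enter.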
Disabling AAD for Power BI
Perform the following steps to disable the Power BI AAD configuration:
- From Dremio, click the Settings (gear) icon at the bottom-left corner of the screen. Click Settings from the menu.
- Click BI Applications > Authorization from the left sidebar.
- Deselect Enable single sign on for Power BI to disable the single sign-on service if it is checked.
- Click Save.