Skip to main content

Announcing data gateway support for Single Sign-On (SSO) with Azure Active Directory

Headshot of article author Kay Unkroth

We are excited to announce General Availability (GA) for Single Sign-On (SSO) through the data gateway to cloud data sources that rely on Azure Active Directory (AAD)-based authentication. In addition to Kerberos-based and Security Assertion Markup Language (SAML)-based SSO to on-prem data sources, you can now get seamless AAD SSO connectivity to Azure-based data sources, such as Azure Synapse Analytics (SQL DW), Azure SQL, Azure Data Explorer, and Snowflake on Azure through an on-premises data gateway. This is particularly important if your users work with reports that require SSO connectivity in DirectQuery mode to data sources deployed in an Azure virtual network (Azure VNet). When you configure SSO for an applicable data source, queries execute under the AAD identity of the user that interacts with the Power BI report.

Azure VNets help to establish a private network in Azure. Among other things, you can isolate your Azure resources, such as your Azure-based data sources, from other Azure participants outside of your private network to increase security. However, enabling Power BI and other public cloud services to access your data sources in a VNet requires an on-premises data gateway or a VNet data gateway (currently in public preview).

VNet data gateway eliminates the need to deploy a dedicated virtual machine, which helps to reduce management overhead and total cost of ownership. This feature is currently in public preview for Power BI premium datasets.  Refer to What is a virtual network (VNet) data gateway (Preview)  to learn more about VNet gateways, supported data sources and its current limitations.

While we improve capabilities for VNet data gateways and bridge gaps, you can deploy an on-prem data gateway, as the following diagram depicts and configure AAD SSO for these data sources.

One important security-related aspect to call out is that the person installing a gateway(owner) has full control over their on-premises data gateways and is automatically a gateway admin. Although it is technically difficult, it is not impossible for a malicious gateway owner to intercept AAD SSO tokens as they flow through an on-premises data gateway (this is not a concern for VNet data gateways because they are maintained by Microsoft.) Because an on-premises data gateway owner could at least theoretically intercept AAD SSO tokens, Azure AD Single Sign-On is disabled by default for on-premises data gateways. A Power BI admin must enable the Azure AD Single Sign-On (SSO) for Gateway tenant setting in the Power BI admin portal, as in the following screenshot, before data sources can be enabled for AAD SSO on an on-premises data gateway (PBI Admin Docs Page Link). Make sure you restrict the ability to deploy on-premises data gateways in your organization to appropriate administrators before enabling the AAD SSO capability (Manage Gateway Installers).

And that’s it for a quick announcement of support for Single Sign-On (SSO) with Azure Active Directory through an on-premises data gateway. We hope that this capability enables you to extend the reach of your BI infrastructure to those Azure-based data sources within your VNets without losing the ability to delegate AAD user identities in DirectQuery mode. Please see this link for further information and stay tuned for new capabilities and extended support of Azure data sources through the VNet data gateway.