Single Sign-On(SSO) has been available for DirectQuery-based reports in Power BI for a while,ย we are now enabling a similar feature for Refresh-based reports as well. Based on this new enhancement, the dataset owner’s security context- their User Principal name(UPN) will be used to refresh a dataset.
Note: This feature would be available only for the list of SSO data sources using Kerberos constrained delegation
Few areas where this would help:
- The refresh for a dataset would be based on permissions for the dataset owner on the underlying data source.
- When user passwords expire or change, there wouldn’t be a need for updating them as they aren’t stored in this case, .
Setup and Configuration
1. For this feature to work, you are first required to configure Kerberos constrained delegation.
2. After you complete the Kerberos configuration, use the **Manage Gateways** page in Power BI to create a new data source.
3. Then, under **Advanced Settings** , check the **Use SSO via Kerberos for DirectQuery And Import queries**ย option to enable SSO for Refresh based Reports.
The credentials are greyed out and the “Skip Test Connection” is automatically enabled once this option is selected.
Note: Data sources with **Use SSO via Kerberos for DirectQuery And Import queries**ย option cannot be used for Power BI refreshes requiring stored credentials. For DirectQuery-based Reports however, you could use either the **Use SSO via Kerberos for DirectQuery And Import queries**ย orย **Use SSO via Kerberos for DirectQuery queries**.
4. Click Add once all the required fields are filled in. Once created, only the data source name can be edited- none of the other fields are editable.
5. When you publish a Refresh based Power BI report, you can now map the dataset to this data source. Every refresh of the dataset would now use the dataset owner’s security context.
Please continue to send us feedback for what new capabilities youโd like to see in the future