Skip to content

Tag: Identity

Connect to Power BI dataflows and datasets using Power BI Desktop with multiple accounts

Published June 4, 2019
Image result for multiple accounts

Power BI datasets and dataflows are the two native data sources for Power BI reports. Connecting to a datasets allows a report to be built against an existing Power BI dataset in place, and dataflows represent a source of data that has had transformations applied to it. When connecting to Power BI dataflows, data is imported, into a data model but the connection to a Power BI dataset is a direct connection.

The two sources handle identity in drastically different ways, and this can lead to confusion when dealing with multiple accounts and tenants. This post is an attempt to help clarify this confusion

Connecting to a dataset

To connect to a Power BI dataset, select the “Get Data” button from the ribbon, select the “Power BI” tab, select Power BI dataset, and finally the “Connect” button.

Connecting to a Power BI dataset

Next, if a user is signed into Power BI Desktop a list of workspaces and their datasets are presented. If not, the user is prompted to sign in. The dataset can then be connected.

Selecting a Power BI dataset

The important thing to notice here is the list of workspaces itself. The list presented is a list of the workspaces available in the tenant belonging to the currently signed in user. It is the same list of workspaces that can be chosen as a publishing target. It should also be noted that the identity of the user is displayed in the upper right corner of the dialog box, and the identity can be changed directly from there.

Connecting to a dataset in a different tenant

The signed in user can be changed by selecting “Sign in” at the upper right of the Power BI Desktop client, or within the connection dialog itself. If the user signs into a different account (in a different tenant), a different list of workspaces and datasets will then be offered. The dataset source is hard linked to the currently signed in user. In this way, the Power BI dataset source behaves differently than all other data sources, which maintain connection credentials separately.

Connecting to a Dataflow

Connecting to a dataflow follows the same steps as a dataset, with the exception that the “Power BI dataflows” option is chosen.

Connecting to a Power BI datflow

At this point, a Power BI data connection dialog will be shown.

Signing in to a Power BI dataflow

There is only one authentication option because Power BI dataflows only support one authentication option.

Unlike datasets, dataflows are NOT linked to the currently signed in user. The connection is authenticated, not the current user. The “Sign In” button must be selected, and authentication completed to connect to a Power BI dataflow.

Once signed in, selecting the “Connect” button will display a list of workspaces that contain dataflows. Expanding the workspace and then the dataflow will expose a list of entities that can be imported into the Power BI data model.

Selecting a Power BI dataflow

The connection information for the dataflow is cached with Power BI Desktop, and subsequent connections to dataflows will not require the user to sign in. The same authentication credentials will be used.

it should be noted that unlike the dataset connection dialog, this one does not show the current credentials and does not allow those credentials to be changed. This makes the process of changing credentials to use dataflows in multiple tenant somewhat less than intuitive.

Connecting to a dataflow in a different tenant

With datasets, changing the currently signed in user will result in a different set of datasets being presented when the dataset option is chosen. This is different with dataflows. No matter what user is currently logged in, the cached credentials will be used.

This behaviour can be confusing when multiple tenants need to be accessed. With most other data sources, the cached credentials are linked with the specific data source. For example, when two different SQL databases are connected, Power BI caches two different sets of credentials.

To connect to dataflows in a different tenant, the current connection information needs to be cleared. This can be done with any data source, but it is particularly important to dataflows as it is the only way to switch connection credentials.

To clear the credentials for the dataset, select “File”, “Options and Settings” and the “Data Source Settings”. The Data source settings dialog will then be presented.

Power BI Data source settings
Clearing the credentials for a Power BI dataflow

Unlike most other data sources which can have multiple entries in the list, one for each unique data source, there will only be one source for dataflows. It is named “Power BI dataflows. For example, if the current instance of Power BI Desktop has authenticated to 3 different SQL servers, there will be three SQL Server connections in this list, but there will only be one for dataflows, no matter how many tenants that have been connected.

To switch tenants, the current credentials must be either cleared, or edited. The cached credentials can be fully removed by selecting “Clear Permissions” or they can be changed by selecting “Edit Permissions”. If cleared, the user will be prompted for credentials the next time the dataflow option is selected. If edited, the new credentials will be stored.

Conclusions, and recommendations

It is possible to work with multiple tenants for both connected datasets and dataflows. However, the methods for doing so are completely different for either option. This can obviously lead to some confusion.

It is my opinion that this behaviour should be changed, and that the behaviour or connected datasets is the more intuitive. If the credentials for the currently logged in user were user for both types of connection, it would be much more intuitive, and also easier to user for report designers.

1 Comment

Connection Limitations using BCS With SharePoint Foundation and a Workaround

Published August 26, 2010

When SharePoint 2010 was publicly revealed at the SharePoint conference in October 2009, one of the biggest “wow” announcement was the fact that Business Connectivity Services (BCS) would now be included with SharePoint Foundation (the free version of SharePoint). The feature set that BCS not only replaced, but significantly enhanced was know as Business Data Connectivity (BDC), and in the 2007 version, it was only available with the Enterprise SKU. From Enterprise to Free? It seemed too good to be true. Unfortunately in a few cases, it is.

BCS is surfaced to users primarily as External Lists, which essentially makes back end data look to SharePoint users (and some services) like simple SharePoint list data. An external list uses external content types, which are created using SharePoint Designer 2010.

The first step in creating an external content type is creating a data connection. The data connection can connect to one of three back end sources; a .NET Type, a SQL Server connection, or a WCF Service. A .NET Type can behave however the developer wants it to, but both the SQL server connection and the WCF type run into the same issue very quickly – identity.

These connection don’t use the typical connection strings that most people are used to with Excel or .NET. You specify a server and a database, but  your identity options are limited to the 3 choices shown below:

image

The default option “Connect with User’s Identity” will use the identity of the user at run time to connect to the source data. However,if the source data is on a different server than the one hosting SharePoint,we run immediately into the “double hop” problem. Essentially the server can’t just forward the user’s credentials on to another server at run time. If your organization is using Kerberos, this isn’t a problem for you (which is good, because you probably have many others…), but if not, then your only option is impersonation.

Impersonation is essentially telling the server to use a specific set of credentials (some proxy account) whenever it connects to the back end systems. Typical data connection strings that embed a user ID and password are an example of this. Storing credentials directly in strings is a huge security risk, and SharePoint 2010 has a very good secure store service that will manage these proxy accounts in a highly secure manner. BCS data sources are designed to take advantage of this service, and selecting either of the two impersonation options above will prompt for the Secure Store Application ID to use. Great solution right?

The problem is, SharePoint Foundation doesn’t include the Secure Store Service.

That means that if you’re not using Kerberos, and your data is on a different server, your BCS options are very limited when using SharePoint Foundation. You’re either going to have to write a .NET data type, or pony up the $$ for a SharePoint standard licence if you want to use the BCS features.

I will mention one quick sort of “low rent” approach that may circumvent the need for BCS. The data view web part has been a nice way to show related data or external data in SharePoint going back to SharePoint 2003. What many don’t know is that it’s actually bidirectional, which means that you can do the standard CrUD  operations.

It’s actually very easy to use. Using SharePoint designer, first move to the Data Sources node and create a new data source. These sources will allow standard connection strings, so impersonation becomes possible (if less secure – make sure that you use least privilege accounts!). Then create a new web part page. Move to the Insert tab and select the drop down tab below the Data View button, and select your data source.

image

You will immediately be presented with a read only grid of the data. The ribbon should now also be displaying the Data View Tools tab group, with the Options tab selected. From that tab select the inline editing drop down, and choose the CrUD options that you want used.

image

There are many options around formatting, what columns are displayed, paging etc. that you can play with, but at this point you’re ready to go.

Finally, if you want a good comparison of what features are included in which editions of SharePoint, you’ll find it here

UPDATE – Sept 23 2010

As I’ve just learned, Search Server Express 2010 (SSE) comes with the Secure Store Service. SSE 2010 is a free add on to SharePoint Foundation. So if you’re in this situation, go grab it and install it. That will solve the problem.

3 Comments