Hi all,
I'm looking for guidance on how everyone is implementing scheduled refreshes within their PBI tenant, while also implementing MFA on their business users?
Our PBI tenant has hundreds of semantic models owned by 2-3 PBI developers/admins (including myself). As you know, enabling MFA on those developer accounts would cause scheduled refreshes to fail once the tokens expire after ~10 days. Because of this we chose to keep MFA disabled on these business accounts. The organization is understandably no longer comfortable with this approach, and we have been asked to migrate to a new approach.
I have not been able to find any meaningful documentation in terms of best practices for how to approach this, and notably, nothing really in these forums since 2021. The "conventional wisdom" appears to be one of the two methods:
- Use a Master User with MFA disabled, that has limited access within the organization.
- Create a Service Principal to take over ownership of the already implemented scheduled refreshes, authenticating to data sources using an On-Prem gateway. Do this using PowerShell.
Option 1 is likely a non-starter because you have to:
- Share the log-in for this Master User with several developers (not secure, even with a password manager)
- Still have an authorized user without MFA enabled. This is a regulation issue within our industry.
Option 2 looks promising and appears to be the conventional approach. I've watched straightforward videos from creators like GuyInACube that walk through the process. However, while talking to MS Support, they pointed out that only SOME data sources are able to be authenticated using a Service Principal. Notably, a MySQL database is NOT, and it is our primary DB. Is that a moot point if you authenticate via the On-Prem Gateway (and just use the Service Principal to establish the connections to the gateway)?
Really curious how others are managing this. Any guidance would be greatly appreciated.
Theo
Other documentation I've reviewed:
https://community.fabric.microsoft.com/t5/Service/Does-MFA-influence-scheduled-refresh/m-p/2668497
Data Factory now supports SPNs
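The "Option 2" procedure described in the post (a service principal taking over ownership of existing scheduled refreshes, with the gateway holding the actual database credentials) can be scripted with the MicrosoftPowerBIMgmt module and the Power BI REST API. The script below is an added example, not code from the original post or from Microsoft; it assumes an app registration whose client ID is in `$ClientId`, its secret in the environment variable `PBI_SPN_SECRET`, that the app is in a security group permitted under "Allow service principals to use Power BI APIs" in the admin portal, that the SPN is already a member (Contributor or higher) of the target workspace, and that `$GatewayId`/`$DatasourceId` are the object IDs of the gateway data source (for example the MySQL source) that the models use. The workspace and ID values here are placeholders you supply.

```powershell
# Added example (not from the original post): move ownership of every
# semantic model in one workspace to a service principal, and grant that
# service principal use of the gateway data source, so the human developer
# accounts can have MFA enforced without breaking scheduled refreshes.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,       # app (client) ID of the SPN
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [string] $GatewayId,                             # gateway object ID (optional)
    [string] $DatasourceId,                          # gateway data source object ID (optional)
    [switch] $Preview                                # list what would change, change nothing
)

# The secret is read from the environment (or a vault), never stored in the script.
if (-not $env:PBI_SPN_SECRET) { throw "Set PBI_SPN_SECRET before running." }
$secret = ConvertTo-SecureString $env:PBI_SPN_SECRET -AsPlainText -Force
$cred   = [pscredential]::new($ClientId, $secret)

# Sign in as the service principal (no interactive/MFA prompt involved).
Connect-PowerBIServiceAccount -ServicePrincipal -Credential $cred -Tenant $TenantId | Out-Null

$ws = Get-PowerBIWorkspace -Name $WorkspaceName
if (-not $ws) { throw "Workspace '$WorkspaceName' not found or not visible to the SPN." }

# 1. Grant the SPN read access on the gateway data source, so refreshes that run
#    under the SPN can use the credentials already stored on the gateway.
#    (REST: POST gateways/{gatewayId}/datasources/{datasourceId}/users)
if ($GatewayId -and $DatasourceId) {
    $body = @{ principalType = 'App'; identifier = $ClientId; datasourceAccessRight = 'Read' } |
            ConvertTo-Json
    if ($Preview) {
        Write-Host "Would add SPN $ClientId as Read user on datasource $DatasourceId"
    } else {
        Invoke-PowerBIRestMethod -Url "gateways/$GatewayId/datasources/$DatasourceId/users" `
                                 -Method Post -Body $body | Out-Null
        Write-Host "Added SPN as Read user on datasource $DatasourceId"
    }
}

# 2. Take over each refreshable model in the workspace.
#    (REST: POST groups/{groupId}/datasets/{datasetId}/Default.TakeOver)
$datasets = Get-PowerBIDataset -WorkspaceId $ws.Id
foreach ($ds in $datasets) {
    if (-not $ds.IsRefreshable) { continue }        # e.g. DirectQuery-only or push models
    $url = "groups/$($ws.Id)/datasets/$($ds.Id)/Default.TakeOver"
    if ($Preview) {
        Write-Host "Would take over '$($ds.Name)' (currently configured by: $($ds.ConfiguredBy))"
        continue
    }
    try {
        Invoke-PowerBIRestMethod -Url $url -Method Post | Out-Null
        Write-Host "Took over '$($ds.Name)'"
    } catch {
        # Keep going; a single failure should not abort the migration of the rest.
        Write-Warning "Take-over failed for '$($ds.Name)': $($_.Exception.Message)"
    }
}

# 3. Report the most recent refresh of each model so the result can be checked
#    after the next scheduled run. (REST: GET groups/{g}/datasets/{d}/refreshes?$top=1)
foreach ($ds in $datasets | Where-Object IsRefreshable) {
    $last = Invoke-PowerBIRestMethod -Url "groups/$($ws.Id)/datasets/$($ds.Id)/refreshes?`$top=1" `
                                     -Method Get | ConvertFrom-Json
    $status = if ($last.value) { $last.value[0].status } else { 'no refresh recorded' }
    Write-Host ("{0,-40} last refresh: {1}" -f $ds.Name, $status)
}
```

Run it once with `-Preview` to see which models and which current owners would be affected, then without it. Taking over a model does not copy the previous owner's data source credentials to the SPN, which is exactly why the gateway route works for sources such as MySQL that the SPN cannot authenticate to directly: the credential stays on the gateway data source, and the SPN only needs to be listed as a user of that data source (step 1) and to own the model (step 2). Afterwards, the developer accounts can have MFA enabled, and the SPN's secret should be kept in a vault with a rotation schedule, since it is now the credential the refreshes depend on.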