DEV Community

Krishna Tangudu

Setting up Snowflake–Power BI Connectivity with Azure AD SSO and Auto-Provisioning

Overview:

This post walks through how to enable end-to-end SSO from Power BI to Snowflake using Azure AD, while automatically provisioning users and roles via SCIM. It’s designed for enterprise BI scenarios where analysts connect with DirectQuery or scheduled refresh and you want their Azure AD identity and group membership to control Snowflake access without manual user administration.

Step 1: Configure SSO to Snowflake with Azure AD

Step 1.1: Register Snowflake in Azure AD
Ask your Azure team to register the Snowflake application in Azure AD using these values (replace <account_locator> with your Snowflake account locator):

Identifier (Entity ID):
https://<account_locator>.snowflakecomputing.com/

Reply URL:
https://<account_locator>.snowflakecomputing.com/fed/login

Sign On URL:
https://<account_locator>.snowflakecomputing.com/

Sign Out URL:
https://<account_locator>.snowflakecomputing.com/fed/logout

Step 1.2: Collect SAML metadata from Azure AD

From the SAML metadata of the registered application, collect the following values for the Snowflake integration:

  • EntityID, in the form https://sts.windows.net// → use as SAML2_ISSUER
  • Location, in the form https://login.microsoftonline.com//saml2 → use as SAML2_SSO_URL
  • X509Certificate → use as SAML2_X509_CERT
  • SAML2_PROVIDER → set to CUSTOM when Azure AD is the IdP

Step 1.3: Create the SAML2 integration in Snowflake

Run as ACCOUNTADMIN:

USE ROLE ACCOUNTADMIN;

CREATE SECURITY INTEGRATION <AZURE_AD_SSO_NAME>
  TYPE = SAML2
  ENABLED = TRUE
  SAML2_ISSUER = '<EntityID from metadata>'
  SAML2_SSO_URL = '<Location from metadata>'
  SAML2_PROVIDER = 'CUSTOM'
  SAML2_X509_CERT = '<X509 certificate>'
  SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'AzureADSSO'
  SAML2_ENABLE_SP_INITIATED = TRUE;

This enables browser-based SSO into Snowflake via Azure AD.

Step 2: Enable Automatic Provisioning with SCIM

Step 2.1: Create functional Azure AD groups
Have the support/AD team create Azure AD groups that follow a functional-role naming convention, for example:

DEVELOPER-SNOWFLAKE
ADMIN-SNOWFLAKE
SUPPORT-SNOWFLAKE

These group names will become Snowflake role names via SCIM and act as default roles.

Step 2.2: Create SCIM integration in Snowflake

Run as ACCOUNTADMIN:

CREATE ROLE IF NOT EXISTS AAD_PROVISIONER;

GRANT CREATE USER ON ACCOUNT TO ROLE AAD_PROVISIONER;
GRANT CREATE ROLE ON ACCOUNT TO ROLE AAD_PROVISIONER;

GRANT ROLE AAD_PROVISIONER TO ROLE ACCOUNTADMIN;
GRANT ROLE AAD_PROVISIONER TO ROLE SYSADMIN;

CREATE OR REPLACE SECURITY INTEGRATION AAD_PROVISIONING
  TYPE = SCIM
  SCIM_CLIENT = 'azure'
  RUN_AS_ROLE = 'AAD_PROVISIONER';


Then generate the SCIM access token:

SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('AAD_PROVISIONING');

Notes:

  • The token is valid for 6 months; you must regenerate it periodically.
  • Add monitoring/alerting so the token is renewed before it expires; once it has expired, Azure AD can no longer provision or deprovision users and roles.
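One way to implement the monitoring the note asks for, as an added example that is not part of the original post: an ad hoc query over SCIM API events plus a scheduled Snowflake alert that fires when provisioning activity stops (the usual symptom of an expired token). It assumes the AAD_PROVISIONING integration from Step 2.2, and the warehouse MONITOR_WH, the schema ADMIN_DB.MONITORING and the table SCIM_ALERT_LOG are placeholders of my own.

```sql
-- Added example (not from the original post): detect stalled SCIM provisioning.
-- Assumptions: integration AAD_PROVISIONING (Step 2.2); MONITOR_WH, ADMIN_DB.MONITORING
-- and SCIM_ALERT_LOG are placeholders; ACCOUNTADMIN can create and execute alerts.
USE ROLE ACCOUNTADMIN;
USE SCHEMA ADMIN_DB.MONITORING;

-- 1. Ad hoc check: SCIM calls from Azure AD in the last 24 hours that returned an error
--    (rejected user/group payloads, authorisation failures, etc.).
SELECT event_timestamp, method, endpoint, status, error_code, details
FROM TABLE(SNOWFLAKE.INFORMATION_SCHEMA.REST_EVENT_HISTORY(
       'scim',
       DATEADD('hour', -24, CURRENT_TIMESTAMP()),
       CURRENT_TIMESTAMP(),
       1000))
WHERE error_code IS NOT NULL
ORDER BY event_timestamp DESC;

-- 2. Scheduled check: Entra ID runs a provisioning cycle roughly every 40 minutes, so
--    six hours without any SCIM call means provisioning has stopped (expired token,
--    disabled enterprise app, or a network policy blocking Microsoft's IP ranges).
CREATE TABLE IF NOT EXISTS SCIM_ALERT_LOG (
  alerted_at TIMESTAMP_LTZ,
  message    STRING
);

CREATE OR REPLACE ALERT SCIM_PROVISIONING_STALLED
  WAREHOUSE = MONITOR_WH
  SCHEDULE = '60 MINUTE'
  IF (EXISTS (
        SELECT 1
        FROM (SELECT COUNT(*) AS calls
              FROM TABLE(SNOWFLAKE.INFORMATION_SCHEMA.REST_EVENT_HISTORY(
                     'scim',
                     DATEADD('hour', -6, CURRENT_TIMESTAMP()),
                     CURRENT_TIMESTAMP(),
                     1000)))
        WHERE calls = 0))
  THEN
    INSERT INTO SCIM_ALERT_LOG (alerted_at, message)
    VALUES (CURRENT_TIMESTAMP(),
            'No SCIM calls in the last 6 hours: check the SCIM token and the Entra app');

-- Alerts are created in a suspended state; resume it to start the schedule.
ALTER ALERT SCIM_PROVISIONING_STALLED RESUME;
```

Replace the INSERT with SYSTEM$SEND_EMAIL via a notification integration if you want the alert delivered rather than logged.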

Step 2.3: Share SCIM details with the Azure team

Tenant URL:
https://.snowflakecomputing.com/scim/v2/

Secret Token: The SCIM access token generated above

They will configure the Snowflake enterprise app in Microsoft Entra ID (Azure AD) for automatic provisioning, following Microsoft’s “Configure Snowflake for automatic user provisioning with Microsoft Entra ID” tutorial.

Step 3: Configure SSO from Power BI to Snowflake

Step 3.1: Security Integration creation

CREATE OR REPLACE SECURITY INTEGRATION CM_SC_<ACCOUNT_LOCATOR>_SSO_POWERBI_SNFK
  TYPE = EXTERNAL_OAUTH
  ENABLED = TRUE
  EXTERNAL_OAUTH_TYPE = AZURE
  EXTERNAL_OAUTH_ISSUER = '<EntityID from Step 1.2 (https://sts.windows.net/.../)>'
  EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.windows.net/common/discovery/keys'
  EXTERNAL_OAUTH_AUDIENCE_LIST = (
    'https://analysis.windows.net/powerbi/connector/Snowflake',
    'https://analysis.windows.net/powerbi/connector/snowflake'
  )
  EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
  EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';
-- The upn claim in the Azure AD token must match the user's login_name in Snowflake
-- (usually the e-mail address); otherwise the login is rejected.

ALTER SECURITY INTEGRATION CM_SC_<ACCOUNT_LOCATOR>_SSO_POWERBI_SNFK
  SET EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE'; -- Lets the user switch to any role granted to them,
                                               -- not only roles named in the token's scope
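To verify the integration and troubleshoot the upn-to-login_name mapping described above, here is an added example that is not part of the original post. It assumes the integration name from Step 3.1 and a role with access to the SNOWFLAKE.ACCOUNT_USAGE views (ACCOUNTADMIN here); the views lag live events by up to about two hours.

```sql
-- Added example (not from the original post): verify the EXTERNAL_OAUTH integration
-- and find Power BI OAuth logins that Snowflake rejected.
-- Assumptions: integration name from Step 3.1; ACCOUNTADMIN can read ACCOUNT_USAGE.
USE ROLE ACCOUNTADMIN;

-- 1. Confirm the issuer, audience list and claim mapping exactly as Snowflake stored them.
DESCRIBE SECURITY INTEGRATION CM_SC_<ACCOUNT_LOCATOR>_SSO_POWERBI_SNFK;

-- 2. OAuth logins from the last 24 hours, successes and failures side by side.
--    A failure for a user who exists in Azure AD usually means the token's upn does
--    not match any Snowflake LOGIN_NAME (different case, alias or domain).
SELECT event_timestamp,
       user_name,
       reported_client_type,
       is_success,
       error_code,
       error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE first_authentication_factor = 'OAUTH_ACCESS_TOKEN'
  AND event_timestamp >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 3. Active users whose LOGIN_NAME differs from their e-mail: the usual cause of a
--    upn mapping failure when SCIM or a manual CREATE USER set them differently.
SELECT name, login_name, email
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE deleted_on IS NULL
  AND LOWER(login_name) <> LOWER(email)
ORDER BY name;
```

For a real-time view while testing a single login, the INFORMATION_SCHEMA.LOGIN_HISTORY table function returns the same columns without the ACCOUNT_USAGE latency.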

Step 3.2: Grant Snowflake access for Power BI users
Grant the appropriate warehouse and database access to the Snowflake roles that SCIM created from the Azure AD groups. Note that GRANT SELECT ON ALL TABLES covers only the tables that exist at grant time; tables created later need a further grant.

GRANT USAGE ON WAREHOUSE <WAREHOUSENAME>
  TO ROLE "DEVELOPER-SNOWFLAKE";

GRANT USAGE ON DATABASE <DATABASENAME>
  TO ROLE "DEVELOPER-SNOWFLAKE";

GRANT USAGE ON SCHEMA <DATABASENAME.SCHEMANAME>
  TO ROLE "DEVELOPER-SNOWFLAKE";

GRANT SELECT ON ALL TABLES IN SCHEMA <DATABASENAME.SCHEMANAME>
  TO ROLE "DEVELOPER-SNOWFLAKE";

Step 3.3: Network policy and IP ranges

If you use Snowflake network policies, ensure the policy allows:

  • Power BI service IP ranges
  • Azure AD IP ranges

Microsoft publishes the current IP ranges here:
https://www.microsoft.com/en-us/download/details.aspx?id=56519

Step 4: Using it from Power BI

Once everything above is configured:

  • In Power BI (Desktop or Service), use the Snowflake connector.
  • Sign in with your Azure AD (organizational) account.
  • The connector obtains an Azure AD token, which Snowflake validates via the EXTERNAL_OAUTH integration, mapping the upn claim to the Snowflake login_name.

Note:
When connecting from the Power BI service, enter the server name in all lower case; otherwise the Power BI interface returns unclear errors.
