Power BI and Snowflake administrators who want to remove static credentials and give users a friction‑free login experience backed by Microsoft Entra ID
tl;dr
This post matters because you need to prepare for Snowflake's strong-authentication deadlines: Snowflake will block single-factor password authentication in November 2025 (or possibly April 2026). The point is that this change is coming, and the goal is to use External OAuth SSO to future-proof your deployment. I leave you with some best practices at the end as well. I wrote this post because I had to set this up myself, and I couldn't find clear instructions across Microsoft and Snowflake.
Architecture at a Glance
- Power BI Service requests a Microsoft Entra ID (formerly Azure AD) token for Snowflake.
- The token travels in the connection string of the embedded Snowflake ODBC driver.
- Snowflake validates the token against the External OAuth security integration you create in Step 3 and opens the user session with the mapped role.
Prerequisites
Tip: Keep the network policy under the 100 kB limit by scoping it to Power BI ranges only.
You can get the Tenant ID in two ways. The simpler way is to go to the top corner in Power BI and select the “i” beside your tenant name; the other way is to look it up in the Azure portal.
Configure Snowflake
- Sign in to the Snowflake web UI with a role that can create integrations.
- Create the External OAuth security integration. Replace the placeholder values before running.
CREATE OR REPLACE SECURITY INTEGRATION powerbi
TYPE = external_oauth
ENABLED = true
EXTERNAL_OAUTH_TYPE = azure
EXTERNAL_OAUTH_ISSUER = 'https://sts.windows.net/<TENANT_ID>/'
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.windows.net/common/discovery/keys'
EXTERNAL_OAUTH_AUDIENCE_LIST = (
'https://analysis.windows.net/powerbi/connector/Snowflake',
'https://analysis.windows.net/powerbi/connector/snowflake')
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';
- Verify:
DESC INTEGRATION powerbi;
- (Recommended) Restrict which roles an OAuth token can assume:
-- (Recommended) Limit the roles that Power BI can activate on behalf of a user
ALTER SECURITY INTEGRATION powerbi
SET EXTERNAL_OAUTH_ALLOWED_ROLES_LIST = (
SYSADMIN,
ANALYST,
PROD_RL
);
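To make the integration parameters above concrete, here is an added illustration (not code from the post or from Snowflake) of the claim checks those parameters configure: the token's issuer must be your tenant's STS, its audience must name the Power BI Snowflake connector, the upn claim must resolve to a user's LOGIN_NAME, and any role the session asks for must be in the allowed-roles list. The tenant ID, users and tokens are constructed placeholders, tokens are built unsigned, and signature verification against EXTERNAL_OAUTH_JWS_KEYS_URL is assumed to have already passed; Snowflake's real implementation is not modelled beyond these checks.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed values mirroring the CREATE SECURITY INTEGRATION statement above.
# TENANT_ID is a placeholder, not a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
INTEGRATION = {
    "issuer": f"https://sts.windows.net/{TENANT_ID}/",      # EXTERNAL_OAUTH_ISSUER
    "audience_list": {                                       # EXTERNAL_OAUTH_AUDIENCE_LIST
        "https://analysis.windows.net/powerbi/connector/Snowflake",
        "https://analysis.windows.net/powerbi/connector/snowflake",
    },
    "user_mapping_claim": "upn",                             # EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM
    "allowed_roles": {"SYSADMIN", "ANALYST", "PROD_RL"},     # EXTERNAL_OAUTH_ALLOWED_ROLES_LIST
}

# Constructed Snowflake users keyed by LOGIN_NAME (the mapping attribute used above).
USERS_BY_LOGIN_NAME = {"ALICE@EXAMPLE.COM": "ALICE", "BOB@EXAMPLE.COM": "BOB"}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for illustration only."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def decode_claims(token: str) -> dict:
    """Return the payload segment of a JWT as a dict (no signature check here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, integration: dict,
                requested_role: Optional[str] = None) -> Tuple[bool, str]:
    """Simplified model of the claim checks the integration parameters configure.

    Signature verification against EXTERNAL_OAUTH_JWS_KEYS_URL is assumed to have
    already succeeded; only the claim and user-mapping checks are modelled.
    """
    claims = decode_claims(token)
    # 1. Issuer must be this tenant's STS, so tokens minted for other tenants are rejected.
    if claims.get("iss") != integration["issuer"]:
        return False, "issuer mismatch"
    # 2. Audience must name the Power BI Snowflake connector (either casing is listed).
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & integration["audience_list"]:
        return False, "audience not in EXTERNAL_OAUTH_AUDIENCE_LIST"
    # 3. The mapping claim (upn) must resolve to a user's LOGIN_NAME (compared case-insensitively).
    upn = claims.get(integration["user_mapping_claim"])
    if not upn:
        return False, f"mapping claim '{integration['user_mapping_claim']}' missing"
    user = USERS_BY_LOGIN_NAME.get(upn.upper())
    if user is None:
        return False, "no Snowflake user with a matching LOGIN_NAME"
    # 4. A role requested for the session must be in the allowed-roles list.
    if requested_role and requested_role.upper() not in integration["allowed_roles"]:
        return False, f"role {requested_role} not in EXTERNAL_OAUTH_ALLOWED_ROLES_LIST"
    return True, f"session for {user}"


if __name__ == "__main__":
    token = make_unsigned_token({"iss": INTEGRATION["issuer"],
                                 "aud": "https://analysis.windows.net/powerbi/connector/Snowflake",
                                 "upn": "alice@example.com"})
    print(check_token(token, INTEGRATION, "ANALYST"))
    print(check_token(token, INTEGRATION, "ACCOUNTADMIN"))
```

The useful takeaway is step 4: without EXTERNAL_OAUTH_ALLOWED_ROLES_LIST, a valid token could start a session in any role the mapped user holds, which is why the post recommends setting it before rolling SSO out to viewers.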
- (Recommended) Lock Snowflake down to Power BI Region IPs
Snowflake network policies only accept IPv4 prefixes, so we filter the Service Tag list accordingly. I chose Canada Central as it is my region for this exercise. As of April 14, 2025, the Canada Central tag contains these Power BI ranges:
-- Define the IP list as a reusable network rule
CREATE OR REPLACE NETWORK RULE powerbi_ca_central_ips
TYPE = 'IPV4'
MODE = INGRESS
VALUE_LIST = (
'4.206.229.128/27',
'20.48.196.232/29',
'20.48.197.124/30',
'20.48.202.16/29',
'20.48.202.24/30',
'52.228.81.160/31',
'52.228.81.168/29',
'52.228.81.176/28',
'52.228.81.192/27'
);
-- Reference the rule from a network policy
CREATE OR REPLACE NETWORK POLICY powerbi_ca_central
ALLOWED_NETWORK_RULE_LIST = ('powerbi_ca_central_ips')
BLOCKED_NETWORK_RULE_LIST = ();
-- Enforce the policy at the account level
ALTER ACCOUNT SET NETWORK_POLICY = powerbi_ca_central;
Update cadence: Microsoft refreshes Service Tags weekly. Automate a job that fetches the Service Tags JSON, extracts the PowerBI.CanadaCentral block, keeps only its IPv4 prefixes, and diffs them against the current rule. Abort if the generated statement exceeds the 100 kB policy limit.
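The update job described above, as an added example that is not part of the post or of any Snowflake or Microsoft tooling: it reads a Service Tags document, extracts one tag, drops the IPv6 prefixes a TYPE = 'IPV4' rule cannot hold, diffs the result against the prefixes already in the rule, renders the replacement statement, and refuses to emit one over the 100 kB limit. The JSON below is a constructed excerpt in the shape of Microsoft's download (a "values" list of tags, each with properties.addressPrefixes); it contains the nine Canada Central ranges listed above plus one constructed IPv6 prefix and one constructed extra IPv4 prefix from a documentation range, so the diff has something to report. Fetching the file and running the statement against Snowflake are left to the caller.

```python
import ipaddress
import json
from typing import Dict, List, Tuple

POLICY_LIMIT_BYTES = 100 * 1024  # the 100 kB network policy limit mentioned above

# Constructed excerpt in the shape of Microsoft's Service Tags JSON download.
# The CanadaCentral list is the nine ranges above plus two constructed entries:
# 203.0.113.0/28 (a documentation range, simulating a newly added prefix) and
# 2001:db8:1234::/48 (an IPv6 documentation prefix that must be filtered out).
SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "PowerBI.CanadaCentral",
         "properties": {"addressPrefixes": [
             "4.206.229.128/27", "20.48.196.232/29", "20.48.197.124/30",
             "20.48.202.16/29", "20.48.202.24/30", "52.228.81.160/31",
             "52.228.81.168/29", "52.228.81.176/28", "52.228.81.192/27",
             "203.0.113.0/28", "2001:db8:1234::/48"]}},
        {"name": "PowerBI.CanadaEast",
         "properties": {"addressPrefixes": ["198.51.100.0/24"]}},  # constructed
    ],
})

# Prefixes currently in the powerbi_ca_central_ips rule shown above.
CURRENT_RULE_PREFIXES = [
    "4.206.229.128/27", "20.48.196.232/29", "20.48.197.124/30",
    "20.48.202.16/29", "20.48.202.24/30", "52.228.81.160/31",
    "52.228.81.168/29", "52.228.81.176/28", "52.228.81.192/27",
]


def extract_ipv4_prefixes(service_tags_json: str, tag_name: str) -> List[str]:
    """Return one tag's IPv4 prefixes in address order, dropping IPv6 entries."""
    doc = json.loads(service_tags_json)
    for tag in doc["values"]:
        if tag["name"] == tag_name:
            nets = [ipaddress.ip_network(p, strict=False)
                    for p in tag["properties"]["addressPrefixes"]]
            return [str(n) for n in sorted(n for n in nets if n.version == 4)]
    raise KeyError(f"service tag {tag_name!r} not found")


def diff_prefixes(current: List[str], desired: List[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) relative to the prefixes already in the rule."""
    cur, des = set(current), set(desired)
    return sorted(des - cur), sorted(cur - des)


def render_network_rule(rule_name: str, prefixes: List[str]) -> str:
    """Render the CREATE OR REPLACE NETWORK RULE statement in the form used above."""
    values = ",\n".join(f"    '{p}'" for p in prefixes)
    return (
        f"CREATE OR REPLACE NETWORK RULE {rule_name}\n"
        f"  TYPE = 'IPV4'\n"
        f"  MODE = INGRESS\n"
        f"  VALUE_LIST = (\n{values}\n  );"
    )


def plan_update(service_tags_json: str, tag_name: str, rule_name: str,
                current: List[str]) -> Dict:
    """Produce the statement to run, or report no change if the rule is current.

    Raises ValueError instead of emitting a statement over the 100 kB limit.
    """
    desired = extract_ipv4_prefixes(service_tags_json, tag_name)
    added, removed = diff_prefixes(current, desired)
    if not added and not removed:
        return {"changed": False, "added": [], "removed": [], "statement": None}
    statement = render_network_rule(rule_name, desired)
    size = len(statement.encode("utf-8"))
    if size > POLICY_LIMIT_BYTES:
        raise ValueError(f"generated statement is {size} bytes, over the {POLICY_LIMIT_BYTES} byte limit")
    return {"changed": True, "added": added, "removed": removed, "statement": statement}


if __name__ == "__main__":
    plan = plan_update(SERVICE_TAGS_JSON, "PowerBI.CanadaCentral",
                       "powerbi_ca_central_ips", CURRENT_RULE_PREFIXES)
    print("added:", plan["added"], "removed:", plan["removed"])
    if plan["changed"]:
        print(plan["statement"])
```

Because the rule is referenced by name from the policy, replacing the rule is enough; the policy and the ALTER ACCOUNT statement stay as they are. Log the added and removed lists on every run so an unexpected removal is noticed before it locks Power BI out.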
- (Optional) Enable secondary roles
-- Permit viewers to adopt any secondary role they hold
ALTER SECURITY INTEGRATION powerbi
SET EXTERNAL_OAUTH_ANY_ROLE_MODE = ENABLE;
Enable SSO in the Power BI Admin Portal
- Sign in to Power BI with Fabric administrator credentials.
- Open Settings → Admin portal → Tenant settings → Integration settings.
- Expand Snowflake SSO, toggle Enabled, then select Apply.
- Wait up to one hour for the change to propagate.
What it does: Grants consent for Power BI to embed user Entra tokens in the Snowflake connection string.
First‑time Connection from Power BI Desktop and Publishing the semantic model to Power BI Service
- Get Data → Snowflake.
- Enter the account URL (org‑account.azure.snowflakecomputing.com) and warehouse.
- Select Microsoft Account and complete the login.
- Build the report and publish it to the workspace you configured above.
- Once the report is published to a workspace in Power BI, the publisher needs to open Settings for the semantic model, edit the Snowflake connection, set the authentication method to OAuth2, and sign in again.
Switch an Existing Semantic Model to SSO
- In the workspace, select More options ⋯ → Settings on your semantic model.
- Under Data source credentials, choose Edit.
Set the Authentication method = OAuth2 (Microsoft Entra ID).
Check the option End users use their own OAuth2 credentials when accessing this data source via DirectQuery.
Select Sign in and complete the Entra ID consent prompt.
From now on, every DirectQuery report built on this model opens with the viewer’s own Snowflake session.
Test the Flow
- Refresh the report in the Power BI Service. It should load without credential prompts.
- In Snowflake, run:
-- Logins from the last 10 minutes, newest first (add a WHERE on USER_NAME to narrow to one viewer)
SELECT *
FROM TABLE (INFORMATION_SCHEMA.LOGIN_HISTORY( DATEADD('minutes',-10,CURRENT_TIMESTAMP()), CURRENT_TIMESTAMP() ) )
ORDER BY EVENT_TIMESTAMP DESC
LIMIT 10;
Ensure FIRST_AUTHENTICATION_FACTOR = 'OAUTH_ACCESS_TOKEN' and the user name matches the viewer.
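The check in the sentence above, run over sample rows as an added example that is not part of the post: given rows in the shape of the LOGIN_HISTORY columns the query returns, confirm that the viewer's latest successful login used OAUTH_ACCESS_TOKEN, and list any users whose recent successful logins were password-only, which is the pattern the strong-authentication deadline in the tl;dr will block. The rows, timestamps, user names and client IPs are constructed; in practice you would feed in the query's result set.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

NOW = datetime(2025, 4, 14, 12, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed rows in the shape of the LOGIN_HISTORY columns returned by the query above.
LOGIN_ROWS: List[Dict] = [
    {"EVENT_TIMESTAMP": NOW - timedelta(minutes=2), "USER_NAME": "ALICE",
     "CLIENT_IP": "4.206.229.130", "REPORTED_CLIENT_TYPE": "ODBC",
     "FIRST_AUTHENTICATION_FACTOR": "OAUTH_ACCESS_TOKEN",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": NOW - timedelta(minutes=5), "USER_NAME": "BOB",
     "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": NOW - timedelta(minutes=7), "USER_NAME": "CAROL",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": NOW - timedelta(minutes=40), "USER_NAME": "ALICE",
     "CLIENT_IP": "198.51.100.3", "REPORTED_CLIENT_TYPE": "ODBC",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def recent_successful(rows: List[Dict], window_minutes: int = 10,
                      now: datetime = NOW) -> List[Dict]:
    """Successful logins inside the window, newest first (same window as the query above)."""
    cutoff = now - timedelta(minutes=window_minutes)
    hits = [r for r in rows if r["IS_SUCCESS"] == "YES" and r["EVENT_TIMESTAMP"] >= cutoff]
    return sorted(hits, key=lambda r: r["EVENT_TIMESTAMP"], reverse=True)


def verify_sso_login(rows: List[Dict], expected_user: str,
                     now: datetime = NOW) -> Tuple[bool, str]:
    """The viewer's latest successful login in the window must carry the OAuth access token."""
    for r in recent_successful(rows, now=now):
        if r["USER_NAME"] == expected_user.upper():
            factor = r["FIRST_AUTHENTICATION_FACTOR"]
            if factor == "OAUTH_ACCESS_TOKEN":
                return True, f"{expected_user} logged in with OAUTH_ACCESS_TOKEN from {r['CLIENT_IP']}"
            return False, f"{expected_user} logged in with {factor}, not an OAuth token"
    return False, f"no successful login for {expected_user} in the window"


def single_factor_password_users(rows: List[Dict], now: datetime = NOW) -> List[str]:
    """Users whose recent successful logins used a password with no second factor."""
    return sorted({r["USER_NAME"] for r in recent_successful(rows, now=now)
                   if r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                   and not r["SECOND_AUTHENTICATION_FACTOR"]})


if __name__ == "__main__":
    print(verify_sso_login(LOGIN_ROWS, "alice"))
    print("password-only users:", single_factor_password_users(LOGIN_ROWS))
```

Widen the window and run the second function over a few weeks of LOGIN_HISTORY to get the list of accounts (service users included) that still need a different authentication method before the deadline.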
Troubleshooting Quick Reference
Security Best Practices
- Keep the integration enabled = true only while testing; disable or drop unused integrations.
- Grant narrow default roles to report viewers.
- Review network policies quarterly — Microsoft IP ranges change about once a month.
- Rotate Snowflake users’ secondary roles via session policies instead of broad permanent grants.
Conclusion
You now have secure, token‑based SSO between Power BI and Snowflake. Users authenticate once with Microsoft Entra ID and land in Snowflake with the right role — no gateways, no stored passwords.
Next steps: automate the integration creation with Terraform or Azure DevOps and enforce network policies via the Snowflake API.
Bonus Content — Performance & Design Best Practices
Below is a curated set of optimisation tips from Snowflake’s engineering team that complement SSO and keep reports fast. For the full list, see Keith Smith’s article Snowflake and Power BI: Best Practices and Recent Improvements.
Keep the connector current
Power BI Service updates automatically, but Desktop and Data Gateway do not. Upgrade them to benefit from:
- July 2023 — faster imports via SQLBindCol
- December 2023 — cancelled visuals now cancel the Snowflake query
- April 2024 — native support for Dynamic Tables
Choose the right storage mode
- DirectQuery + SSO = each visual runs with the viewer’s Snowflake role.
- Composite models let you import small dimensions while leaving fact tables in DirectQuery.
Model in Snowflake, not Power BI
Build star schemas or governed views inside Snowflake. Avoid Custom SQL in Power BI; use views or Dynamic Tables instead.
Exploit DirectQuery performance features
- Horizontal Fusion and Query Parallelization (MaxParallelismPerQuery) cut round‑trips.
- Limit visuals per page and enable Query Reduction so slicers send queries only on Apply.
Align regions & network paths
Keep your Power BI tenant or Premium capacity in the same Azure region as Snowflake. If you need Azure Private Link or run Snowflake on AWS, plan for an On‑prem or VNet Data Gateway.
Aggregations caveat
Automatic aggregations are not supported when SSO is enabled. Instead, create aggregate Dynamic Tables or materialized views in Snowflake.
I am Augusto Rosa, a Snowflake Data Superhero and Snowflake SME. I am also the Head of Data, Cloud, & Security Architecture at Archetype Consulting. You can follow me on LinkedIn.
Subscribe to my Medium blog https://blog.augustorosa.com and Archetype Consulting blogs https://blog.archetypeconsulting.com/ for the most interesting Data Engineering and Snowflake news.
References
- Snowflake — Power BI SSO to Snowflake (https://docs.snowflake.com/en/user-guide/oauth-powerbi)
- Microsoft Learn — Connect to Snowflake in the Power BI Service (https://learn.microsoft.com/power-bi/connect-data/service-connect-snowflake)
- Keith Smith — Snowflake and Power BI: Best Practices and Recent Improvements (https://medium.com/snowflake/snowflake-and-power-bi-best-practices-and-recent-improvements-183e2d970c0c)
- Error when connecting Power BI Desktop via SSO to Snowflake: “We couldn’t authenticate with the credentials provided. Please try again” (https://community.snowflake.com/s/article/Error-when-We-couldn-t-authenticate-with-the-credentials-provided-Please-try-again)