Microsoft Entra ID single sign-on for the Starburst connector in Power BI (Preview)

When enabling Microsoft Entra ID single sign-on (SSo) for Starburst (Preview) report viewers querying semantic models in DirectQuery mode authenticate to Starburst with their own Entra ID identity, to Starburst's access policies — including row-level and column-level security rules — are evaluated against the actual end user rather than a fixed connection account.

 

Two connectors, one to use

The Starburst connectors are built and maintained by Starburst. Two Starburst entries appear in the Power BI Get Data list. The original Starburst connector remains available for existing reports, but the new SSO experience ships in the Starburst secured by Entra ID connector — pick this one for any new report where you want Entra identities to flow end-to-end, as in the following screenshot.

 

The Starburst secured by Entra ID connector listed in the Power BI Get Data dialog.

Figure: The Starburst secured by Entra ID connector.

 

How it works

The Starburst secured by Entra ID connector supports both Import and DirectQuery semantic models through the on-premises data gateway. However, Entra ID SSO is only relevant for DirectQuery mode. When a viewer opens a report, the underlying DirectQuery semantic model forwards the user's Entra ID token to the gateway, the gateway passes it through to Starburst, and Starburst validates it directly with Entra ID. Starburst then applies its own authorization policies to the authenticated user.

 

Enabling it

Enabling Entra ID SSO for Starburst takes two tenant-level settings plus one setting in the data connector configuration. Both tenant settings live in the Power BI admin portal and require tenant admin rights.

 

First, turn on Enable Starburst SSO. This tenant setting controls whether the Use SSO via Azure AD for DirectQuery queries checkbox appears in the Single sign-on settings for the Starburst secured by Entra ID connection kind.

Second, turn on Microsoft Entra single sign-on for data gateway. This setting is the prerequisite for any Entra ID-based SSO through a data gateway. Without it, the Starburst-specific SSO checkbox stays disabled.

 

Tenant settings in the Power BI admin portal for enabling Entra ID SSO with Starburst.

Figure: Tenant settings for Entra ID SSO with Starburst.

 

Once both tenant settings are on, you can configure the Starburst data source and select Use SSO via Azure AD for DirectQuery queries. From that point on, any DirectQuery semantic model bound to this data connection forwards each user’s Entra ID token to Starburst.

 

The Use SSO via Azure AD for DirectQuery queries checkbox in the Starburst data source settings.

Figure: Use SSO via Azure AD for DirectQuery queries.

 

When to use it

Choose Entra ID SSO whenever you want Starburst's data access policies to apply to the report users in DirectQuery mode rather than a fixed data connection account or when audit or compliance rules prohibit using a single connection credential for all users for data access. If you're already using the original Starburst connector and it meets your needs, you don't have to migrate — existing semantic models continue to refresh as they do today. Switch to the Starburst secured by Entra ID connector if you need Entra ID SSO.

Comments

Popular posts from this blog

Exception deserializing the package "The process cannot access the file because it is being used by another process."

SSRS INTERVIEW QUESTIONS

Failed to execute the package or element. Build errors were encountered