I'm working on integrating Azure Blob Storage with Power BI to display HTML content stored in a blob within my Power BI dashboard. The blob is hosted in an Azure Storage Account set to a private access level. While I can access this blob directly when logged into my Azure account, I encounter access issues when trying to display its content in both Power BI Desktop and the Power BI Service.
I have designed a table that includes destinations and the corresponding Blob URLs for HTML content. The visualization contains a destination filter. My goal is that when a user selects a destination from this filter, the HTML content associated with the chosen destination will be displayed on the dashboard.
Here's what I'm trying to achieve:
Display HTML content from a private blob in Azure Blob Storage on a Power BI dashboard.
Use AAD and RBAC for authentication and authorization, avoiding SAS tokens.
Ensure that Power BI Desktop and Power BI Service users can view the content based on their assigned roles.
Questions:
How can I configure AAD and RBAC to allow Power BI to access and display content from a private Azure Blob Storage?
What specific roles or permissions are required for Power BI users to access the blob content without making the blob public or using SAS tokens?
Are there any specific configurations needed on the Power BI side to support AAD authentication for accessing Azure Blob Storage?
Any guidance or insights on setting this up would be greatly appreciated. Thank you!
PS: I don't want to load the blob (html content) through Get data in my dashboard, but I want to directly use the Blob URL of the content.
The common solution involving Shared Access Signatures (SAS) tokens is known to me, but for security and management reasons, I prefer not to use SAS tokens for this scenario. Instead, I'm interested in leveraging Azure Active Directory (AAD) and Role-Based Access Control (RBAC) to manage access. I aim to assign appropriate roles to Power BI dashboard users to facilitate access without compromising the private nature of the blob storage.
If you need to use Azure Active Directory and RBAC to manage access to the Azure blob storage, you can follow the steps below.
First, create an app registration and assign the Storage Blob Data Contributor role (read, write, delete, etc.) to access the blob storage. You can generate the bearer token using the Python code below.
Code:
Output:
Now, use the above access token and x-ms-version=2020-04-08 in headers in the Web request in PowerBI to access the blob URI.
PowerBI:
Output:
Reference:
Assign an Azure role for access to blob data - Azure Storage | Microsoft Learn
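The token request and the authorized blob request that the answer above describes, as an added Python example (not the answerer's original code). It assumes the public Azure cloud endpoints; the function names and environment variable names are illustrative.

```python
import json
import os
import urllib.parse
import urllib.request

STORAGE_SCOPE = "https://storage.azure.com/.default"  # Azure Storage resource scope
X_MS_VERSION = "2020-04-08"                           # version header named in the answer
BLOB_SUFFIX = ".blob.core.windows.net"                # assumption: public Azure cloud


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request for the app registration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": STORAGE_SCOPE}
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                  method="POST")


def build_blob_request(blob_url, access_token):
    """Authorized GET for a private blob; rejects URLs the token must not go to."""
    parts = urllib.parse.urlsplit(blob_url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(BLOB_SUFFIX):
        raise ValueError("bearer token is only sent to https://<account>" + BLOB_SUFFIX)
    if parts.query:
        raise ValueError("unexpected query string (a SAS token?) on the blob URL")
    return urllib.request.Request(blob_url, headers={
        "Authorization": f"Bearer {access_token}",
        "x-ms-version": X_MS_VERSION,
    })


def fetch_blob_html(blob_url, tenant_id, client_id, client_secret):
    """Get a token, then read the blob. Needs network access and real credentials."""
    token_req = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(token_req, timeout=10) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(build_blob_request(blob_url, token), timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Hypothetical environment variable names; keep the secret out of source control.
    env = os.environ
    print(fetch_blob_html(env["BLOB_URL"], env["AZURE_TENANT_ID"],
                          env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])[:200])
```

For a dashboard that only displays the HTML, the built-in Storage Blob Data Reader role is sufficient for the app registration. The host check keeps the bearer token from being sent to a URL in the destinations table that does not point at a storage account.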