This enables browser SSO into Snowflake via Azure AD.
Step 2: Enable Automatic Provisioning with SCIM
Step 2.1: Create functional Azure groups
Have the support/AD team create AD groups following a functional-role naming convention, for example:
DEVELOPER-SNOWFLAKE
ADMIN-SNOWFLAKE
SUPPORT-SNOWFLAKE
These group names will become Snowflake role names via SCIM and act as default roles.
Step 2.2: Create SCIM integration in Snowflake
Run as ACCOUNTADMIN:
CREATE ROLE IF NOT EXISTS AAD_PROVISIONER;
GRANT CREATE USER ON ACCOUNT TO ROLE AAD_PROVISIONER;
GRANT CREATE ROLE ON ACCOUNT TO ROLE AAD_PROVISIONER;
GRANT ROLE AAD_PROVISIONER TO ROLE ACCOUNTADMIN;
GRANT ROLE AAD_PROVISIONER TO ROLE SYSADMIN;
CREATE OR REPLACE SECURITY INTEGRATION AAD_PROVISIONING
TYPE = SCIM
SCIM_CLIENT = 'azure'
RUN_AS_ROLE = 'AAD_PROVISIONER';
Then generate the SCIM access token:
SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('AAD_PROVISIONING');
Notes:
- The token is valid for 6 months; it must be regenerated before then.
- Add monitoring/alerting so the token is renewed before it expires; once it expires, Entra ID provisioning calls start failing and new users and group changes stop reaching Snowflake.
Step 2.3: Share SCIM details with Azure team
Tenant URL:
https://.snowflakecomputing.com/scim/v2/
Secret Token: The SCIM access token generated above
They will configure the Snowflake enterprise app in Microsoft Entra ID (Azure AD) for automatic provisioning, following Microsoft’s "Configure Snowflake for automatic user provisioning with Microsoft Entra ID" tutorial.
Step 3: Configure SSO from Power BI to Snowflake
Step 3.1: Security Integration creation
CREATE OR REPLACE SECURITY INTEGRATION CM_SC_<ACCOUNT_LOCATOR>_SSO_POWERBI_SNFK
TYPE = EXTERNAL_OAUTH
ENABLED = TRUE
EXTERNAL_OAUTH_TYPE = AZURE
EXTERNAL_OAUTH_ISSUER = '<EntityID from Step 2 (https://sts.windows.net/.../)>'
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.windows.net/common/discovery/keys'
EXTERNAL_OAUTH_AUDIENCE_LIST = (
'https://analysis.windows.net/powerbi/connector/Snowflake',
'https://analysis.windows.net/powerbi/connector/snowflake'
)
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'upn'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';
-- The UPN in Azure AD must match the user's Snowflake login_name (or email)
ALTER SECURITY INTEGRATION CM_SC_<ACCOUNT_LOCATOR>_SSO_POWERBI_SNFK
SET EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE'; -- This allows additional roles
Step 3.2: Grant Snowflake access for Power BI users
Grant the warehouse, database and schema access each role needs to the Snowflake roles that SCIM created from the Azure groups, for example:
GRANT USAGE ON WAREHOUSE <WAREHOUSENAME>
TO ROLE "DEVELOPER-SNOWFLAKE";
GRANT USAGE ON DATABASE <DATABASENAME>
TO ROLE "DEVELOPER-SNOWFLAKE";
GRANT USAGE ON SCHEMA <DATABASENAME.SCHEMANAME>
TO ROLE "DEVELOPER-SNOWFLAKE";
GRANT SELECT ON ALL TABLES IN SCHEMA <DATABASENAME.SCHEMANAME>
TO ROLE "DEVELOPER-SNOWFLAKE";
Step 3.3: Network policy and IP ranges
If you use Snowflake network policies, ensure the policy allows:
- Power BI service IP ranges
- Azure AD IP ranges
Microsoft publishes updated IP ranges here:
https://www.microsoft.com/en-us/download/details.aspx?id=56519
Step 4: Using it from Power BI
Once everything above is configured:
- In Power BI (Desktop or Service), use the Snowflake connector.
- Sign in with your Azure AD (organizational) account.
- The connector obtains an Azure AD token, which Snowflake validates via the EXTERNAL_OAUTH integration, mapping the upn claim to the Snowflake login_name.
Note:
If connecting from the Power BI Service, enter the Server name in all lower case; otherwise the Power BI interface returns unclear errors.
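The following post-configuration checks are an added example, not part of the original page: they verify the two integrations, audit what the SCIM provisioner created, surface SCIM calls failing after the token expires (Step 2.2), and list the Power BI logins Snowflake accepted or rejected through External OAuth (Steps 3 and 4). Object names are the ones used above; the lookback windows and the `<access_token>` placeholder are assumptions.

```sql
-- Added verification queries (not from the original page). Run as ACCOUNTADMIN.
-- Integration and role names match the page; the 1-day / 7-day windows are assumptions.

-- 1. Confirm the SCIM integration is enabled and runs as AAD_PROVISIONER.
DESC SECURITY INTEGRATION AAD_PROVISIONING;

-- 2. Confirm issuer, JWKS URL, audience list and the upn -> login_name mapping.
DESC SECURITY INTEGRATION CM_SC_<ACCOUNT_LOCATOR>_SSO_POWERBI_SNFK;

-- 3. Users and roles owned by the provisioner, i.e. created through SCIM.
--    Each Azure group such as DEVELOPER-SNOWFLAKE should appear here as a role.
SHOW USERS;
SELECT "name", "login_name", "default_role", "disabled"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "owner" = 'AAD_PROVISIONER';

SHOW ROLES;
SELECT "name", "assigned_to_users"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "owner" = 'AAD_PROVISIONER';

-- 4. SCIM requests from Entra ID in the last day, bucketed by hour and status.
--    A stream of 401 responses with no successes is what an expired SCIM access
--    token looks like; alert on it instead of waiting for a missing-account report.
SELECT DATE_TRUNC('hour', event_timestamp) AS hour_bucket,
       status, error_code, COUNT(*) AS requests
FROM snowflake.account_usage.rest_event_history
WHERE event_type = 'SCIM'
  AND event_timestamp > DATEADD('day', -1, CURRENT_TIMESTAMP())
GROUP BY 1, 2, 3
ORDER BY 1 DESC;

-- 5. Logins authenticated with an External OAuth token in the last 7 days.
--    Failures here after a successful Azure sign-in usually mean the upn claim
--    does not match login_name, or the requested role is not granted to the user.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       is_success, error_code, error_message
FROM snowflake.account_usage.login_history
WHERE first_authentication_factor = 'OAUTH_ACCESS_TOKEN'
  AND event_timestamp > DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 6. Diagnose one failing token: paste the Azure AD access token the Power BI
--    connector obtained (placeholder below). Snowflake reports which integration
--    matched and why the user mapping failed, without opening a session.
SELECT SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('<access_token>');
```

The ACCOUNT_USAGE views lag by up to a few hours, so for a real-time check during troubleshooting use the INFORMATION_SCHEMA.LOGIN_HISTORY and INFORMATION_SCHEMA.REST_EVENT_HISTORY table functions instead.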