This section describes how to edit the DSN configuration and then authenticate and connect to Microsoft Dataverse APIs.

DSN Configuration

You can use the Microsoft ODBC Data Source Administrator to edit the DSN configuration. Note that the installation process creates a both a user DSN and a system DSN, as described in Installing the Connector.

Note: The connector stores connection information in the Windows registry. To ensure that the connector can write to the registry, either run Power BI as an administrator or use a User DSN for your connection instead of a System DSN.

User DSN

Complete the following steps to edit the DSN configuration:

1. Select Start > Search, and enter ODBC Data Sources in the Search box.
2. Choose the version of the ODBC Administrator that corresponds to the bitness of your Power BI Desktop installation (32-bit or 64-bit).
3. Select the system data source and click Configure.
4. Edit the information on the Connection tab and click OK.

System DSN

Configure the system DSN the same way as the user DSN, except you will need to switch to the System DSN tab before performing Step 3.

If you're using Power BI's On-Premises Data Gateway with Standard mode, you must use the system DSN.

You must also specify a valid location for OAuthSettingsLocation (a path where OAuth credentials are locally stored to avoid repeated OAuth prompts).

This is because the Standard mode runs on service mode and can only access permitted locations, such as C:\Windows\ServiceProfiles\PBIEgwService\AppData\Local\Microsoft\On-premises data gateway.

Schema

Microsoft Dataverse supports two values for the Schema property, System and Entities.

• System: uses the Web API to query entities and tables directly.
• Entities: uses the EntityDefinitions entity set path to retrieve metadata about EntityMetadata entities and tables. This typically provides more user-friendly names, but requires additional metadata requests.

Connecting to Microsoft Dataverse

To authenticate to the Microsoft Dataverse source, begin by setting the OrganizationURL property to the URL of the organization you are connecting to.

For example: https://[organization].crm.dynamics.com.

Entra ID (Azure AD)

Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".

The connector supports authentication to Microsoft Dataverse through OAuth 2.0, using Entra ID. The specific OAuth behavior depends on the value of the AuthScheme connection property, which determines the authentication flow used.

The following table outlines the relationship between AuthScheme, OAuth grant types, and typical use cases:

AuthScheme	OAuth Grant Type	Use Case
AzureAD	Authorization Code	User login with browser interaction (desktop/web), or on a separate device in headless environments
AzureServicePrincipal	Client Credentials	Application-only access using client secret
AzureServicePrincipalCert	Client Credentials	Application-only access using certificate-based authentication
AzureMSI	Managed Identity	Azure-hosted apps/services using Azure's Managed Identity

Authorization Code Flow for Desktop Applications

This flow is designed for scenarios that require user login through a browser.

CData provides an embedded OAuth application that simplifies OAuth desktop authentication using the Authorization Code grant type. Alternatively, you can create a custom OAuth application. See Creating an Entra ID (Azure AD) Application for information about creating custom applications. The only difference between these two approaches is that custom applications require you to set two additional connection properties during configuration.

After setting the following connection properties, you are ready to connect:

• OAuthClientId: (custom applications only) Set this to the client Id in your application settings.
• OAuthClientSecret: (custom applications only) Set this to the client secret in your application settings.
• CallbackURL: Set this to the Redirect URL in your application settings.

When you connect, the connector opens the OAuth authorization endpoint in your default browser. Log in and grant permissions to the application.

Authorization Code Flow for Headless Machines

A headless machine is one that does not have a browser interface. Because OAuth requires user interaction in a browser, you must perform the authentication on another machine that has one. After completing the authentication, transfer the credentials to the headless machine.

There are two supported options:

1. Authenticate on another device and manually copy the verifier code.
2. Complete authentication on another machine and transfer the saved OAuth settings file.

After completing either option, configure the connector to automatically refresh the access token on the headless machine.

Option 1: Obtain and Exchange a Verifier Code

Use another machine with a browser to generate the OAuth verifier code.

On a device with a browser, choose one of the following methods:

• Embedded OAuth Application:

  The connector automatically generates and opens the OAuth authorization URL in your default browser. When the browser window appears, sign in with your Microsoft account and grant any requested permissions. After authentication, you are redirected to the callback URL, which includes a verifier code in the query string. Copy the value of the code parameter as this is your verifier code for the OAuthVerifier connection property.

• Custom OAuth Application: Manually configure the following connection properties:
  • InitiateOAuth: Set to OFF.
  • OAuthClientId: Set to the client ID assigned to your registered application.
  • OAuthClientSecret: Set to the client secret assigned to your registered application.

  Then call the GetOAuthAuthorizationUrl stored procedure with the appropriate CallbackURL. Open the URL returned by the procedure in your browser, log in, and grant permissions to the application. You are redirected to the callback URL, which includes the verifier code in the query string. Copy the value of the code parameter as this is your verifier code.

Next: Exchange the Verifier Code for tokens

On the headless machine, set the following connection properties to exchange the verifier code for access and refresh tokens:

• InitiateOAuth: Set to REFRESH.
• OAuthVerifier: Set to the verifier code you obtained above.
• OAuthClientId: (custom applications only) Set to your registered client ID.
• OAuthClientSecret: (custom applications only) Set to your registered client secret.
• OAuthSettingsLocation: Set to the file path where the driver should store the token values.

After this exchange completes and the settings file is generated, reconfigure your connection as follows:

• InitiateOAuth: Set to REFRESH.
• OAuthClientId: (custom applications only) Set to your registered client ID.
• OAuthClientSecret: (custom applications only) Set to your registered client secret.
• OAuthSettingsLocation: Set to the location of the saved settings file. Ensure it is readable and writable by the connector so that tokens can be refreshed automatically.

Option 2: Transfer OAuth Settings

In this method, you complete the full OAuth flow on a browser-enabled machine, then transfer the resulting settings file to the headless machine.

1. On the browser-enabled machine, set up the connection as described under Desktop Applications.
2. After authentication, the connector saves the encrypted token values to the file specified by OAuthSettingsLocation. The default filename is OAuthSettings.txt.
3. Test the connection to confirm the file works as expected, then copy the file to the headless machine.

On the headless machine, configure the connection as follows:

• InitiateOAuth: Set to REFRESH.
• OAuthClientId: (custom applications only) Set to your registered client ID.
• OAuthClientSecret: (custom applications only) Set to your registered client secret.
• OAuthSettingsLocation: Set to the path of the copied OAuth settings file. Ensure the file grants read/write permissions to the connector.

Client Credentials

Client credentials refers to a flow in OAuth where there is no direct user authentication taking place. Instead, credentials are created for just the app itself. All tasks taken by the application are done without a default user context. This makes the authentication flow a bit different from standard.

Client OAuth Flow

All permissions related to the client oauth flow require admin consent. This means the app embedded with the CData Power BI Connector for Microsoft Dataverse cannot be used in the client oauth flow. You must create your own OAuth app in order to use client credentials. See Creating an Entra ID (Azure AD) Application for more details.

In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions - Delegated and Application permissions. The permissions used during client credential authentication are under Application Permissions. Select the applicable permissions you require for your integration.

You are ready to connect after setting one of the below connection properties groups depending on the authentication type.

1. Client Secret
   • AuthScheme Set this to AzureServicePrincipal.
   • InitiateOAuth: Set this to GETANDREFRESH. You can cuse InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
   • AzureTenant: Set this to the tenant you wish to connet to.
   • OAuthClientId: Set this to the Client Id in your app settings.
   • OAuthClientSecret: Set this to the Client Secret in your app settings.
2. Certificate
   • AuthScheme Set this to AzureServicePrincipalCert.
   • InitiateOAuth: Set this to GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
   • AzureTenant: Set this to the tenant you wish to connect to.
   • OAuthClientId: Set this to the Client Id in your app settings.
   • OAuthJWTCert: Set this to the JWT Certificate store.
   • OAuthJWTCertType: Set this to the type of the certificate store specified by OAuthJWTCert.

Authentication with client credentials will take place automatically like any other connection, except there will be no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections will take place and be handled internally.

Azure Service Principal

Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".

Azure Service Principal is role-based application-based authentication. This means that authentication is done per application, rather than per user. All tasks taken on by the application are executed without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.

For information about how to set up Azure Service Principal authentication, see Creating a Service Principal App in Entra ID (AzureAD).

Managed Service Identity (MSI)

If you are running Microsoft Dataverse on an Azure VM and want to automatically obtain Managed Service Identity (MSI) credentials to connect, set AuthScheme to AzureMSI.

User-Managed Identities

To obtain a token for a managed identity, use the OAuthClientId property to specify the managed identity's client_id.

If your VM has multiple user-assigned managed identities, you must also specify OAuthClientId.