Connect to an Azure Data Lake Storage account by using a Microsoft Entra service principal

  • Article

Note

Azure Active Directory is now Microsoft Entra ID. Learn more

Dynamics 365 Customer Insights - Data provides an option to connect to an Azure Data Lake Storage account by using a Microsoft Entra service principal.

Automated tools that use Azure services must have restricted permissions. Instead of having applications sign in as a fully privileged user, Azure offers service principals. Use service principals to securely add or edit a Common Data Model folder as a data source or create or update an environment.

Prerequisites

  • The Data Lake Storage account has hierarchical namespace enabled.
  • Admin permissions for your Azure tenant, if you have to create a new service principal.

Create Microsoft Entra service principal for Customer Insights

Before creating a new service principal for Customer Insights, check whether it already exists in your organization. In most cases, it already exists.

Look for an existing service principal

  1. Go to the Azure admin portal and sign in to your organization.

  2. From Azure services, select Microsoft Entra.

  3. Under Manage, select Microsoft Application.

  4. Add a filter for Application ID start with 0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff or search for the name Dynamics 365 AI for Customer Insights.

  5. If you find a matching record, it means that the service principal already exists. Grant permissions for the service principal to access the storage account.

    Screenshot showing an existing service principal.

  6. If no results are returned, create a new service principal.

Create a new service principal

  1. Install the latest version of Microsoft Entra ID PowerShell for Graph. For more information, go to Install Microsoft Entra ID PowerShell for Graph.

    1. On your PC, press the Windows key on your keyboard and search for Windows PowerShell and select Run as administrator.

    2. In the PowerShell window that opens, enter Install-Module AzureAD.

  2. Create the service principal with the Microsoft Entra ID PowerShell module.

    1. In the PowerShell window, enter Connect-AzureAD -TenantId "[your Directory ID]" -AzureEnvironmentName Azure. Replace [your Directory ID] with the actual Directory ID of your Azure subscription where you want to create the service principal. The environment name parameter, AzureEnvironmentName, is optional.

    2. Enter New-AzureADServicePrincipal -AppId "0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff" -DisplayName "Dynamics 365 AI for Customer Insights". This command creates the service principal on the selected Azure subscription.

Grant permissions to the service principal to access the storage account

To grant permissions to the service principal for the storage account you want to use in Customer Insights - Data, one of the following roles must be assigned to the storage account or container:

Credential Requirements
Currently logged in user When connecting to the Azure Data Lake using the Azure subscription option:
  • Role: Storage Blob Data Reader, Storage Blob Contributor, or Storage Blob Owner.
  • Level: Permissions granted on the storage account or the container.

When connecting to the Azure Data Lake using the Azure resource option:
  • Role: Microsoft.Storage/storageAccounts/read action
  • Level: Permission granted on the storage account

AND
  • Role: Storage Blob Data Reader, Storage Blob Contributor, or Storage Blob Owner.
  • Level: Permissions granted on the storage account or the container.

Storage Blob Data Reader role is sufficient to read and ingest data to Customer Insights – Data. However, the Storage Blob Data Contributor or Owner role is required to edit the manifest files from within the data connection experience.
Customer Insights Service Principal -
Using Azure Data Lake Storage as a data source
 Option 1
  • Role: Storage Blob Data Reader, Storage Blob Data Contributor, or Storage Blob Data Owner.
  • Level: Permissions granted on the storage account.
Option 2 (without sharing Service Principal access to the storage account)
  • Role 1: Storage Blob Data Reader, Storage Blob Data Contributor, or Storage Blob Data Owner.
  • Level: Permissions granted on the container.
  • Role 2: Storage Blob Data Delegator.
  • Level: Permissions granted on the storage account.
Customer Insights Service Principal -
Using Azure Data Lake Storage as an output or destination
 Option 1
  • Role: Storage Blob Data Contributor or Storage Blob Owner.
  • Level: Permissions granted on the storage account.
Option 2 (without sharing Service Principal access to the storage account)
  • Role: Storage Blob Data Contributor or Storage Blob Owner.
  • Level: Permissions granted on the container.
  • Role 2: Storage Blob Delegator.
  • Level: Permissions granted on the storage account.

  1. Go to the Azure admin portal and sign in to your organization.

  2. Open the storage account you want the service principal to have access to.

  3. On the left pane, select Access control (IAM), and then select Add > Add role assignment.

    Screenshot showing the Azure portal while adding a role assignment.

  4. On the Add role assignment pane, set the following properties:

    • Role: Storage Blob Data Reader, Storage Blob Contributor, or Storage Blob Owner based on credentials listed above.
    • Assign access to: User, group, or service principal
    • Select members: Dynamics 365 AI for Customer Insights (the service principal you looked up earlier in this procedure)

  5. Select Review + assign.

It can take up to 15 minutes to propagate the changes.

Enter the Azure resource ID or the Azure subscription details in the storage account attachment to Customer Insights -Data

Attach a Data Lake Storage account in Customer Insights - Data to store output data or use it as a data source. Choose between a resource-based or a subscription-based approach and follow those steps.

Resource-based storage account connection

  1. Go to the Azure admin portal, sign in to your subscription, and open the storage account.

  2. On the left pane, go to Settings > Endpoints.

  3. Copy the storage account resource ID value.

  4. In Customer Insights - Data, insert the resource ID in the resource field displayed on the storage account connection screen.

    Enter the storage account resource ID information.

  5. Continue with the remaining steps to attach the storage account.

Subscription-based storage account connection

  1. Go to the Azure admin portal, sign in to your subscription, and open the storage account.

  2. On the left pane, go to Settings > Properties.

  3. Review the Subscription, Resource group, and the Name of the storage account to make sure you select the right values in Customer Insights - Data.

  4. In Customer Insights - Data, choose the values for the corresponding fields when attaching the storage account.

  5. Continue with the remaining steps to attach the storage account.