Azure Analysis Services
An Azure service that provides an enterprise-grade analytics engine.
469 questions
Data Connections - OAuth expires after 60 minutes?
Andrew Blyth
20
Reputation points
Hi - does anyone know why a Data Connection in Azure Analysis Services configured with OAuth2 expires after 60 minutes? Is there any way of extending the expiry time when you configure a connection???
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 8%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
Smaran Thoomu 19,310 Reputation points Microsoft Vendor2025-01-09T16:01:27.2833333+00:00 Hi @Andrew Blyth
Welcome to Microsoft Q&A platform and thanks for posting your query here.It seems like you're facing an issue with a Data Connection in Azure Analysis Services configured with OAuth2, where the connection expires after 60 minutes.
The 60-minute expiration for OAuth tokens is a standard behavior designed to enhance security by limiting how long a token remains valid. For Azure Analysis Services, when using OAuth2, this behavior is controlled by the authentication and token lifecycle policies configured in Azure AD.
Unfortunately, there isn't a built-in way to extend the token's expiration time directly in Azure Analysis Services. However, there are a couple of approaches you could consider to manage this:
- Token Refresh Mechanism: Azure AD issues a refresh token along with the access token. The refresh token can be used to obtain a new access token once the old one expires. You might need to configure your application or process to use the refresh token automatically to maintain the connection.
- Service Principal Authentication: Instead of OAuth2 with user-based authentication, you could explore using a service principal for the data connection. This method often avoids the frequent expiration issue and is better suited for scenarios requiring long-running or unattended connections.
I hope this helps! Let me know if you have any further questions.
-
Andrew Blyth 20 Reputation points
2025-01-09T16:04:48.1433333+00:00 Is Service Principal Authentication possible with Azure Analysis Services? My understanding was that it was not. If it is, is there any particular nuance involved in getting it to work, like using the client id rather than the app registration name?
-
Smaran Thoomu 19,310 Reputation points Microsoft Vendor
2025-01-09T17:20:48.7533333+00:00 @Andrew Blyth Thanks for your follow-up question!
You are correct that Azure Analysis Services doesn't directly support Service Principal Authentication for data connections. I apologize for the confusion in my earlier response.
For Azure Analysis Services, OAuth2 with user-based authentication is the standard method, and this does lead to the 60-minute token expiration. Unfortunately, extending the expiration time directly is not possible within the service.
However, there is a token refresh mechanism that you can use. When Azure AD issues the access token, it also issues a refresh token. You can use this refresh token to automatically obtain a new access token when the original one expires, allowing the connection to stay active without interruption.
If you're looking to avoid the expiration issue for long-running or unattended connections, you might consider implementing a process to handle the token refresh automatically. Depending on your application, you could set up periodic token refreshes to ensure the connection remains active.
If this is a feature you believe would benefit your use case, I recommend submitting feedback to the Azure team. You can do this through the Azure Feedback Portal, where the team reviews user feedback for potential future updates to the service.
I hope this helps! Let me know if you have any further questions.
Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
Andrew Blyth 20 Reputation points
2025-01-09T17:23:20.6233333+00:00 "you might consider implementing a process to handle the token refresh automatically" - How would I do that? I have no idea how one uses the refresh token or what technology you would use to leverage it. Any recommendations? Are we getting into C# territory?
-
Smaran Thoomu 19,310 Reputation points Microsoft Vendor
2025-01-09T17:41:07.7133333+00:00 Andrew Blyth Yes, to handle this, you could implement an automatic token refresh mechanism. This would typically involve using the refresh token to get a new access token when needed, which might require some coding (e.g., C# or Python).
-
Andrew Blyth 20 Reputation points
2025-01-09T17:43:21.91+00:00 I have experimented with a powershell script using MSGraph - would this work? I tried using Azure Powershell Get-AzAccessToken but that produced a token that didn't seem to work.
-
Smaran Thoomu 19,310 Reputation points Microsoft Vendor
2025-01-10T08:54:03.8533333+00:00 @Andrew Blyth Thanks for sharing your experience! While using a PowerShell script with MS Graph can work, Azure Analysis Services requires tokens with specific settings. The token from
Get-AzAccessTokenmight not include the right permissions, which is likely why it didn’t work.MS Graph is a good approach, but you may need to adjust the token settings. Tools like C# or Python can give more control over this process. If this continues to be an issue, I recommend submitting feedback through the Azure Feedback Portal.
I hope this helps! Let me know if you have any further questions.
-
Andrew Blyth 20 Reputation points
2025-01-10T09:03:05.76+00:00 Great thanks for your help if there's any detail information on what settings are required when getting a token, that would be useful. I will try Powershell approach first using the Graph API then move onto c# if that proves to be fruitless. Again, any information you have in this area would be appreciated.
-
Smaran Thoomu 19,310 Reputation points Microsoft Vendor
2025-01-10T09:48:15.6566667+00:00 Hi @Andrew Blyth
You’re very welcome! For tokens to work with Azure Analysis Services, they need the correct resource scope (usually the Azure Analysis Services resource URI). When using MS Graph or other tools, make sure to set this scope when creating the token.Starting with PowerShell and MS Graph sounds like a great plan! If you move to C#, tools like
Microsoft.Identity.Client(MSAL) can help with token generation.There isn’t much detailed documentation for this specific case, but you might find the Azure AD token guide useful.
Good luck, and feel free to share how it goes!
-
Andrew Blyth 20 Reputation points
2025-01-10T10:02:50.1133333+00:00 thanks. fingers crossed I can get this working. I would say it would be nice if the Azure Analysis Services product team (if there is one and they haven't been consumed by Fabric) could think about this scenario and make sure that Azure Analysis Services refreshes the token after expiry or changes the expiry duration (which I assume PowerBI/Fabric Cloud Service does already). I hate having to write bespoke code these days... we buy Microsoft products so we don't, generally.
-
Smaran Thoomu 19,310 Reputation points Microsoft Vendor
2025-01-10T10:25:18.6933333+00:00 @Andrew Blyth Thanks for sharing your thoughts! I completely understand where you’re coming from, having Azure Analysis Services handle token refreshes automatically or allowing configurable expiry durations would make things much easier. It’s a valid point, and I recommend sharing this directly with the product team through the Azure Feedback Portal.
Microsoft's shift toward products like Power BI and Fabric does seem to address some of these challenges, but I agree that having to write custom code for scenarios like this can be frustrating when the goal is to simplify workflows with the tools we buy.
Best of luck, and fingers crossed you get this working smoothly!
Sign in to comment
Sign in to answer