Connect to an Azure Data Lake Storage account by using an Azure service principal
This article discusses how to connect Dynamics 365 Customer Insights with an Azure Data Lake Storage account by using an Azure service principal instead of storage account keys.
Automated tools that use Azure services should always have restricted permissions. Instead of having applications sign in as a fully privileged user, Azure offers service principals. You can use service principals to securely add or edit a Common Data Model folder as a data source or create or update an environment.
Important
- The Data Lake Storage account that will use the service principal must be Gen2 and have hierarchical namespace enabled. Azure Data Lake Gen1 storage accounts are not supported.
- You need admin permissions for your Azure tenant to create a service principal.
Create an Azure service principal for Customer Insights
Before creating a new service principal for Customer Insights, check whether it already exists in your organization.
Look for an existing service principal
Go to the Azure admin portal and sign in to your organization.
From Azure services, select Azure Active Directory.
Under Manage, select Microsoft Application.
Add a filter for Application ID start with
0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fffor search for the nameDynamics 365 AI for Customer Insights.If you find a matching record, it means that the service principal already exists.
If no results are returned, you can create a new service principal. In most cases, it already exists and you only need to grant permissions for the service principal to access the storage account.
Grant permissions to the service principal to access the storage account
Go to the Azure portal to grant permissions to the service principal for the storage account you want to use in Customer Insights. One of the following roles must be assigned to the storage account or container:
| Credential | Requirements |
|---|---|
| Currently logged in user | Role: Storage Blob Data Reader, Storage Blob Contributor, or Storage Blob Owner. Level: Permissions can be granted on the storage account or the container. |
| Customer Insights Service Principal - Using Azure Data Lake Storage as a data source |
Option 1
|
| Customer Insights Service Principal - Using Azure Data Lake Storage as an output or destination |
Option 1
|
Go to the Azure admin portal and sign in to your organization.
Open the storage account you want the service principal for Customer Insights to have access to.
On the left pane, select Access control (IAM), and then select Add > Add role assignment.
On the Add role assignment pane, set the following properties:
- Role: Storage Blob Data Reader, Storage Blob Contributor, or Storage Blob Owner based on credentials listed above.
- Assign access to: User, group, or service principal
- Select members: Dynamics 365 AI for Customer Insights (the service principal you looked up earlier in this procedure)
Select Review + assign.
It can take up to 15 minutes to propagate the changes.
Enter the Azure resource ID or the Azure subscription details in the storage account attachment to Customer Insights
You can attach a Data Lake Storage account in Customer Insights to store output data or use it as a data source. This option lets you choose between a resource-based or a subscription-based approach. Depending on the approach you choose, follow the procedure in one of the following sections.
Resource-based storage account connection
Go to the Azure admin portal, sign in to your subscription, and open the storage account.
On the left pane, go to Settings > Endpoints.
Copy the storage account resource ID value.
In Customer Insights, insert the resource ID in the resource field displayed on the storage account connection screen.
Continue with the remaining steps in Customer Insights to attach the storage account.
Subscription-based storage account connection
Go to the Azure admin portal, sign in to your subscription, and open the storage account.
On the left pane, go to Settings > Properties.
Review the Subscription, Resource group, and the Name of the storage account to make sure you select the right values in Customer Insights.
In Customer Insights, choose the values for the corresponding fields when attaching the storage account.
Continue with the remaining steps in Customer Insights to attach the storage account.
Create a new service principal
Install the latest version of Azure Active Directory PowerShell for Graph. For more information, go to Install Azure Active Directory PowerShell for Graph.
On your PC, press the Windows key on your keyboard and search for Windows PowerShell and select Run as administrator.
In the PowerShell window that opens, enter
Install-Module AzureAD.
Create the service principal for Customer Insights with the Azure AD PowerShell module.
In the PowerShell window, enter
Connect-AzureAD -TenantId "[your Directory ID]" -AzureEnvironmentName Azure. Replace [your Directory ID] with the actual Directory ID of your Azure subscription where you want to create the service principal. The environment name parameter,AzureEnvironmentName, is optional.Enter
New-AzureADServicePrincipal -AppId "0bfc4568-a4ba-4c58-bd3e-5d3e76bd7fff" -DisplayName "Dynamics 365 AI for Customer Insights". This command creates the service principal for Customer Insights on the selected Azure subscription.
Feedback
Submit and view feedback for