Trusting third-party connectors

Why do you need trusted third-party connectors?

In Power BI, we generally recommend keeping your 'Data extension security' level at the higher level, which prevents loading of code not certified by Microsoft. However, there may be many cases in which you want to load specific connectors--ones you've written, or ones provided to you by a consultant or vendor outside the Microsoft certification path.

The developer of a given connector can sign it with a certificate and provide you with the information you need to securely load it without lowering your security settings.

If you want to know more about the security settings, you can read about them here.

Using the registry to trust third-party connectors

Trusting third-party connectors in Power BI is done by listing the thumbprint of the certificate you want to trust in a specified registry value. If this thumbprint matches the thumbprint of the certificate on the connector you want to load, you will be able to load it in the ‘Recommended’ security level of Power BI.

The registry path is HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power BI Desktop. Make sure the path exists, or create it. We chose this location due to it being primarily controlled by IT policy, as well as requiring local machine administration access to edit.

Power BI Desktop Registry with no trusted third-party keys set

Add a new value under the path specified above. The type should be “Multi-String Value” (REG_MULTI_SZ), and it should be called “TrustedCertificateThumbprints”

Power BI Desktop Registry with an entry for trusted third-party connectors but no keys

Add the thumbprints of the certificates you want to trust. You can add multiple certificates by using “\0” as a delimiter, or in the registry editor, right click -> modify and put each thumbprint on a new line. Example thumbprint is taken from a self-signed certificate.

Power BI Desktop Registry with a trusted third-party key set

If you’ve followed the instructions properly, and have been given the proper thumbprint by your developer, you should now be able to securely trust connectors signed with the associated certificate.

How to Sign Connectors

If you have a connector you or a developer need to sign, you can read about it in the Power Query docs here.