Validation/Setup of the Azure Synapse Link for Dataverse Security Prerequisites via PowerShell


Recently I had the opportunity to investigate, set up and test Azure Synapse Link for Dataverse. From Microsoft's product page:

“Azure Synapse Link for Dataverse enables you to get near real-time insights over your data in Microsoft Dataverse. With a tight seamless integration between Dataverse and Azure Synapse Analytics, Azure Synapse Link enables you to run analytics, business intelligence and machine learning scenarios on your data.”

In short, this facility allows me to export my data from Dataverse to a Data Lake (N.B. Data Lake = Microsoft Blob Storage Account Gen 2 with Hierarchical Namespace enabled). You can also export to a Data Lake that is set as the primary storage on an Azure Synapse Workspace, in which case you will also get a Lake Database created with full mappings to all exported tables (worth doing in certain scenarios – but more on that to come).

As the Power Platform environments could be owned by another department, and not necessarily under the control of the owners of the target storage/workspace, I wanted a tool that others could use to both validate and set up the security requirements for this part of the deployment. I hadn't really used PowerShell before and thought this would be a good opportunity to start learning.

The prerequisites I needed to cover for my scenario were that the account deploying the link:

  • Must have Administrator access to the Power Platform environment where the link is to be set up.
  • Must have Owner and Blob Storage Contributor role access on the ADLS Gen2 account.
  • If deploying to a Synapse Workspace, must have a workspace and have System Administrator role access via the workspace.

I created a simple PowerShell script to run these checks:

./setup-dataverse-synapse-link-security.ps1 -user_name bob@somecompany.com -storage_account_name storageacc1 -synapse_workspace_name workspace1 -power_app_environment_name 40b1510f-7d85-427c-acdc-e1caaeabfd94

  • user_name: AD username of the account that will be setting up the link (N.B. not necessarily the logged-on account).
  • storage_account_name: The name of the target storage account.
  • synapse_workspace_name: The name of the target Synapse workspace.
  • power_app_environment_name: The ID of the Power Platform environment where the link will be set up.
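
The Azure-side checks from the prerequisite list, as an added example (this is not the author's script): it reuses the parameter names shown above and reports which storage account and Synapse workspace prerequisites the deploying account meets. It assumes the Az.Resources, Az.Storage and Az.Synapse modules with an existing Connect-AzAccount session, and it assumes the roles meant are the built-in ones named Owner, Storage Blob Data Contributor and Synapse Administrator.

```powershell
# Added example, not the author's script. Assumes the Az.Resources, Az.Storage
# and Az.Synapse modules are installed and Connect-AzAccount has already run.
param(
    [Parameter(Mandatory)] [string] $user_name,
    [Parameter(Mandatory)] [string] $storage_account_name,
    [Parameter(Mandatory)] [string] $synapse_workspace_name
)
$ErrorActionPreference = 'Stop'

# Built-in role names (assumption: these are the roles the prerequisites refer to).
$storage_roles = 'Owner', 'Storage Blob Data Contributor'
$synapse_role  = 'Synapse Administrator'

# Find the storage account by name in the current subscription.
$account = Get-AzStorageAccount |
    Where-Object { $_.StorageAccountName -eq $storage_account_name }
if (-not $account) {
    throw "Storage account '$storage_account_name' not found in this subscription."
}

$results = @()

# The link targets a Data Lake, so hierarchical namespace must be enabled.
$results += [pscustomobject]@{
    Check  = 'Hierarchical namespace enabled'
    Passed = [bool]$account.EnableHierarchicalNamespace
}

# Azure RBAC: role assignments for the user at the storage account scope.
$assigned = @(Get-AzRoleAssignment -SignInName $user_name -Scope $account.Id |
    Select-Object -ExpandProperty RoleDefinitionName)
foreach ($role in $storage_roles) {
    $results += [pscustomobject]@{
        Check  = "Storage account role: $role"
        Passed = $assigned -contains $role
    }
}

# Synapse RBAC is separate from Azure RBAC and is queried through the workspace.
$synapse = @(Get-AzSynapseRoleAssignment -WorkspaceName $synapse_workspace_name `
    -SignInName $user_name -RoleDefinitionName $synapse_role)
$results += [pscustomobject]@{
    Check  = "Synapse workspace role: $synapse_role"
    Passed = $synapse.Count -gt 0
}

# Report every check, then fail the run if any prerequisite is missing.
$results | Format-Table -AutoSize | Out-Host
if ($results.Passed -contains $false) { exit 1 }
```

The non-zero exit code lets a pipeline or a colleague in another department treat a missing role as a hard stop before the link is deployed.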

Points to note

  • In my scenario, I already have Owner access to the resource group I am deploying to.
  • My target is a Synapse Workspace.

Potential Improvements

  • Rather than adding each account to the RBAC roles separately, use groups instead and check that the user is a member of those groups.
  • Check the user has the necessary permissions to perform the setup tasks.
  • Reference the Power Platform environment by name.

The script can be found here within powershell-tools.
