I’m using Dataflow Gen 2 in Microsoft Fabric to ingest data from Salesforce via the Salesforce Objects connector, which is authenticated through an Organizational Account (OAuth 2.0). However, unlike Azure Synapse’s SalesforceV2 type, this connector doesn’t offer fields to input a client ID, client secret, or environment URL.

Here are the key concerns:

1. Reauthentication Requirement

Will reauthentication be required regularly (e.g., after access tokens expire), and how often will that occur? What factors contribute to the frequency of reauthentication?

With OAuth 2.0, the system typically provides an access token (short-lived, often around 1 hour) and a refresh token, which can last longer. Reauthentication is necessary when both expire. While Dataflow Gen 2 does not allow manual token management, it should handle refreshing access tokens automatically. The reauthentication frequency depends largely on:

  • Expiration of the refresh token, which typically lasts 90 days but can be shorter depending on the organization’s security policies.
  • Conditional Access Policies: If your organization enforces stricter access controls, reauthentication might occur more frequently.

2. Cons of Using an Organizational Account

What are the potential downsides of using an Organizational Account for this connection, particularly in a production setting where automation and stability are critical?

Potential drawbacks:

  • Security Risks: Using an Organizational Account grants broader access than needed, violating the principle of least privilege.
  • Management Complexity: Managing multiple Organizational Accounts for various processes can become cumbersome, leading to potential confusion and inconsistencies.
  • Stability Risks: If the Organizational Account gets locked, compromised, or its permissions are altered, it can interrupt your data flows unexpectedly, especially in production environments.

To mitigate these risks, I recommend using a service account (rather than individual accounts) to centralize and secure access.

3. Workaround for Client Credentials Flow

Is it possible to implement a client credentials flow (i.e., providing a client ID, client secret, and environment URL) to prevent frequent reauthentication, similar to Azure Synapse or Data Factory? If not, what options are available for maintaining a stable, long-term data connection from Salesforce?

Currently, there doesn’t appear to be support for client credentials flow in Dataflow Gen 2. You may want to reach out to Microsoft support for confirmation. As an alternative, you could explore:

  • Middleware Authentication Service: Set up a service to manage OAuth tokens, refresh them, and provide an API endpoint that Dataflow Gen 2 can call. This would ensure long-term stability and avoid reauthentication disruptions.
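The token-handling core of such a middleware service could look like the sketch below. It is an added example, not code from Microsoft or Salesforce. `TokenBroker`, `ReauthRequired` and the injected `post` callable (which would send the form to the OAuth token endpoint) are hypothetical names, and the 1-hour default lifetime and 5-minute renewal margin are assumptions.

```python
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; an interactive sign-in is needed."""

class TokenBroker:
    """Caches the access token and renews it with the refresh_token grant."""

    def __init__(self, post, client_id, client_secret, refresh_token,
                 lifetime_s=3600, skew_s=300, clock=time.time):
        self._post = post  # assumed callable: form dict -> parsed JSON reply
        self._form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret}
        self._lifetime, self._skew, self._clock = lifetime_s, skew_s, clock
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        # Renew shortly before expiry so callers never receive a stale token.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._token

    def _refresh(self):
        reply = self._post(dict(self._form))
        if "access_token" not in reply:
            self._token = None
            # invalid_grant: the refresh token has expired or been revoked.
            if reply.get("error") == "invalid_grant":
                raise ReauthRequired("refresh token rejected")
            raise RuntimeError("token endpoint error: %s" % reply.get("error"))
        self._token = reply["access_token"]
        self._expires_at = self._clock() + int(reply.get("expires_in", self._lifetime))

def demo():
    """Constructed run against a fake endpoint and clock (no network)."""
    now, calls, revoked = [0.0], [], [False]
    def fake_post(form):
        calls.append(form["grant_type"])
        ok = {"access_token": "tok-%d" % len(calls)}  # constructed token value
        return {"error": "invalid_grant"} if revoked[0] else ok
    broker = TokenBroker(fake_post, "cid", "secret", "rt", clock=lambda: now[0])
    out = [broker.access_token()]                      # first use: refresh
    now[0] = 1000; out.append(broker.access_token())   # still valid: cached
    now[0] = 3400; out.append(broker.access_token())   # inside margin: renewed
    now[0], revoked[0] = 7000, True
    try:
        broker.access_token()
    except ReauthRequired:
        out.append("reauth")
    return out
```

In a real deployment the client secret and refresh token would be loaded from a secrets store rather than passed as literals, and `ReauthRequired` would raise an alert instead of letting the data flow fail silently.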
