I’m using Dataflow Gen 2 in Microsoft Fabric to ingest data from Salesforce via the Salesforce Objects connector, which is authenticated through an Organizational Account (OAuth 2.0). However, unlike Azure Synapse’s SalesforceV2 type, this connector doesn’t offer fields to input a client ID, client secret, or environment URL.

Here are the key concerns:

1. Reauthentication Requirement

Will reauthentication be required regularly (e.g., after access tokens expire), and how often will that occur? What factors contribute to the frequency of reauthentication?

With OAuth 2.0, the system typically provides an access token (short-lived, often around 1 hour) and a refresh token, which can last longer. Reauthentication is necessary when both expire. While Dataflow Gen 2 does not allow manual token management, it should handle refreshing access tokens automatically. The reauthentication frequency depends largely on:

  • Expiration of the refresh token, which typically lasts 90 days but can be shorter depending on the organization’s security policies.
  • Conditional Access Policies: If your organization enforces stricter access controls, reauthentication might occur more frequently.

2. Cons of Using an Organizational Account

What are the potential downsides of using an Organizational Account for this connection, particularly in a production setting where automation and stability are critical?

Potential drawbacks:

  • Security Risks: Using an Organizational Account grants broader access than needed, violating the principle of least privilege.
  • Management Complexity: Managing multiple Organizational Accounts for various processes can become cumbersome, leading to potential confusion and inconsistencies.
  • Stability Risks: If the Organizational Account gets locked, compromised, or its permissions are altered, it can interrupt your data flows unexpectedly, especially in production environments.

To mitigate these risks, I recommend using a service account (rather than individual accounts) to centralize and secure access.

3. Workaround for Client Credentials Flow

Is it possible to implement a client credentials flow (i.e., providing a client ID, client secret, and environment URL) to prevent frequent reauthentication, similar to Azure Synapse or Data Factory? If not, what options are available for maintaining a stable, long-term data connection from Salesforce?

Currently, there doesn’t appear to be support for client credentials flow in Dataflow Gen 2. You may want to reach out to Microsoft support for confirmation. As an alternative, you could explore:

  • Middleware Authentication Service: Set up a service to manage OAuth tokens, refresh them, and provide an API endpoint that Dataflow Gen 2 can call. This would ensure long-term stability and avoid reauthentication disruptions.
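The token-handling core of such a middleware service, as an added example that is not from the original post or any Microsoft or Salesforce code. `TokenBroker`, `ReauthRequired` and the injected `post` callable (which would send the form to the OAuth token endpoint) are hypothetical names, and the one-hour fallback lifetime is an assumption taken from the "around 1 hour" figure above.

```python
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; someone must sign in interactively again."""

class TokenBroker:
    """Caches an access token and renews it with the OAuth 2.0 refresh_token grant."""

    def __init__(self, post, client_id, client_secret, refresh_token,
                 ttl=3600, skew=300, clock=time.time):
        self._post = post              # callable(form: dict) -> dict (parsed JSON reply)
        self._form = {"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret, "refresh_token": refresh_token}
        self._ttl = ttl                # assumed lifetime when the reply has no expires_in
        self._skew = skew              # renew this many seconds before expiry
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token         # still fresh: no call to the token endpoint
        reply = self._post(dict(self._form))
        if "error" in reply:
            self._token = None         # never keep serving a token we could not renew
            if reply["error"] == "invalid_grant":
                raise ReauthRequired("refresh token expired or revoked")
            raise RuntimeError("token endpoint error: " + reply["error"])
        self._token = reply["access_token"]
        self._expires_at = self._clock() + int(reply.get("expires_in", self._ttl))
        return self._token

if __name__ == "__main__":
    # Constructed stand-in for the token endpoint so the example runs offline.
    replies = iter([{"access_token": "tok-1"}, {"error": "invalid_grant"}])
    now = [0.0]
    broker = TokenBroker(lambda form: next(replies), "CLIENT_ID", "CLIENT_SECRET",
                         "REFRESH_TOKEN", clock=lambda: now[0])
    print(broker.access_token())       # fetched from the (fake) endpoint
    print(broker.access_token())       # served from cache
    now[0] = 3400                      # inside the 300 s renewal window
    try:
        broker.access_token()
    except ReauthRequired as exc:
        print("alert operators:", exc)
```

In a real deployment the client secret and refresh token would be read from a secret store rather than passed as literals, and `ReauthRequired` would raise an alert instead of letting the dataflow fail silently.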
