Summary
This article explains why Power BI Desktop fails to authenticate against Dremio using the ADBC (Arrow Flight SQL) connector when Dremio is deployed behind a load balancer with Microsoft Entra ID (Azure AD) SSO enabled. The connector defaults to reaching the OAuth token endpoint on port 9047, which is not exposed externally in load-balanced deployments where the externally reachable endpoint is typically port 443 on the load balancer. This article covers the root cause and the recommended workaround using the AuthorizationServerHost and AuthorizationServerPort parameters via Power BI Desktop's Advanced Editor (M-Query override).
Reported Issue
When attempting to connect Power BI Desktop to a Dremio instance deployed behind a load balancer with Entra ID SSO configured, the following error is returned:
ADBC: [FlightSQL] Post "https://<dremio_host>:9047/oauth/token": dial tcp <ip_address>:9047: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
The connection attempt times out because the ADBC connector is trying to reach the OAuth token endpoint directly on port 9047 of the backend Dremio host, which is not accessible from outside the network when Dremio is behind a load balancer. The load balancer exposes the service on port 443, not port 9047.
Overview
Dremio's ADBC connector for Power BI uses the Arrow Flight SQL protocol and requires an OAuth 2.0 token exchange as part of the authentication flow. When Entra ID (or another OIDC-conformant provider) is configured as the identity provider, Power BI Desktop hits Dremio's /oauth/token endpoint to exchange credentials for a Dremio session token before establishing the Flight SQL connection.
By default, the connector constructs this endpoint URL as https://<host>:9047/oauth/token using port 9047, which is Dremio's standard web UI and API port. In a typical on-premises or cloud-VM deployment where port 9047 is directly reachable, this works as expected.
However, when Dremio is deployed behind a load balancer, the load balancer typically terminates TLS and forwards traffic on a different internal port. Port 9047 is not exposed externally, and attempts to reach it time out. The externally reachable entry point for all Dremio traffic, including OAuth, is port 443 on the load balancer's hostname.
The ADBC connector provides two parameters; AuthorizationServerHost and AuthorizationServerPort as part of the 'M-Query language override specifically to handle this scenario. These allow you to override the host and port used for the OAuth token endpoint independently of the Flight SQL endpoint, pointing the connector at the correct external address for your deployment.
Relevant Versions Tools and Integrations
Power BI Desktop: All versions using the ADBC (Arrow Flight SQL) connector. This replaces the legacy ODBC connector. See the migration announcement for background.
Dremio: Any version with Entra ID (Azure AD) or OIDC SSO configured and deployed behind a load balancer or reverse proxy where port 9047 is not externally reachable.
Identity Provider: Microsoft Entra ID (Azure AD); the same issue and fix applies to any OIDC provider in a load-balanced deployment.
Affected connection type: ADBC / Arrow Flight SQL from Power BI Desktop.
Steps to Resolve
Use Power BI Desktop's Advanced Editor to supply the AuthorizationServerHost and AuthorizationServerPort parameters, directing the OAuth exchange to port 443 on your load balancer.
- Open Power BI Desktop.
- Go to Home → Transform data (click the button, not the drop-down). The Power Query Editor opens.
- In the Power Query Editor, go to Home → New Source → Blank Query.
- A new query called Query1 appears in the left panel.
- With Query1 selected, open Advanced Editor (from the Home tab or View tab).
- Replace the default code with the following, substituting your actual Dremio Flight SQL endpoint and load balancer hostname:
let
Source = DremioCloud.DatabasesByServerV370("adbc://<your_dremio_flight_sql_host>:32010", "Enabled-PEM", null, null, null, [AuthorizationServerHost="<your_load_balancer_hostname>", AuthorizationServerPort=443])
in
SourceExample (substituting real values):
let
Source = DremioCloud.DatabasesByServerV370("adbc://dremio.example.com:32010", "Enabled-PEM", null, null, null, [AuthorizationServerHost="dremio.example.com", AuthorizationServerPort=443])
in
Source- Confirm the bottom-left of the window shows a green tick with the message: "No syntax errors have been detected."
- Click Done.
- Click Edit Credentials and authenticate with your Entra ID credentials.
- Verify that you can successfully load or preview data from Dremio.
Common Challenges
Each Power BI Desktop user must apply this configuration independently. Because Power BI Desktop manages its own connection credentials per machine, every user who needs to add new Dremio data sources to a report must apply this M-Query override. This does not affect users who are simply refreshing existing reports that were already configured.
Parameters only need to be set once per new data source. You do not need to re-enter AuthorizationServerHost and AuthorizationServerPort for routine refreshes or day-to-day use. They are only required when initially adding a new Dremio table or dataset to a report.
The Advanced Editor is the only supported way to pass these parameters. There is no UI field in the standard Power BI connector dialog for these parameters. The M-Query Advanced Editor approach described above is the current recommended method for non-standard deployments.
Additional Resources
Dremio Announcement – Power BI Service connections migration from ODBC to ADBC: https://support.dremio.com/hc/en-us/articles/51909425120027-Announcement-Power-BI-Service-connections-migration-from-ODBC-to-ADBC
Dremio External Token Providers documentation: https://docs.dremio.com/current/security/authentication/application-authentication/external-token/
Dremio OAuth Token Exchange API Reference: https://docs.dremio.com/current/reference/api/oauth-token/#exchange-an-external-jwt
Configuring Dremio with Microsoft Entra ID (Azure AD): https://docs.dremio.com/current/security/authentication/identity-providers/oidc/