Power BI Dataflow Fails to Connect to AAS Due to Firewall Restrictions

somyasri 0 Reputation points
2025-07-21T13:30:00.07+00:00

We faced an issue where Power BI Dataflows were unable to connect to Azure Analysis Services when the firewall was enabled, showing a “credential is invalid” error. Please find the error below:

User's image

However, the same credentials work correctly when the firewall is disabled, and Power BI reports/Semantic Model connect successfully even with the firewall turned on.

User's image

As per the above image, Power BI services shall be accessed when the firewall is enabled, but the Dataflow gives an error, whereas the semantic models work fine.

Can someone suggest any resolution for the same?

Azure Analysis Services

2 answers

  1. Nandan Hegde 36,396 Reputation points MVP Volunteer Moderator
    2025-07-22T13:35:23.5+00:00

    You can whitelist the IP of Power Query Online that MSFT provides for the region in which the Dataflow is created.

    https://www.microsoft.com/en-us/download/details.aspx?id=56519


  2. Pratyush Vashistha 975 Reputation points Microsoft External Staff Moderator
    2025-07-22T15:59:48.7366667+00:00

    Hello somyasri!

    Thanks for the update. That’s good that whitelisting PowerQueryOnline.WestUS IPs resolved the issue. It makes perfect sense why you'd have these questions.

    To answer your following questions,

    1. Why did whitelisting West US IPs solve it, when your tenant is in "United States" and AAS is in North Europe?

    Think of it like this: Even though your Power BI is generally in the "United States" region, the specific engine that runs your Dataflow refreshes (Power Query Online) is a massive, distributed service. For connections heading outside the US, or simply due to how their internal network routes traffic for efficiency, your dataflow's outbound connection ended up physically exiting Microsoft's network through a datacentre in West US. It acts as a dedicated "exit point" for those types of connections.

    2. How to ensure you're consistently whitelisting the correct IP ranges for reliable Dataflow connectivity?

    The best way is to use Azure Service Tags. Microsoft manages these tags, so when their internal IPs change or new exit points appear, the tag updates automatically, and your firewall rules stay correct.

    • If your Azure Analysis Services is in a Virtual Network (VNet): This is ideal. Go to the Network Security Group (NSG) on the VNet subnet where AAS lives. Add an inbound rule that allows traffic from the PowerQueryOnline Service Tag on port 2382. This covers all the necessary IPs without you having to manually update them.
    • If your Azure Analysis Services is a Public Endpoint (not in a VNet): The AAS firewall itself doesn't directly use service tags for IP rules. In this case, you'll need to automate pulling the IP ranges associated with the PowerQueryOnline service tag (from Microsoft's public IP list) and use a script (like PowerShell or Azure CLI) to update your AAS firewall rules regularly. This ensures you always have the most current IPs without manual effort.

    For more information, please refer to the following links:

    Service Tags:

    https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

    AAS FAQs:

    https://learn.microsoft.com/en-us/analysis-services/azure-analysis-services/analysis-services-network-faq?view=sql-analysis-services-2025

     

    I hope this helps. Let me know if you have any further questions or need additional assistance.

    Also, if this answers your query, do click "Accept the answer", which might be beneficial to other community members reading this thread.

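The public-endpoint option described in the second answer, as an added example (not code from the thread or from Microsoft): it reads the Service Tags JSON, converts one tag's IPv4 prefixes into start/end ranges, and diffs them against the existing firewall rules. The sample JSON, the `pqo-westus-` rule prefix and the rule-name format are constructed for illustration; the `firewallRuleName`/`rangeStart`/`rangeEnd` keys are assumed to match the AAS firewall rule shape, and applying the resulting plan with PowerShell or Azure CLI is left to your own tooling.

```python
import ipaddress
import json

# Constructed sample in the layout of the Service Tags JSON download.
# Addresses are documentation ranges, not real PowerQueryOnline prefixes.
SAMPLE_SERVICE_TAGS = json.loads("""
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "PowerQueryOnline.WestUS", "properties": {"region": "westus",
    "addressPrefixes": ["198.51.100.0/25", "198.51.100.128/25",
                        "203.0.113.16/30", "2001:db8::/48"]}},
  {"name": "PowerQueryOnline.NorthEurope", "properties": {"region": "northeurope",
    "addressPrefixes": ["192.0.2.0/28"]}}
]}
""")


def desired_rules(service_tags, tag_name, rule_prefix):
    """Turn one service tag's IPv4 prefixes into start/end range rules."""
    entry = next((v for v in service_tags["values"] if v["name"] == tag_name), None)
    if entry is None:
        raise KeyError(f"service tag {tag_name!r} not found in file")
    nets = [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    # AAS firewall rules are IPv4 start/end ranges, so IPv6 prefixes are skipped;
    # adjacent blocks are merged to keep the rule count low.
    merged = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    # Rule names are hypothetical: prefix + hex network address + prefix length.
    return [{"firewallRuleName": f"{rule_prefix}{int(n.network_address):08x}-{n.prefixlen}",
             "rangeStart": str(n[0]), "rangeEnd": str(n[-1])} for n in merged]


def span(rule):
    return rule["rangeStart"], rule["rangeEnd"]


def plan_update(current_rules, wanted_rules, rule_prefix):
    """Diff only the rules this job owns; rules with other names are never removed."""
    owned = [r for r in current_rules if r["firewallRuleName"].startswith(rule_prefix)]
    have, want = {span(r) for r in owned}, {span(r) for r in wanted_rules}
    return {"add": [r for r in wanted_rules if span(r) not in have],
            "remove": [r for r in owned if span(r) not in want]}


if __name__ == "__main__":
    prefix = "pqo-westus-"  # hypothetical naming convention for managed rules
    # Constructed current state: one stale managed rule and one hand-made rule.
    current = [
        {"firewallRuleName": prefix + "c0000240-26", "rangeStart": "192.0.2.64", "rangeEnd": "192.0.2.127"},
        {"firewallRuleName": "office-vpn", "rangeStart": "192.0.2.200", "rangeEnd": "192.0.2.200"},
    ]
    wanted = desired_rules(SAMPLE_SERVICE_TAGS, "PowerQueryOnline.WestUS", prefix)
    print(json.dumps(plan_update(current, wanted, prefix), indent=2))
```

Scoping removals to the managed prefix keeps a scheduled run from deleting manually maintained ranges such as an office or gateway rule.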
