MetricSign
EN|NLRequest Access
Medium severitydata source

Power BI Refresh Error:
DF-SAPODP-StageStorageServicePrincipalCertNotSupport

What does this error mean?

The SAP ODP staging storage linked service is configured to use a service principal with certificate authentication, but the SAP ODP connector does not support certificate-based service principal authentication for staging storage. Only service principal with client secret, account key, SAS token, or managed identity are supported.

Common causes

  • 1The staging ADLS Gen2 or Blob linked service uses 'Service principal' authentication with 'Certificate' selected instead of 'Key'
  • 2A security policy mandated certificate-based service principals and the staging linked service was set up accordingly, not realizing the SAP ODP connector has a specific restriction
  • 3The staging linked service was copied from another linked service that uses certificate-based SP authentication

How to fix it

  1. 1In ADF Studio, open Manage > Linked services and open the staging linked service used by the SAP ODP source.
  2. 2Under Authentication method, if 'Service principal' is selected and 'Certificate' is the credential type, change it to 'Client secret' instead.
  3. 3Enter the client secret for the service principal (create a new one in Azure AD > App registrations > Certificates & secrets if needed).
  4. 4Alternatively, switch authentication to 'Account key' or 'Managed identity' — managed identity is the preferred option as it has no expiry.
  5. 5Click Test connection to confirm the updated credentials work, save the linked service, and retry the pipeline.

Frequently asked questions

Why doesn't the SAP ODP connector support certificate-based service principals for staging?

This is a known limitation of the ADF SAP ODP connector. The staging storage authentication for ODP uses a different code path than generic linked service auth. Use client secret or managed identity instead.

What is the recommended replacement for certificate-based SP auth?

Managed identity is the best replacement — no secrets or certificates to rotate. Assign the Storage Blob Data Contributor role to the ADF managed identity on the staging storage account.

Will this affect other pipelines using the same staging linked service?

Yes — any pipeline that uses the same staging linked service will fail for the same reason. Changing the auth method on the linked service fixes all of them at once.

Will downstream Power BI datasets be affected?

Yes — the pipeline cannot write staging data and fails without loading anything. The dependent dataset will show stale data until the linked service is corrected.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/data-flow-troubleshoot-guide

Other data source errors