Supercharging Power Apps with Snowflake: A Step-by-Step Guide
Power Apps has changed how businesses build apps fast, low-code, and simple. But when you pair it with the enterprise strength of Snowflake, the possibilities multiply.
In my latest article, I walk through exactly how to:
Set up a secure connection with Azure AD (OAuth)
Configure Snowflake for smooth integration
Create virtual tables in Dataverse backed by Snowflake data
Build apps that can read and write directly to Snowflake.
💡 Why these matters:
Snowflake gives you scale and advanced analytics
Power Apps lets you turn ideas into apps quickly
Together, they enable data-driven apps built on your cloud warehouse
If you’re exploring ways to connect business apps with enterprise data, this step-by-step guide is for you.
Create a Snowflake OAuth Resource in Azure AD
The first step is to set up an Azure AD App Registration that will handle authentication between Power Apps and Snowflake.
Navigate to Azure AD, create a new app with these settings:
Name: Snowflake OAuth Resource
Account type: Single tenant
Redirect URI: Leave blank
Once details are filled click on Register.
Once the app is registered, expand Manage, click on Expose an API, and select Add next to Application ID URI.
Save the default value or use a unique URI of a domain registered with the tenant. Copy this value, save it for later use.
Click on App roles and select Create app role
Configure the scope a client can request a token for, meaning this should be an existing role in Snowflake. The value should be in the format session:role:<role-name>.
We are using a custom role 'ANALYST' as an example
Select Overview and click on Endpoints
Copy and save the OAuth 2.0 token endpoint (v2) for later use
Open the OpenID Connect metadata document in a browser tab and copy the value of jwks_uri
Make sure you collect these key values (you’ll need them later):
Application ID URI
OAuth 2.0 token endpoint v2
JWKs URI
Create a Snowflake OAuth Client App in Azure AD
Now that we’ve created the OAuth Resource App, the next step is to set up an OAuth Client App in Entra ID (Azure AD). This client represents the application that will request tokens from Azure AD to authenticate with Snowflake.
Navigate to Azure AD, create a new app with these settings:
Name: Snowflake OAuth Client
Account type: Single tenant
Redirect URI: Leave blank
Once the app is registered, in the Overview tab, copy the Application (client) ID for later use
Click on Certificates & secrets and then New client secret.
Write a Description, select an expiry duration, and then click Add.
Copy the Value of the newly created client secret, it will be used later.
Please note that the secret value will only be visible when you create the secret for the first time, if you access the secret later, the value will be masked.
Click API Permissions and then Add a Permission.
Select APIs my organization uses and search for the Snowflake OAuth Resource.
Tick the check box below permissions and click on Add permissions
Select Grant admin consent and then Yes
Confirm that you have the below values from this OAuth Client app registration step:
Application (client) ID (<Client_ID>)
Client secret (<Client_Secret>)
Request and decode the OAuth Access Token
Use this step to manually request a token from Entra. When using a 3rd party application as the client, this is typically not needed and a step the client application will perform transparently.
Request the OAuth Access Token
Open the Windows PowerShell and run below command created using above details:
curl -X POST `
-H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" `
--data-urlencode "client_id=<Client_ID>" `
--data-urlencode "client_secret=<Client_Secret>" `
--data-urlencode "grant_type=client_credentials" `
--data-urlencode "scope=<Scope>/.default" `
"<Token_Endpoint>"
Example:
curl.exe -X POST `
-H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" `
--data-urlencode "client_id= c5d18753-fdfa-4423-a606-3e1ac8035544" `
--data-urlencode "client_secret= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" `
--data-urlencode "grant_type=client_credentials" `
--data-urlencode "scope= api://5bd6de8c-dcf7-4b1f-969e-07bbea0b4f08/.default" `
"https://login.microsoftonline.com/90b05d6a-fcff-4db0-9040-eb3f72d9f2bc/oauth2/v2.0/token"
Execute the command in your terminal, a successful response would be like the below:
{
"token_type":"Bearer",
"expires_in":3599,
"ext_expires_in":3599,
"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsIm.......FTU5nctRpmaA"
}
Decode the OAuth Access Token
Copy the value of the access_token (from the previous step) and decode it on an online decoder of your choice (e.g. jwt.ms), it will provide the details present in the token.
https://sts.windows.net/4c481368-xxxx-xxxx-xxxx-3844f846d0ca/",
"oid": "3d63d2ef-abb5-4029-bea5-c72c0652895d",
"rh": "1.AYIAaBNITGZFAUGcDDhE-EbQyi7MprcWchxIhpzKmCKYJ8CCAACCAA.",
"roles": [
"session:role:ANALYST"
],
"sub": "3d63d2ef-abb5-4029-bea5-c72c0652895d",
"tid": "4c481368-xxxx-xxxx-xxxx-3844f846d0ca",
"uti": "LcudwZszi06vgEbDZmqUAA",
"ver": "1.0"
}.[Signature]
Make sure the following attributes from the decoded token match the configuration in Entra.
aud = Application ID URI configured
roles = App role configured
Ex:
iss = https://sts.windows.net/90b05d6a-fcff-4db0-9040-eb3f72d9f2bc/
aud = api://5bd6de8c-dcf7-4b1f-969e-07bbea0b4f08
roles = session:role:ANALYST
Create an External OAuth Security Integration in Snowflake
Up to this point, all the configuration has been on the Azure AD side (Resource App and Client App). Now it’s time to bring Snowflake into the picture.
This step tells Snowflake to trust and accept the OAuth access tokens issued by Azure AD. Without this trust relationship, Snowflake won’t recognize or validate the tokens.
Create the Security Integration
From the above details fill the below details:
AZURE_ISSUER = iss value
AUDIENCE = aud value
AZURE_JWS_KEY_ENDPOINT = <JWKS_URI\> value from Create a Snowflake OAuth Resource in Azure AD step
Run the following SQL in Snowflake:
CREATE SECURITY INTEGRATION EXTERNAL_OAUTH_AZURE
TYPE = external_oauth
ENABLED = true
EXTERNAL_OAUTH_TYPE = azure
EXTERNAL_OAUTH_ISSUER = '<AZURE_AD_ISSUER>'
EXTERNAL_OAUTH_JWS_KEYS_URL = '<AZURE_AD_JWS_KEY_ENDPOINT>'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('<AUDIENCE>')
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';
Ex:
CREATE SECURITY INTEGRATION EXTERNAL_OAUTH_AZURE
TYPE = external_oauth
ENABLED = true
EXTERNAL_OAUTH_TYPE = azure
EXTERNAL_OAUTH_ISSUER = 'https://sts.windows.net/4c481368-xxxx-xxxx-xxxx-3844f846d0ca/'
EXTERNAL_OAUTH_AUDIENCE_LIST = ('api://b7a6cc2e-7216-481c-869c-ca98229827c0')
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://login.microsoftonline.com/4c481368-xxxx-xxxx-xxxx-3844f846d0ca/discovery/v2.0/keys'
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'sub'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name';
Verify the Access Token against the Security Integration
Now that the External OAuth Security Integration is set up in Snowflake, it’s time to confirm that Azure AD tokens are being validated correctly.
Use the function SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN(<token>) to confirm whether your token will be accepted by your Snowflake account or not.
Ex:
SELECT SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsIm.......FTU5nctRpmaA');
A successful validation would look like the below:
Token Validation finished.
{
"Validation Result":"Passed",
"Issuer":"https://sts.windows.net/4c481368-xxxx-xxxx-xxxx-3844f846d0ca/",
"Extracted User claim(s) from token":"3d63d2ef-abb5-4029-bea5-c72c0652895d"
}
Notice that the extracted user claim is not a username it’s an object ID from Azure AD. This ID uniquely identifies the OAuth Client App you registered in Step (Create a Snowflake OAuth Client App in Azure AD). Keep this value handy, as we’ll need it for the next step.
Create a System User in Snowflake
The last step is to create a dedicated system user in Snowflake to represent the client application (e.g., SnowSQL). Think of this as a service account that authenticates using OAuth.
Key considerations:
The LOGIN_NAME must exactly match the extracted claim from the token validation step.
The role defined in your decoded token (Step - Decode the OAuth Access Token) must be granted to this user. Ideally, set it as the DEFAULT_ROLE.
Ensure the role is not blocked in the EXTERNAL_OAUTH_BLOCKED_ROLES_LIST of your integration.
Example:
CREATE USER SNOWSQL_OAUTH_USER
LOGIN_NAME = '3d63d2ef-abb5-4029-bea5-c72c0652895d'
DISPLAY_NAME = 'SnowSQL OAuth User'
COMMENT = 'A system user for SnowSQL client to be used for OAuth based connectivity';
CREATE ROLE ANALYST;
GRANT ROLE ANALYST TO USER SNOWSQL_OAUTH_USER;
Connect to the Snowflake account using the Access Token
With all the configuration complete, your client application can now connect to Snowflake using the OAuth access token.
Powershell command:
snowsql -a <snowflake-accountname> -u ‘sub-value’ -r <snowflake-role from above> –authenticator oauth –token <token from above>
Ex:
snowsql -a BAUVIIM-IW47538 -u ‘fd53bb78-c56d-4180-972e-5765d0e6ac69’ -r ANALYST --authenticator oauth --token "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkpZaEFjVFBNWl9MWDZEQmxPV1E3SG4wTmVYRSIsImtpZCI6Ikp....."
A successful login looks like this:
* SnowSQL * v1.2.29
Type SQL statements or !help
3d63d2ef-abb5-4029-bea5-c72c0652895df#(no warehouse)@(no database).(no schema)>SELECT CURRENT_ROLE();
+----------------+
| CURRENT_ROLE() |
|----------------|
| ANALYST |
+----------------+
1 Row(s) produced. Time Elapsed: 0.084s
3d63d2ef-abb5-4029-bea5-c72c0652895d#(no warehouse)@(no database).(no schema)>
⚠️ A few important notes:
You must use the LOGIN_NAME when establishing the connection.
By default, Azure AD access tokens expire after one hour. If your token expires, repeat Step 3 to generate a fresh token.
When connecting on Windows, always enclose both the login name and the token in double quotes.
Note: This final step proves that your OAuth integration is working end-to-end. With the connection established, you now have a secure, passwordless way for apps and clients to authenticate into Snowflake—fully governed by Azure AD and Snowflake roles.
Setup the Connector in Power Apps or Power Automate
With the OAuth integration in place, the final step is to bring everything together inside Power Apps (or Power Automate). This will let you directly connect to your Snowflake data.
Configure the Connector
Ex:
Snowflake SaaS URL: BAUVIIM-IW47538.snowflakecomputing.com
Snowflake database: NARSIMHA_DB
Warehouse name: NARSIMHA_WH
Role: ANALYST
Schema: NARSIMHA_SCHEMA
Tenant: 90b05d6a-xxxx-xxxx-xxxx-xxxxxxd9f2bc
Client ID: c5d18753-fdfa-4423-a606-3e1ac8035544
Client Secret: WLN8Q~xxxxxxxxxxxxxxxxxxxxxx
Resource URL api://xxxxxxxx-xxxx-4b1f-969e-07bbea0b4f08
Click Create and verify that the connection is established successfully.
Before you proceed with the table creation in Power Apps, make sure to define the primary key in Snowflake table.
ALTER TABLE CUSTOMER_PRESEGMENT
ADD CONSTRAINT CUSTOMER_PRESEGMENT_pk PRIMARY KEY (ID);
Build a Power App Backed by Snowflake Data
After you have configured Power Apps Connector to Snowflake, go to Power Apps
- Click Tables -> Create Virtual Table
Select the connection created and click next
The list of tables from Snowflake will be visible and select and click next.
Keep the same table name or choose your own name. Make sure to select the primary key as same as defined in Snowflake.
Click finish and wait for the Dataverse table to be created.
Build an App
Create a Canvas or Model-Driven App and connect the Dataverse table created. Then perform the CRUD operations and verify the same in Snowflake.
I am creating a Canvas app here
Click Apps, click [Start with a page design]
Select a Dataverse table, and search CUSTOMER_PRESEGMENT and click Create App
Give a name and save the app.
Click the Play button.
Test Create, Update, and Delete Operations
With the integration live, it’s time to validate that data changes flow both ways between your Power Apps canvas app and Snowflake.
From Power Apps to Snowflake
Open your canvas app connected to the CUSTOMER_PRESEGMENT virtual table.
Perform basic operations such as: Create, Update and Delete
Switch over to Snowflake and query the same table. You should see the changes reflected immediately, confirming that Power Apps is successfully writing back to Snowflake.
From Snowflake to Power Apps
In Snowflake, directly run SQL commands on the CUSTOMER_PRESEGMENT table to:
Return to your canvas app in Power Apps and refresh the data. You should now see the updates applied inside the app.
Conclusion Connecting Microsoft Power Apps with Snowflake through Azure AD OAuth unlocks a new level of enterprise app development. With this setup, you can:
Build secure, scalable apps without handling credentials directly
Empower business users to perform CRUD operations while keeping Snowflake as the single source of truth
Govern access through Azure AD roles and Snowflake permissions
Conclusion
Connecting Microsoft Power Apps with Snowflake through Azure AD OAuth unlocks a new level of enterprise app development. With this setup, you can:
Build secure, scalable apps without handling credentials directly
Empower business users to perform CRUD operations while keeping Snowflake as the single source of truth
Govern access through Azure AD roles and Snowflake permissions
This integration bridges the gap between low-code app innovation and enterprise-grade data platforms. Whether you’re modernizing internal apps or enabling analytics-driven decision making, this approach ensures security, scalability, and simplicity.
