Help & Documentation
Open Support Ticket

Configure Microsoft Power BI OAuth in Azure AD

This article describes how to configure OAuth for your Microsoft Power BI application in Azure AD.

You’ll create a new application in Azure Active Directory with the required API permissions to access Power BI content, configure authentication settings including a redirect URI for Metric Insights, and generate credentials. In Power BI Service, assign the required permissions to the service account used for OAuth token retrieval. The Azure app credentials will then be used to set up an OAuth-based Power BI data source in Metric Insights, enabling secure access to reports based on user-level permissions.

Enabling OAuth has the following benefits compared with the Username/Password authentication model:

  • Ability to view content in iframes based on user account permissions rather than service account permissions;
  • Available row-level security (RLS) without the need to use User Maps on MI side (you only have to enable RLS in Power BI).

Table of contents:

Video Tutorial

  1. Create an App for Use in Azure AD
    1. Access Microsoft Azure Portal
    2. Enter App Info
    3. Configure Authentication
    4. Add Office 365 Permissions
    5. Add Power BI Service Permissions
    6. Grant Admin Consent
    7. Add a Client Secret
    8. Copy Application ID
  2. Grant Required Power BI Permissions to Service Account
    1. Enable Semantic Model Execute Queries REST API
    2. Grant Permissions to Read and Build Semantic Models
  3. Configure Power BI OAuth in Metric Insights
    1. Create New Power BI Data Source
    2. Configure Report Type: Access Admin > Plugins > External Report Types

Video Tutorial

Create an App for Use in Azure AD

1. Access Microsoft Azure Portal

  1. In Azure Portal, access App registrations
  2. [+ New registration]

2. Enter App Info

  1. Enter the App's Name
  2. Supported account types: "Accounts in this organizational directory only (<directory name> only - Single tenant)"
  3. Redirect URI: select Web, enter https://<MI hostname>/editor/service/validatepowerbioauth
  4. [Register]

3. Configure Authentication

  1. Access Authentication tab
  2. In the Implicit grant and hybrid flows section, activate Access tokens (used for implicit flows)
  3. [Save]

4. Add Office 365 Permissions

NOTE: Delegated permissions allow the application to access the API as the signed-in user.

  1. Access API Permissions tab
  2. [+ Add a permission]
  3. [Office 365 Management APIs]
  4. [Delegated permissions]
  5. Enable the following permission:
    • Activity Feed:
      • ActivityFeed.Read - This permission enables OAuth
  6. [Add permissions]

5. Add Power BI Service Permissions

  1. Access API Permissions tab
  2. [+ Add a permission]
  3. [Power BI Service]
  4. [Delegated permissions]
  5. Enable the following permissions to get a list of all Power BI Apps, Dashboards, Semantic Models, Reports, and Workspaces respectively:
    • App:
      • App.Read.All
    • Dashboard:
      • Dashboard.Read.All
    • Dataset:
      • Dataset.Read.All
    • Report:
      • Report.Read.All
    • Workspace:
      • Workspace.Read.All
  6. [Add permissions]

7. Add a Client Secret

  1. Access Certificates & Secrets tab
  2. [+ New Client Secret]
  3. [Add]
  4. Copy and save Client Secret Value

8. Copy Application ID

  1. Access Overview tab
  2. Copy Application (client) ID

Grant Required Power BI Permissions to Service Account

The service account used for OAuth token retrieval must have the appropriate Power BI API access and content permissions:

  1. Enable Semantic Model Execute Queries REST API
  2. Read and Build permissions to Semantic Models

1. Enable Semantic Model Execute Queries REST API

Access Settings > Admin Portal

  1. [Tenant Settings]
  2. Search for Semantic Model Execute Queries REST API
  3. [Enable]
  4. [Apply]

2. Grant Permissions to Read and Build Semantic Models

Open a Semantic Model

  1. [Manage permissions]
  2. Locate the service account user in the list, click [...]
  3. Ensure that the service account is a Workspace Viewer and has a build permission.

Alternatively, assign access via the Workspace menu:

  1. [Manage access]
  2. Locate the service account and assign the Member or Contributor role.

Configure Power BI OAuth in Metric Insights

1. Create New Power BI Data Source

Create new Data Source under Admin > Collection & Storage > Data Sources > [+ New Data Source] > Microsoft Power BI Cloud:

  1. Auth Type: "OAuth"
  2. Provide Application ID (see Step 8)
  3. Provide Client Secret if it has been generated (see Step 7)
  4. Enter the URL of your Microsoft Power BI server (this is the same URL that you see when accessing Microsoft Power BI via your web browser)
  5. [Get Token]
  6. Authenticate with the previously configured Power BI Service account with access to necessary workspaces

NOTE: For more details on creating a Microsoft Power BI Data Source, see Establish Connectivity to Microsoft Power BI.

2. Configure Report Type: Access Admin > Plugins > External Report Types

The list page containing all External Report Types available in the system opens.

Below the grid, click [+ New Data Source].

  1. Image Source Plugin: Microsoft Power BI Cloud
  2. Drill-Down Authentications: "Power BI OAuth"
  3. Enable Auto generate URL
  4. [Save]

After External Report Type for Microsoft Power BI OAuth has been configured, proceed with creating an External Report.

NOTE: See Create an External Report from Power BI for details.