Configure Microsoft Power BI OAuth in Azure AD

This article describes how to configure OAuth for your Microsoft Power BI application in Azure AD.

Enabling OAuth has the following benefits compared with the Username/Password authentication model:

  • Ability to view content in iframes based on user account permissions rather than service account permissions
  • Available row-level security (RLS) without the need to use User Maps on MI side (you only have to enable RLS in Power BI)

Video Tutorial

Create an App for Use in Azure AD

1. Access Microsoft Azure Portal

  1. In Azure Portal, access App registrations
  2. [+ New registration]

2. Enter App Info

  1. Enter the App's Name
  2. Supported account types: "Accounts in this organizational directory only (<directory name> only - Single tenant)"
  3. Redirect URI: select Web, enter https://<MI hostname>.com/editor/service/validatepowerbioauth
  4. [Register]

3. Configure Authentication

  1. Access Authentication tab
  2. In the Implicit grant and hybrid flows section, activate Access tokens (used for implicit flows)
  3. [Save]

4. Add Office 365 Permissions

Note: Delegated permissions allow the application to access the API as the signed-in user.

  1. Access API Permissions tab
  2. [+ Add a permission]
  3. [Office 365 Management APIs]
  4. [Delegated permissions]
  5. Enable the following permission:
    • Activity Feed:
      • ActivityFeed.Read - This permission enables OAuth
  6. [Add permissions]

5. Add Power BI Service Permissions

  1. Access API Permissions tab
  2. [+ Add a permission]
  3. [Power BI Service]
  4. [Delegated permissions]
  5. Enable the following permissions to get a list of all Power BI Apps, Dashboards, Datasets, Reports, and Workspaces respectively:
    • App:
      • App.Read.All
    • Dashboard:
      • Dashboard.Read.All
    • Dataset:
      • Dataset.Read.All
    • Report:
      • Report.Read.All
    • Workspace:
      • Workspace.Read.All
  6. [Add permissions]
  1. [Grant admin consent for <directory name>]
  2. [Yes]

7. Add a Client Secret

Optionally, you can enable Client Secret.

  1. Access Certificates & Secrets tab
  2. [+ New Client Secret]
  3. [Add]
  4. Copy and save Client Secret Value

8. Copy Application ID

  1. Access Overview tab
  2. Copy Application (client) ID

Configure Power BI OAuth in Metric Insights

1. Create New Power BI Data Source:

Create new Data Source under Admin > Collection & Storage > Data Sources > [+ New Data Source] > Microsoft Power BI Cloud:

  1. Auth Type: "OAuth"
  2. Provide Application ID (see Step 8)
  3. Provide Client Secret if it has been generated (see Step 7)
  4. Enter the URL of your Microsoft Power BI server (this is the same URL that you see when accessing Microsoft Power BI via your web browser)
  5. [Get Token]
  6. Authenticate with Power BI Service account with access to necessary workspaces

For more details on creating a Microsoft Power BI Data Source, see Establish Connectivity to Microsoft Power BI.

2. Configure Report Type: Access Admin > Plugins > External Report Types

The list page containing all External Report Types available in the system opens.

Below the grid, click [+ New Data Source].

  1. Image Source Plugin: Microsoft Power BI Cloud
  2. Drill-Down Authentications: "Power BI OAuth"
  3. Enable Auto generate URL
  4. [Save]

3. Configure External Report Using New Report Type: [+ New] > External Report > Microsoft Power BI OAuth

Provide all the required External Report information. On the Configuration tab:

  1. Report Image: "On Demand: only when needed for distribution"
  2. Image type: "Collect with user's credentials (1 image per user, per view)"

For more details on creating Microsoft Power BI External Reports, see Create an External Report from Power BI.