Configure Microsoft Power BI OAuth in Azure AD

This article describes how to configure OAuth for your Microsoft Power BI application in Azure AD.

Enabling OAuth has the following benefits compared with the Username/Password authentication model:

  • Ability to view content in iframes based on user account permissions rather than service account permissions
  • Available row-level security (RLS) without the need to use User Maps on MI side (you only have to enable RLS in Power BI)

Video Tutorial

Create an App for Use in Azure AD

1. Access Microsoft Azure Portal

  1. In Azure Portal, access App registrations
  2. [+ New registration]

2. Enter App Info

  1. Enter the App's Name
  2. Supported account types: "Accounts in this organizational directory only (<directory name> only - Single tenant)"
  3. Redirect URI: add https://<MI hostname>.com/editor/service/validatepowerbioauth
  4. [Register]

The App menu is opened.

3. Add Office 365 Permissions

  1. Access API Permissions tab
  2. [+ Add a permission]
  3. [Office 365 Management APIs]
  4. [Delegated permissions]
  5. Enable the following permissions:
    • Activity Feed:
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
    • ServiceHealth:
      • ServiceHealth.Read
  6. [Add permissions]

 

4. Add Power BI Service Permissions

  1. Access API Permissions tab
  2. [+ Add a permission]
  3. [Power BI Service]
  4. [Delegated permissions]
  5. Enable the following permissions:
    • App:
      • App.Read.All
    • Dashboard:
      • Dashboard.Read.All
    • Dataset:
      • Dataset.Read.All
    • Report:
      • Report.Read.All
    • Workspace:
      • Workspace.Read.All
  6. [Add permissions]
  1. [Grant admin consent for <directory name>]
  2. [Yes]

6. Add a Client Secret

Optionally, you can enable Client Secret.

After the Client Secret has been generated, the Username/Password authorization will no longer work.

  1. Access Certificates & Secrets tab
  2. [+ New Client Secret]
  3. [Add]
  4. Copy and save Client Secret Value

7. Copy Application ID

  1. Access Overview tab
  2. Copy Application ID

Configure Power BI OAuth in Metric Insights

1. Create New Power BI Data Source:

Create new Data Source under Admin > Collection & Storage > Data Sources > [+ New Data Source] > Microsoft Power BI Cloud:

  1. Auth Type: "OAuth"
  2. Provide Application ID (see Step 8)
  3. Provide Client Secret if it has been generated (see Step 7)
  4. [Get Token]
  5. Authenticate with Power BI Service account with access to necessary workspaces

For more details on creating a Microsoft Power BI Data Source, see Establish Connectivity to Microsoft Power BI.

2. Configure Report Type: Access Admin > Plugins > External Report Types

The list page containing all External Report Types available in the system opens.

Below the grid, click [+ New Data Source].

  1. Image Source Plugin: Microsoft Power BI Cloud
  2. Drill-Down Authentications: "Power BI OAuth"
  3. Enable Auto generate URL
  4. [Save]

3. Configure External Report Using New Report Type: [+ New] > External Report > Microsoft Power BI OAuth

Provide all the required External Report information. On the Configuration tab:

  1. Report Image: "On Demand: only when needed for distribution"
  2. Image type: "Collect with user's credentials (1 image per user, per view)"

For more details on creating Microsoft Power BI External Reports, see Create an External Report from Power BI.