Configure Microsoft Power BI OAuth in Azure AD

This article describes how to configure OAuth for your Microsoft Power BI application in Azure AD.

You’ll create a new application in Azure Active Directory with the required API permissions to access Power BI content, configure authentication settings including a redirect URI for Metric Insights, and generate credentials. These credentials will then be used to set up an OAuth-based Power BI data source in Metric Insights, enabling secure access to reports based on user-level permissions.

Enabling OAuth has the following benefits compared with the Username/Password authentication model:

  • Ability to view content in iframes based on user account permissions rather than service account permissions;
  • Available row-level security (RLS) without the need to use User Maps on MI side (you only have to enable RLS in Power BI).

Table of contents:

Video Tutorial

  1. Create an App for Use in Azure AD
    1. Access Microsoft Azure Portal
    2. Enter App Info
    3. Configure Authentication
    4. Add Office 365 Permissions
    5. Add Power BI Service Permissions
    6. Grant Admin Consent
    7. Add a Client Secret
    8. Copy Application ID
  2. Configure Power BI OAuth in Metric Insights
    1. Create New Power BI Data Source
    2. Configure Report Type: Access Admin > Plugins > External Report Types

Video Tutorial

Create an App for Use in Azure AD

1. Access Microsoft Azure Portal

  1. In Azure Portal, access App registrations
  2. [+ New registration]

2. Enter App Info

  1. Enter the App's Name
  2. Supported account types: "Accounts in this organizational directory only (<directory name> only - Single tenant)"
  3. Redirect URI: select Web, enter https://<MI hostname>/editor/service/validatepowerbioauth
  4. [Register]

3. Configure Authentication

  1. Access Authentication tab
  2. In the Implicit grant and hybrid flows section, activate Access tokens (used for implicit flows)
  3. [Save]

4. Add Office 365 Permissions

NOTE: Delegated permissions allow the application to access the API as the signed-in user.

  1. Access API Permissions tab
  2. [+ Add a permission]
  3. [Office 365 Management APIs]
  4. [Delegated permissions]
  5. Enable the following permission:
    • Activity Feed:
      • ActivityFeed.Read - This permission enables OAuth
  6. [Add permissions]

5. Add Power BI Service Permissions

  1. Access API Permissions tab
  2. [+ Add a permission]
  3. [Power BI Service]
  4. [Delegated permissions]
  5. Enable the following permissions to get a list of all Power BI Apps, Dashboards, Semantic Models, Reports, and Workspaces respectively:
    • App:
      • App.Read.All
    • Dashboard:
      • Dashboard.Read.All
    • Dataset:
      • Dataset.Read.All
    • Report:
      • Report.Read.All
    • Workspace:
      • Workspace.Read.All
  6. [Add permissions]

After Office 365 and Power BI Service permissions have been added, grant admin consent for the requested permissions:

  1. [Grant admin consent for <directory name>]
  2. [Yes]

7. Add a Client Secret

  1. Access Certificates & Secrets tab
  2. [+ New Client Secret]
  3. [Add]
  4. Copy and save Client Secret Value

8. Copy Application ID

  1. Access Overview tab
  2. Copy Application (client) ID

Configure Power BI OAuth in Metric Insights

1. Create New Power BI Data Source

Create new Data Source under Admin > Collection & Storage > Data Sources > [+ New Data Source] > Microsoft Power BI Cloud:

  1. Auth Type: "OAuth"
  2. Provide Application ID (see Step 8)
  3. Provide Client Secret if it has been generated (see Step 7)
  4. Enter the URL of your Microsoft Power BI server (this is the same URL that you see when accessing Microsoft Power BI via your web browser)
  5. [Get Token]
  6. Authenticate with Power BI Service account with access to necessary workspaces

NOTE: For more details on creating a Microsoft Power BI Data Source, see Establish Connectivity to Microsoft Power BI.

2. Configure Report Type: Access Admin > Plugins > External Report Types

The list page containing all External Report Types available in the system opens.

Below the grid, click [+ New Data Source].

  1. Image Source Plugin: Microsoft Power BI Cloud
  2. Drill-Down Authentications: "Power BI OAuth"
  3. Enable Auto generate URL
  4. [Save]

After External Report Type for Microsoft Power BI OAuth has been configured, proceed with creating an External Report.

NOTE: See Create an External Report from Power BI for details.