Configure Service Principal Auth for Microsoft Power BI

A Service Principal is an Azure application that is a member of a security group and acts on its behalf. It allows for automated tasks and resource access in Power BI without requiring user credentials.

  • Service Principal supports retrieving the following object types and creating lineage for them: WORKSPACE, DASHBOARD, TILE, REPORT (including RDLREPORT), SEMANTIC_MODEL.
  • Images can be collected for External Reports, but iframe embedding is not supported.

Table of contents:

  1. Create App in Azure
  2. Enter App Info
  3. Add Client Secret
  4. Create Security Group
  5. Add Azure App to Security Group
  6. Grant Permissions and Workspace Access for Azure Security Group in Power BI
    1. Allow Service Principals to Use Read-Only Power BI Admin APIs
    2. Allow Service Principals to use Fabric APIs
    3. Add Security Group to Workspace

1. Create App in Azure

Access Microsoft Azure Portal

  1. [App registrations]
  2. [+New registration]

2. Enter App Info

  1. Enter a descriptive App Name
  2. Supported account types: "Accounts in this organizational directory only (<directory name> only - Single tenant)"
  3. [Register]

3. Add Client Secret

Access Manage > Certificates & Secrets

  1. [+ New client secret]
  2. Description: Enter a name for the Client Secret
  3. [Add]
  4. Copy and save the Client Secret Value

4. Create Security Group

Access Microsoft Azure Portal

  1. Access Groups
  2. [New group]
  3. Group type: Security
  4. Enter a descriptive Group name
  5. Membership type: Assigned
  6. [Create]

5. Add Azure App to Security Group

  1. Access the previously created Security Group
  2. Access Manage > Members
  3. Enter the name of the created Azure app in search
  4. [Select]

6. Grant Permissions and Workspace Access for Azure Security Group in Power BI

Access Microsoft Power BI server > Settings > Admin Portal

6.1. Allow Service Principals to Use Read-Only Power BI Admin APIs

  1. Access Tenant settings
  2. Select Service principals can access read-only admin APIs
  3. [Enable]
  4. Apply to: Specific security groups
    • Select the previously created Azure security group
  5. [Apply]

6.2. Allow Service Principals to use Fabric APIs

  1. Select Service principals can use Fabric APIs
  2. [Enable]
  3. Apply to: The entire organization
    • Alternatively, select 'Apply to: Specific security groups' and grant access to the previously created Azure security group
  4. [Apply]

6.3. Add Security Group to Workspace

Access a Microsoft Power BI Workspace

NOTE: Adding security group to a Workspace may take up to 1 hour to apply.

  1. [Manage access]
  2. [+ Add people or groups]
  3. Select the previously created Azure security group
  4. Leave the default value 'Viewer'
  5. [Add]

Once Service Principal has been configured, proceed to create a Microsoft Power BI Cloud Data Source.