Set Up Power BI
The following sections provide a step-by-step guide to configuring the Power BI Service environment and enabling API access for metadata ingestion. Follow the steps in the specified order, as each must be completed to fully set up the environment:
Register a Client Application in Microsoft Entra ID
Important
To register an application in Microsoft Entra ID, you must have one of the following roles: Global Administrator, Application Administrator or Cloud Application Administrator. This will be required if the creation of registered applications is not enabled for the entire organization. If you do not have the required permissions, contact your administrator.
Initially, you must register a client application in Microsoft Entra ID. Follow the steps below to register your client application:
In the Azure portal, select Microsoft Entra ID.
From the navigation menu on the left side, select App registrations.
Select New registration.
Enter a name for your client application.
Click Register.
After registering the application, you can find the Application (client) ID and Directory (tenant) ID on the Overview page in the left menu. Make a note of these values for later use.
From the left menu option, click Certificates & secrets.
Add a new client secret.
After creating the secret, a value will be displayed. Copy and save it in a secure location, as it will be hidden once you leave the page.
Create a Security Group in Microsoft Entra ID
Important
You must have at least the Groups Administrator or User Administrator role assigned to create groups. Review the appropriate Microsoft Entra roles for managing groups.
To create a security group and add members, follow these steps:
Sign in to the Microsoft Entra admin center.
Browse to Identity > Groups > All groups.
Select New group.
Select Security as Group type.
Enter a Group name and (optionally) a Group description.
Under the Members section, select the No members selected link.
Based on the authentication method you want to configure, set up the following:
For Username and Password Authentication, search for the user and click to select it.
For Service Principal Authentication, search for the application registration created above and click to select it.
Click the Select button at the bottom of the window.
Click the Create button at the bottom of the window.
Assign Security Group and Role to Power BI Workspaces
Important
You must be at least a member of the Microsoft Power BI workspace where you want to add the security group in order to complete these steps.
There are three ways to add a security group to your workspace:
Manually, as detailed below.
Using the Groups - add group user API
Follow these steps to assign a Microsoft Power BI workspace role to the security group:
Navigate to the Microsoft Power BI homepage.
In the left-hand navigation pane, click on Workspaces.
Select the workspace you want to access from Data Catalog.
Click the Manage Access button located above the table.
In the Access pane, add the security group that was previously created.
On the dropdown menu, select Member or Admin.
Select Add.
Assign Workspaces to a Dedicated Capacity
Users can see a report’s preview image in Data Catalog only if its workspace is assigned to a dedicated capacity in Power BI.
Capacities represent a set of resources (storage, processor, and memory) used to host and deliver the Power BI content. Power BI embedded analytics offers two publishing solutions, while Microsoft Fabric provides a third. Each solution requires different SKUs:
Important
Before assigning a workspace to dedicated capacity, ensure that:
You have a Fabric Administrator or Capacity Administrator role.
You have at least a Member or Admin role in the workspace.
A dedicated capacity (Embedded, Premium or Fabric) has been provisioned in your organization.
To add a Power BI workspace to a dedicated capacity, you must follow these steps:
Navigate to the Microsoft Power BI homepage.
In the left-hand navigation pane, click on Workspaces.
Select the workspace you want to access from Data Catalog.
Click the Workspace settings button located above the table.
On the License Info tab, select Edit and switch the license mode to Premium capacity, Embedded or Fabric capacity.
Configure the Power BI Authentication Method
Data Catalog supports the following authentication methods for metadata ingestion from Microsoft Power BI:
Username and Password Authentication: Also known as Delegated User Authentication, this authentication method relies on using a username (in the form of an email address) and a password provided by the user to access Power BI metadata through the API. The user must be part of Azure Active Directory (AAD) with a Power BI admin role.
Service Principal Authentication: The Service Principal authentication method allows you to interact with the Power BI API without requiring a specific user. It uses a Service Principal, which is an identity registered in Azure Active Directory (AAD) for an application rather than relying on a user’s username and password. The Service Principal must be registered in Azure AD with assigned Power BI permissions.
Username and Password Authentication
To configure the Username and Password authentication method, you must follow the steps outlined in the sections below:
Assign Fabric Administrator Role in Microsoft 365
Important
You must have Microsoft 365 administrator privileges to complete these steps.
To be a Microsoft Fabric admin for your organization, you must be in one of the following roles:
Power Platform administrator
Fabric administrator
Users in Fabric administrator and Power Platform administrator roles have full control over org-wide Microsoft Fabric settings and admin features, except for licensing. Once a user is assigned an admin role, they can access the admin portal. These admin roles are ideal for users who need access to the Fabric admin portal without also granting those users full Microsoft 365 administrative access.
To assign users to a Fabric Administrator role in the Microsoft 365 admin portal, follow these instructions:
Navigate to the Microsoft 365 admin portal.
In the Microsoft 365 admin center, select Users > Active users.
Choose the user you want to make an admin (the user that will authenticate with the Username and Password method), and then select Manage roles.
In the Manage admin roles form, click the Show all by category dropdown to expand it. Then, under the Collaboration category, choose the Fabric Administrator role.
Select Save changes.
Assign Power BI API Permissions for Delegated User
Important
You must have one of the following roles to assign Power BI API Permissions: Global Administrator, Application Administrator or Cloud Application Administrator.
To assign Power BI API permissions for the Username and Password authentication method, you must follow these steps:
Navigate to the Azure portal.
Select App registrations.
Search for the previously created application and select it.
In the left pane of the app registration, under the Manage section, click API permissions.
Under the Configured permissions heading, click the Add a permission button.
In the Request API permissions menu, click to select Power BI Service.
When asked to choose the type of permission required by the application, click on Delegated permissions.
Grant the following Power BI Service permissions:
App.Read.All
Capacity.Read.All
Dashboard.Read.All
Dataflow.Read.All
Dataset.Read.All
Group.Read.All
Report.Read.All
Tenant.Read.All
Workspace.Read.All
Similarly to the previous steps, grant the Microsoft Graph User.Read permission as a delegated permission.
Set Admin consent required for the Tenant.Read.All permission to Yes.
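A least-privilege check for the delegated setup above, as an added example that is not part of the original guide: it decodes the `scp` claim of an access token issued to the registered application and reports scopes that are missing from, or go beyond, the read-only Power BI Service list in these steps. It assumes the token is a compact JWT whose `scp` claim is a space-separated scope list, as Microsoft Entra ID issues; `audit_delegated_scopes` and `make_sample_token` are hypothetical helper names, and the sample token is constructed.

```python
import base64
import json

# Delegated Power BI Service scopes listed in the steps above.
EXPECTED_SCOPES = frozenset({
    "App.Read.All", "Capacity.Read.All", "Dashboard.Read.All",
    "Dataflow.Read.All", "Dataset.Read.All", "Group.Read.All",
    "Report.Read.All", "Tenant.Read.All", "Workspace.Read.All",
})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Inspection only: never make an authorization decision on this output.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_delegated_scopes(token: str) -> dict:
    """Compare the token's `scp` claim with the read-only scopes from the guide."""
    granted = set(jwt_claims(token).get("scp", "").split())
    return {
        "missing": sorted(EXPECTED_SCOPES - granted),      # ingestion may fail
        "unexpected": sorted(granted - EXPECTED_SCOPES),   # more than the guide grants
    }


def make_sample_token(scopes: list) -> str:
    """Build an unsigned, constructed token for offline testing (not a real one)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}),
                     enc({"scp": " ".join(scopes)}), "sig"])


if __name__ == "__main__":
    # Constructed case: one expected scope absent, one write scope present.
    sample = sorted(EXPECTED_SCOPES - {"Tenant.Read.All"}) + ["Dataset.ReadWrite.All"]
    print(audit_delegated_scopes(make_sample_token(sample)))
```

An empty `unexpected` list means the application holds no Power BI scope beyond the ones this guide asks for; anything listed there is a candidate for removal from the app registration.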
Enable Tenant Settings for Delegated User
Important
You must have the Fabric Administrator role to perform these steps.
In the Power BI Admin portal, enable tenant settings for metadata scanning:
In the left-hand menu pane, click on Tenant settings.
Within the Admin API settings section, set up the following for the previously created security group:
Enable the Enhance admin APIs responses with detailed metadata option.
Enable the Enhance admin APIs responses with DAX and mashup expressions option.
Within the Export and sharing settings section, enable the Export reports as image files option for the previously created security group.
Service Principal Authentication
To configure the Service Principal authentication method, you must follow the steps outlined in the sections below:
Assign Power BI API Permissions for Service Principal
Important
You must have one of the following roles to assign Power BI API Permissions: Global Administrator, Application Administrator or Cloud Application Administrator.
To assign Power BI API permissions for Service Principal, you must follow these steps:
Navigate to the Azure portal.
Select App registrations.
Search for the previously created application and select it.
In the left pane of the app registration, under the Manage section, click API permissions.
Under the Configured permissions heading, click the Add a permission button.
In the Request API permissions menu, click to select Microsoft Graph.
When asked to choose the type of permission required by the application, click on Delegated permissions.
Grant the Microsoft Graph User.Read permission.
Important
You cannot have any API permissions with Admin consent set to Yes.
Except for the Microsoft Graph User.Read permission, no other delegated permissions should be configured for the service principal, as they are not used and may cause errors when attempting to access the API.
Enable Tenant Settings for Service Principal
Important
You must have the Fabric Administrator role to perform these steps.
To enable the API settings in Power BI for Service Principal, you must follow these steps:
Navigate to the Power BI Admin portal.
In the left-hand menu pane, click on Tenant settings.
Within the Developer settings section, enable the Service principals can use Fabric APIs option for the previously created security group.
Within the Admin API settings section, set up the following for the previously created security group:
Within the Export and sharing settings section, enable the Export reports as image files option for the previously created security group.