Granting Access

This article outlines how to use a service principal and an application ID for Power BI embedded analytics, focusing on authentication with an application ID and secret.

Step 1: Create an Azure AD app

Cloud: The Azure AD app should already be configured. If you forgot the name of the Azure AD app, you can find it on the Module Setup page in Business Central.

OnPrem: Set up an Azure AD app via the Azure portal or PowerShell, and obtain the application ID and secret after creation. The process involves registering the app, setting up certificates and secrets, and recording the client ID and service principal details (if using PowerShell).

Step 2: Create an Azure AD security group

To grant the service principal access to Power BI content and APIs, create a security group in Azure AD and add the service principal to this group. This can be done manually in Azure or using PowerShell.

Info

If you want to enable service principal access for the entire organization, skip this step.

There are two ways to create an Azure AD security group:

  • Manually (in Azure)
  • Use PowerShell

Create a security group by using PowerShell

The following sample script creates a new security group. It also adds the service principal that you created earlier to the new security group.

  1. Before you run the script, replace <app-client-ID> with the client ID that you recorded earlier for your new app.
  2. After you run the script, make a note of the object ID of the new security group, which you can find in the script output.
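PowerShell
# Sign in as an admin.
# Application.Read.All is enough to look up the service principal;
# Group.ReadWrite.All is needed to create the group and add a member to it.
Connect-MgGraph -Scopes "Application.Read.All", "Group.ReadWrite.All"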

# Get the service principal that you created earlier.
$servicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '<app-client-ID>'"

# Create an Azure AD security group.
$group = New-MgGroup -DisplayName "securitygroup1" -SecurityEnabled -MailEnabled:$False -MailNickName "notSet"
Write-Host "Object ID of new security group: " $($group.Id)

# Add the service principal to the group.
New-MgGroupMember -GroupId $($group.Id) -DirectoryObjectId $($servicePrincipal.Id)

Step 3: Enable Power BI Service Admin Settings

A Power BI admin needs to enable the settings that allow the Azure AD app to access Power BI content and APIs. These settings are in the Power BI Admin portal, under Tenant settings > Developer settings.

For an Azure AD app to access the Power BI content and APIs, a Power BI admin needs to enable the following settings:

  • Embed content in apps
  • Allow service principals to use Power BI APIs

In the Power BI Admin portal, go to Tenant settings, and scroll down to Developer settings.

  1. Enable Embed content in apps either for the entire organization or for the specific security group you created in Azure AD.

  2. Enable Allow service principals to use Power BI APIs either for the entire organization or for the specific security group you created in Azure AD.

Important

  • Service principals have access to any tenant settings they're enabled for. Depending on your admin settings, this includes specific security groups or the entire organization.
  • To restrict service principal access to specific tenant settings, allow access only to specific security groups. Alternatively, you can create a dedicated security group for service principals, and exclude it from the desired tenant settings.
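Because every member of the security group receives the tenant settings scoped to it, it is worth confirming that the group holds only the intended service principal. The following script is an added example, not part of the original page; the group object ID and client ID are placeholders you fill in from Step 1 and Step 2.

```powershell
# Added example (not from the original page). Placeholders are assumptions:
#   <security-group-object-ID> = object ID printed by the group-creation script
#   <app-client-ID>            = client ID of the Azure AD app from Step 1
Connect-MgGraph -Scopes "GroupMember.Read.All", "Application.Read.All"

$groupId  = "<security-group-object-ID>"
$expected = Get-MgServicePrincipal -Filter "AppId eq '<app-client-ID>'"
if (-not $expected) { throw "No service principal found for that client ID." }

# Direct members come back as generic directory objects; the concrete type
# and display name are carried in AdditionalProperties.
$members = Get-MgGroupMember -GroupId $groupId -All

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    [pscustomobject]@{
        DisplayName = $m.AdditionalProperties['displayName']
        Type        = $type
        ObjectId    = $m.Id
        Finding     = if ($m.Id -eq $expected.Id) { 'expected' }
                      elseif ($type -eq 'group')  { 'nested group: review its members' }
                      elseif ($type -eq 'user')   { 'user: covered by settings scoped to this group' }
                      else                        { 'unexpected principal' }
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize

# Flag a missing service principal and any member beyond it.
$unexpected = @($report | Where-Object Finding -ne 'expected')
if ($report.ObjectId -notcontains $expected.Id) {
    Write-Warning "The app's service principal is not a member of the group."
}
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) member(s) other than the app's service principal."
}
```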

Step 4: Add the Service Principal to Your Workspace

Grant the Azure AD app access to your Power BI workspace by adding the service principal or its security group to the workspace as a member or admin. This can be done manually, through PowerShell, or using the API.

There are three ways to add a service principal or its security group to your workspace:

  • Manually
  • Use PowerShell
  • Use the Groups - add group user API

Add a service principal or security group manually

  1. In the Power BI service, scroll to the workspace you want to enable access for. From its More menu, select Workspace access.
  2. In the Access pane, under Add admins, members, or contributors, add one of the following:
    1. Your service principal. The name of your service principal is the Display name of your Azure AD app, as it appears in your Azure AD app's overview tab.
    2. The security group that includes your service principal.
  3. On the dropdown menu, select Member or Admin.
  4. Select Add.

Add a service principal as a workspace member by using PowerShell

The following script adds a service principal as a workspace member. Before you run the script:

  1. Replace <service-principal-object-ID> with the object ID that you recorded earlier for your new service principal.
  2. Replace <workspace-name> with the name of the workspace that you'd like to give the service principal access to.
PowerShell
# Sign in to Power BI.
Login-PowerBI

# Set up the service principal ID.
$SPObjectID = "<service-principal-object-ID>"

# Get the workspace.
$pbiWorkspace = Get-PowerBIWorkspace -Filter "name eq '<workspace-name>'"

# Add the service principal to the workspace.
Add-PowerBIWorkspaceUser -Id $($pbiWorkspace.Id) -AccessRight Member -PrincipalType App -Identifier $($SPObjectID)
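
Once Steps 1 to 4 are complete, the setup can be checked from the app's side by signing in with the application ID and secret and listing the workspaces the service principal can reach. This is an added example, not part of the original page; the tenant ID, client ID and workspace name are placeholders, and the comparison against an allow-list is an assumption about how you want to verify least privilege.

```powershell
# Added example (not from the original page). Placeholders are assumptions.
$tenantId = "<tenant-ID>"
$clientId = "<app-client-ID>"
$allowed  = @("<workspace-name>")   # workspaces the app is meant to reach

# Prompt for the secret so it never lands in the script or shell history.
$secure = Read-Host -AsSecureString -Prompt "Client secret"
$secret = [System.Net.NetworkCredential]::new("", $secure).Password

# OAuth 2.0 client credentials grant, requesting the Power BI API scope.
$tokenRequest = @{
    Method = "Post"
    Uri    = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
    Body   = @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $secret
        scope         = "https://analysis.windows.net/powerbi/api/.default"
    }
}
$token = (Invoke-RestMethod @tokenRequest).access_token
Remove-Variable secret, tokenRequest

# List the workspaces visible to the service principal.
try {
    $resp = Invoke-RestMethod -Uri "https://api.powerbi.com/v1.0/myorg/groups" `
                              -Headers @{ Authorization = "Bearer $token" }
} catch {
    # A rejected call here usually points back to Step 2 or Step 3.
    throw "Power BI API call failed: $($_.Exception.Message)"
}

$visible = @($resp.value)
$missing = @($allowed | Where-Object { $_ -notin $visible.name })
$extra   = @($visible | Where-Object { $_.name -notin $allowed })

$visible | Select-Object name, id | Format-Table -AutoSize
if ($missing.Count -gt 0) {
    Write-Warning "Not reachable (check Step 4): $($missing -join ', ')"
}
if ($extra.Count -gt 0) {
    Write-Warning "Reachable but not on the allow-list: $($extra.name -join ', ')"
}
```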

Considerations & Limitations

  • "My Workspace" is not supported with a service principal.
  • Power BI admin rights are needed for enabling service principal in developer settings.
  • Limitations exist in API support and dataflow management.
  • Specific permissions are required for usage with Azure Analysis Services data source.