Power BI Admin Authentication Configuration
To configure Power BI, We need to set the application in Azure Active Directory.
This application will be the communication point for the PowerBIAgent. All calls to the Microsoft APIs will be made on behalf of this application.
note
This guideline assumes that the user has a tenant in Azure. If the tenant is not present, please refer to How to set up an Azure tenant for steps to acquire a tenant.
important
Contact the Active Directory Administrator to perform the following steps as some of the actions will require administrator consent.
Power BI agent requires oAuth authentication for both admin and users.
There are 3 main steps to configure Power BI agent:
- Set up the Application in Azure
- Create the Application Secret
- Configure Permissions for the Application
Set up the Application in Azure#
Open the Azure portal > https://portal.azure.com
Go to Azure Active Directory > App registrations > New registration.
Azure new application registration
Set Name, Supported account types, and Redirect URI of the application:
Application Registration
note
The type should be Native and the Redirect URI must be formatted as https://servername:port/Redirect
- Click Register.
Note the Application (client) ID upon successfully registering the application.
Application registered
- Provide the Application (client) ID under the key userclientid in the configuration of SharePoint in BI Hub.
- Click on the newly created Application and go to Authentication.
Authentication
- Select the tokens to be issued at authorization endpoints and also choose the supported account types.
Authentication access tokens
Create the Application Secret#
Go to Azure Portal > Azure Active Directory > App registrations and click on your application.
Navigate to Certificates & Secrets and click on New Client secret to add a new key.
User client secret setup
Specify a Description and Expiry duration for client secret and click Add.
Client secret submission
The UserClient secret is added and the value is displayed. Provide this under the key "USERCLIENTSECRET" during the configuration of Sharepoint agent in BI Hub
Copy the Client secret ID
note
Copy the client secret value. You will not be able to retrieve it after you perform another operation or leave this blade. If failed to note down the value, please repeat the step Set up the application in Azure to create a new key.
Configure Permissions for the Application#
The application requires some permission-level actions on behalf of the user.
- Go to Azure portal > Azure Active Directory > App registrations.
- Click on your application and select API permissions.
- Click Add a permission.
- Map the permissions for the APIs referring to the table below for Microsoft Graph API, Windows Azure Active Directory API and Microsoft Power BI API.
| API | Permissions | Access Details |
|---|---|---|
| Microsoft Graph | Profile | View Users Basic Profile |
| View Users Email Address | ||
| Group.Read.All | Read All Groups | |
| User.Read.All | Read all users' full profile | |
| Microsoft Azure Active Directory | Directory.Read.All | Read Directory Data |
| Group.Read.All | Read All Groups | |
| User.Read.All | Read All Users' full profiles | |
| User.Read | Sign in and read user profile | |
| Directory.AccessAsUser.All | Access the directory as the signed-in user | |
| Power BI Service | Dashboard.Read.All | View All Dashboards |
| Dataset.Read.All | View all datasets | |
| Metadata.View_Any | View Content Properties | |
| Report.Read.All | View All Reports | |
| Group.Read.All | View All Groups | |
| Group.Read | View User's Group | |
| App.Read.All | View All PowerBI Apps | |
| Capacity.Read.All | View all capacities | |
| Tenant.Read.All | View All content in tenant | |
| Workspace.Read.All | View all workspaces |
- Click Save and then click Grant Permissions to delegate the permissions to the service account.
Permissions granted
The permissions must be given to the BI Hub Power BI Agent service account:
- Office 365 Global Administrator
- Power BI Service Administrator