Power BI Prerequisites
    • 17 Sep 2024

    The following requirements and instructions support SaaS Authorization Management for Power BI.

    Microsoft Entra ID (formerly Azure AD)

    Ensure that you have a Microsoft Entra ID Tenant connected to Power BI, a Service Principal Application, and a Client ID and Client Secret as defined in the App definition.

    To Create and Connect an Application in Microsoft Entra ID

    1. In Microsoft Entra ID, create a new Application with Workspace.Read.All API Permissions.
    2. In the Application's API permissions, grant approval for Group.Read.All or GroupMember.Read.All.
    3. Create a security group named "PowerBIOrchestration" and connect it to the Service Principal Application.

    Modifying Existing Applications in Microsoft Entra ID

    If you already have an Application set up, modify the following permissions in Microsoft Entra ID:

    1. Set the Service Principal Application with the Workspace.Read.All scope.
    2. Grant Microsoft Graph Application permission to GroupMember.Read.All or Group.Read.All.

    Power BI

    Granting Access Permissions to Applications

    Ensure that Applications have the required permissions to access the relevant Workspaces or Datasets. You can grant Write access either manually or through automation, using the following methods:

    Method 1 - Manual Access

    • Grant the Service Principal Viewer access to each relevant Power BI Workspace.
    • Grant the Service Principal Write access to each relevant Dataset.

    Steps to manually grant Write permissions in Power BI:

    1. Select the workspace to view its items.
    2. Assign the Viewer role to the Service Principal for the relevant Workspace.
    3. In the Workspace, click Manage Access.
    4. Select the Application (represented as the Service Principal) and assign the Viewer role.
    5. For the relevant Dataset, assign the Write role to the Service Principal.

    Method 2 - Automated Write Access

    • Grant the Service Principal Viewer access to each relevant Power BI Workspace.
    • Automate Write access for each relevant Dataset using a script.
      • This approach is useful if you want to avoid assigning member access at the Workspace level and prefer automation for new Datasets.

    Method 3 - Assigning Member Permissions

    • Assign Member access to the Service Principal at the Workspace level. This automatically grants Write access permissions to all existing and future Datasets, eliminating the need for manual assignment.

    Setting Permissions:

    1. Select the workspace and choose the relevant Semantic Model.
    2. Click the three dots next to the model name and select Manage Permissions.
    3. Select the Application (Service Principal) and assign the necessary permissions.

    Important

    You can only discover Datasets where the Service Principal has Write permissions. If a Dataset has only View permissions, the connection will be successful, but the Dataset won’t be discovered for related policies.
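
    The discovery rule above can be checked before connecting. The following added example (not part of the original article or the product) audits user listings for one Service Principal, reporting which Datasets would be discovered and where a Workspace role broader than Viewer gives Write on every Dataset. The object ID, workspace and dataset names, and the response field names are assumptions, and the data is constructed.

```python
# Added example: audit a Service Principal's Power BI access offline.
# All IDs and listings below are constructed sample data.
SP_OBJECT_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder object ID

# Constructed data shaped like workspace and dataset user listings
# (field names are assumptions about the REST response shape).
WORKSPACES = {
    "Finance": {
        "users": [{"identifier": SP_OBJECT_ID, "principalType": "App",
                   "groupUserAccessRight": "Viewer"}],
        "datasets": {
            "Ledger": [{"identifier": SP_OBJECT_ID, "principalType": "App",
                        "datasetUserAccessRight": "ReadWrite"}],
            "Payroll": [{"identifier": SP_OBJECT_ID, "principalType": "App",
                         "datasetUserAccessRight": "Read"}],
        },
    },
    "Sales": {
        "users": [{"identifier": SP_OBJECT_ID, "principalType": "App",
                   "groupUserAccessRight": "Member"}],
        "datasets": {"Pipeline": []},
    },
}

def right_for(entries, key):
    """Return the Service Principal's right in a user listing, or 'None'."""
    for e in entries:
        if e.get("principalType") == "App" and e.get("identifier") == SP_OBJECT_ID:
            return e.get(key, "None")
    return "None"

def audit(workspaces):
    """Map (workspace, dataset) -> finding; workspace-level notes use dataset None."""
    findings = {}
    for ws, data in workspaces.items():
        role = right_for(data["users"], "groupUserAccessRight")
        if role == "None":
            findings[(ws, None)] = "no workspace role: grant Viewer"
        elif role != "Viewer":
            findings[(ws, None)] = f"{role}: Write on all existing and future datasets"
        for ds, users in data["datasets"].items():
            right = right_for(users, "datasetUserAccessRight")
            # Write comes from a dataset-level grant or a role above Viewer.
            writable = role not in ("None", "Viewer") or "Write" in right
            findings[(ws, ds)] = "discoverable" if writable else f"not discoverable ({right})"
    return findings

if __name__ == "__main__":
    for key, finding in audit(WORKSPACES).items():
        print(key, "->", finding)
```

    A Workspace-level finding such as the one for "Sales" marks where Method 3 is in use and the Service Principal holds more than the per-Dataset Write that Methods 1 and 2 grant.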

    Admin Portal Configuration

    1. Open your Power BI Workspace.
    2. On the top right, click the Settings icon.
    3. Click on Admin portal.
    4. In the left side-panel, click on Tenant settings.
    5. In the Developer settings, enable Allow service principals to use Power BI APIs.
      • Select the security groups connected to the Service Principal Application created earlier.
        • Example: “PowerBIOrchestration”
    6. In the Integration settings, enable Allow XMLA endpoints and Analyze in Excel with on-premises datasets.
      • Select the security groups connected to the Service Principal Application created earlier.
        • Example: “PowerBIOrchestration”
    7. Click Apply.

    Premium Per User Settings

    Ensure that your Power BI Workspace is set to Premium per-user. You can locate this setting in the Power BI Workspace Settings.

    1. In the left side-panel, click on Premium Per User settings and select the relevant workspace.
    2. In the XMLA Endpoint dropdown, select Read Write.
    3. Click Apply.

    Important

    When working in Learn Mode, the Premium Per User XMLA Endpoint can be set to Read. However, when working in Manage Mode, the XMLA Endpoint must be set to Read Write. See the Learn and Manage Modes article for more information.

    Setting up Capacity Settings

    1. In the left side panel, click on Capacity settings.
    2. Choose the capacity you need according to capacity configuration (Power BI Workload, Capacity Usage Report, etc.).
    3. Select the relevant workspace and expand Power BI workloads.
    4. In Power BI Workloads, locate the XMLA Endpoint dropdown and select Read Write.
    5. Click Apply.

    Note: Your capacity may be predefined according to your Power BI license.

    Important

    The option chosen in the XMLA Endpoint in the Capacity Settings overrides the XMLA Endpoint set in the Premium Per User settings.

    Licenses and XMLA Endpoints

    Adjusting the XMLA endpoint at the Capacity Settings level may also override the Workspace license setting and change it to Trial. If you remove the Capacity Name from the Capacity Settings in the Trial section, the Workspace license will switch to Pro, which does not have permissions to change XMLA endpoints. Workspaces cannot be discovered or deployed if using a Pro license.
