Integrating Power BI (formerly Azure AD) Policy Orchestration Points (POPs) allows organizations to enforce tailored Authorization Policies within their Environments. This section outlines the prerequisites for setting up Power BI POPs and provides detailed instructions for creating and managing them, ensuring seamless integration and Policy enforcement.
Following is a set of requirements and instructions to support and manage SaaS Authorization Management for Power BI.
Microsoft Entra ID Prerequisites
Ensure that you have a Microsoft Entra ID Tenant connected to Power BI, a Service Principal Application, and a Client ID and Client Secret as defined in the App definition.
Managing Applications
To create and manage Applications:
- In Microsoft Entra ID, create a new Application with `Workspace.Read.All` API Permissions.
- In the Application's API permissions, grant approval for `Group.Read.All` or `GroupMember.Read.All`.
- Create a security group named "PowerBIOrchestration" and connect it to the Service Principal Application.
If you already have an Application set up, modify the following permissions in Microsoft Entra ID:
- Set the Service Principal Application with the `Workspace.Read.All` scope.
- Grant Microsoft Graph Application permission to `GroupMember.Read.All` or `Group.Read.All`.
Power BI Prerequisites
Granting Access Permissions to Applications
Ensure that Applications have the required permissions to access the relevant Workspaces or Datasets. You can grant `Write` access either manually or through automation, using the following methods:
Method 1 - Manual Access
- Grant the Service Principal `Viewer` access to each relevant Power BI Workspace.
- Grant the Service Principal `Write` access to each relevant Dataset.
Steps to manually grant `Viewer` and `Write` permissions in Power BI:
- To grant `Viewer` permissions in a Workspace:
  - Click on Workspaces.
  - Hover over the relevant Workspace and click on the three dots.
  - Click on Workspace access.
  - Select the Application (represented as the Service Principal) and assign the Viewer role.
- To grant `Write` permissions in a Dataset:
  - Select the workspace and choose the relevant Semantic Model.
  - Click the three dots next to the model name and select Manage Permissions.
  - Select the Application (Service Principal) and assign the `Write` role.
Method 2 - Automated Write Access
- Grant the Service Principal `Viewer` access to each relevant Power BI Workspace.
- Automate `Write` access for each relevant Dataset using a script.
- This approach is useful if you want to avoid assigning `Member` access at the Workspace level and prefer automation for new Datasets.
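Method 2 leaves the script to you; the following Python is an added example (not the product's or Microsoft's code) of granting the service principal `ReadWrite` on every dataset in a workspace through the Power BI REST API. It assumes a client-credentials token for an automation identity that already holds admin or member rights on the workspace (not the orchestration service principal itself), that `sp_object_id` is the orchestration service principal's object ID, and that the helper names `needs_write_grant` and `write_grant_payload` are chosen here.

```python
"""Method 2 helper: grant the orchestration service principal Write on every dataset
in a workspace via the Power BI REST API (added example; assumptions in the lead-in)."""
import json
import urllib.parse
import urllib.request

API = "https://api.powerbi.com/v1.0/myorg"

def get_token(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials flow against the tenant's v2.0 token endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://analysis.windows.net/powerbi/api/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def call(token, method, path, payload=None):
    """Minimal JSON call helper for the Power BI REST API."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}

def needs_write_grant(dataset_users, sp_object_id):
    """True unless the service principal (principalType App) already holds a ReadWrite* right."""
    for user in dataset_users:
        if user.get("principalType") == "App" and user.get("identifier") == sp_object_id:
            return not user.get("datasetUserAccessRight", "").startswith("ReadWrite")
    return True

def write_grant_payload(sp_object_id):
    """Body for POST .../datasets/{id}/users that grants Write to the service principal."""
    return {"identifier": sp_object_id, "principalType": "App",
            "datasetUserAccessRight": "ReadWrite"}

def ensure_write_on_all_datasets(token, workspace_id, sp_object_id):
    """Grant Write on each dataset that lacks it; return the ids of datasets changed."""
    changed = []
    for ds in call(token, "GET", f"/groups/{workspace_id}/datasets")["value"]:
        path = f"/groups/{workspace_id}/datasets/{ds['id']}/users"
        if needs_write_grant(call(token, "GET", path)["value"], sp_object_id):
            call(token, "POST", path, write_grant_payload(sp_object_id))
            changed.append(ds["id"])
    return changed
```

Run `ensure_write_on_all_datasets(get_token(tenant, client_id, secret), workspace_id, sp_object_id)` on a schedule so newly published datasets pick up Write without a Member grant at the Workspace level.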
Method 3 - Assigning Member Permissions
- Assign `Member` access to the Service Principal at the Workspace level. This automatically grants `Write` access permissions to all existing and future Datasets, eliminating the need for manual assignment.
You can only discover Datasets where the Service Principal has `Write` permissions. If a Dataset has only `View` permissions, the connection will be successful, but the Dataset won't be discovered for related policies.
Admin Portal Configuration
- Open your Power BI Workspace.
- On the top right, click the Settings icon.
- Click on Admin portal.
- In the left side-panel, click on Tenant settings.
- In the Developer settings, enable Allow service principals to use Power BI APIs.
  - Select the security groups connected to the Service Principal Application created earlier.
  - Example: "PowerBIOrchestration"
- In the Integration settings, enable Allow XMLA endpoints and Analyze in Excel with on-premises datasets.
  - Select the security groups connected to the Service Principal Application created earlier.
  - Example: "PowerBIOrchestration"
- Click Apply.
Premium Per User Settings
Ensure that your Power BI Workspace is set to Premium Per User. You can locate this setting in the Power BI Workspace Settings.
- In the left side-panel, click on Premium Per User settings and select the relevant workspace.
- In the XMLA Endpoint dropdown, select Read Write.
- Click Apply.
When working in Learn Mode, the Premium Per User XMLA Endpoint can be set to Read. However, when working in Manage Mode, the XMLA Endpoint must be set to Read Write. Check out the Learn and Manage Modes article for more information.
Setting up Capacity Settings
- In the left side panel, click on Capacity settings.
- Choose the capacity you need according to capacity configuration (Power BI Workload, Capacity Usage Report, etc.).
- Select the relevant workspace and expand Power BI workloads.
- In Power BI Workloads, locate the XMLA Endpoint dropdown and select Read Write.
- Click Apply.
Note: Your capacity may be predefined according to your Power BI license.
The option chosen in the XMLA Endpoint in the Capacity Settings overrides the XMLA Endpoint set in the Premium Per User settings.
Adjusting the XMLA endpoint at the Capacity Settings level may also override the Workspace license setting and change it to Trial. If you remove the Capacity Name from the Capacity Settings in the Trial section, the Workspace license will switch to Pro, which does not have permissions to change XMLA endpoints. Workspaces cannot be discovered or deployed if using a Pro license.
All Policy Orchestration Points are listed on the Orchestration Workspace. Next to the name of each POP is the vendor icon. To create a POP, you will need the following information:
- Authentication Method: this will be set to Service Principal
- Client ID
Manage Connections and Gateway Configurations
In Manage Mode, make sure to assign 'User' permissions to the Service Principal Application for all data connections associated with the Semantic Model.
To view and manage data connections head to Manage Connections and Gateways in the Power BI console.
Unsupported Semantic Models
The following semantic models are not supported. These semantic models do not appear under the workspace in SSMS or in other tools:
- Semantic models based on a live connection to an Azure Analysis Services or SQL Server Analysis Services model.
- Semantic models based on a live connection to a Power BI semantic model in another workspace.
- Semantic models that push data by using the REST API.
- Semantic models in My Workspace.
- Excel workbook semantic models.
Managing a Power BI POP
Power BI POPs allow users granular control over access and authorization. This section details how to create and configure a Power BI POP, allowing you to seamlessly manage Policies. From establishing connections to testing configurations, see the following steps to enable secure and efficient policy management. You can learn how to create a Power BI POP in Managing POPs and how to switch between modes in Orchestration Workspace.
Power BI Connection Settings
General Connection Settings
| Connection Field | Description |
|---|---|
| Authentication Method | Defaults to `service_principal`, which is required for Power BI integration. |
| Client ID | The Application (Client) ID as defined in Power BI. |
| Client Secret | The Application Secret as defined in Power BI. |
| Tenant | The Azure AD Tenant ID used to connect to Power BI. |
| Discovery Scope Rule | (Optional) Defines which Policies can be discovered or managed, based on Workspaces or Datasets. If not defined, discovery will be based on user permissions. See details below. |
Discovery Scope Rule Fields
Used within the Discovery Scope Rule to customize which Workspaces or Datasets are included in Discovery.
| Connection Field | Description |
|---|---|
| Hierarchy Scope Key | Specifies what to base Discovery on: `workspace` or `dataset`. |
| Operator | Comparison logic used for filtering. Supported values: `IN`, `NOT_IN`, `EQUALS`, `NOTEQUALS`. |
| Value | List of Workspace or Dataset names. For Datasets, use the format `["workspaceName.datasetName"]`. Avoid renaming these in Power BI if they are referenced in the rule. |
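As an added example (not the product's own discovery logic), the following Python models how a Discovery Scope Rule and the Write-permission requirement described earlier narrow what a Power BI POP discovers. The rule semantics are assumptions read from the fields table: `IN`/`NOT_IN` test membership in the Value list, `EQUALS`/`NOTEQUALS` are taken to compare against a single value, and the `Dataset` class, `discover` function and sample inventory are constructed here.

```python
"""Discovery Scope Rule evaluator over a constructed Power BI inventory (added example;
the rule semantics are assumptions drawn from the fields table, see the lead-in)."""
from dataclasses import dataclass

OPERATORS = {"IN", "NOT_IN", "EQUALS", "NOTEQUALS"}

@dataclass(frozen=True)
class Dataset:
    workspace: str
    name: str
    sp_access: str  # right the service principal holds on the dataset: "View" or "Write"

    @property
    def qualified(self) -> str:
        return f"{self.workspace}.{self.name}"  # the "workspaceName.datasetName" form

def rule_matches(rule: dict, ds: Dataset) -> bool:
    """Apply one rule to one dataset. IN/NOT_IN test membership in the Value list;
    EQUALS/NOTEQUALS are assumed to compare against a single-item Value."""
    op = rule["operator"]
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    subject = ds.workspace if rule["hierarchy_scope_key"] == "workspace" else ds.qualified
    values = list(rule["value"])
    if op in ("EQUALS", "NOTEQUALS") and len(values) != 1:
        raise ValueError(f"{op} expects exactly one value, got {len(values)}")
    hit = subject in values
    return hit if op in ("IN", "EQUALS") else not hit

def discover(inventory, rule=None):
    """Qualified names of datasets the POP would discover: Write-only, then rule-filtered.
    With no rule, every dataset the service principal can write is discovered."""
    found = []
    for ds in inventory:
        if ds.sp_access != "Write":  # View-only datasets connect fine but are never discovered
            continue
        if rule is None or rule_matches(rule, ds):
            found.append(ds.qualified)
    return found

# Constructed sample inventory, not data from a real tenant.
INVENTORY = [
    Dataset("Finance", "Ledger", "Write"),
    Dataset("Finance", "Forecast", "View"),
    Dataset("Sales", "Pipeline", "Write"),
    Dataset("HR", "Headcount", "Write"),
]
```

Running `discover(INVENTORY)` with no rule returns only the three Write datasets, which is the quickest way to confirm that a dataset missing from discovery is a permission problem rather than a rule problem.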
- For defining a service principal, refer to the following Power BI documentation:
  - Roles in workspaces in Power BI
  - Dataset permissions