Power BI Setup
    • 05 Jan 2025

    Integrating Power BI (formerly Azure AD) Policy Orchestration Points (POPs) allows organizations to enforce tailored Authorization Policies within their Environments. This section outlines the prerequisites for setting up Power BI POPs and provides detailed instructions for creating and managing them, ensuring seamless integration and Policy enforcement.

    The following requirements and instructions support and manage SaaS Authorization Management for Power BI.

    Microsoft Entra ID Prerequisites

    Ensure that you have a Microsoft Entra ID Tenant connected to Power BI, a Service Principal Application, and a Client ID and Client Secret as defined in the App definition.

    Managing Applications

    To create and manage Applications:

    1. In Microsoft Entra ID, create a new Application with Workspace.Read.All API Permissions.
    2. In the Application's API permissions, grant approval for Group.Read.All or GroupMember.Read.All.
    3. Create a security group named "PowerBIOrchestration" and connect it to the Service Principal Application.

    If you already have an Application set up, modify the following permissions in Microsoft Entra ID:

    1. Set the Service Principal Application with the Workspace.Read.All scope.
    2. Grant Microsoft Graph Application permission to GroupMember.Read.All or Group.Read.All.

    Power BI Prerequisites

    Granting Access Permissions to Applications

    Ensure that Applications have the required permissions to access the relevant Workspaces or Datasets. You can grant Write access either manually or through automation, using the following methods:

    Method 1 - Manual Access

    • Grant the Service Principal Viewer access to each relevant Power BI Workspace.
    • Grant the Service Principal Write access to each relevant Dataset.

    Steps to manually grant Write permissions in Power BI:

    1. Select the workspace to view its items.
    2. Assign the Viewer role to the Service Principal for the relevant Workspace.
    3. In the Workspace, click Manage Access.
    4. Select the Application (represented as the Service Principal) and assign the Viewer role.
    5. For the relevant Dataset, assign the Write role to the Service Principal.

    Method 2 - Automated Write Access

    • Grant the Service Principal Viewer access to each relevant Power BI Workspace.
    • Automate Write access for each relevant Dataset using a script.
      • This approach is useful if you want to avoid assigning member access at the Workspace level and prefer automation for new Datasets.

    Method 3 - Assigning Member Permissions

    • Assign Member access to the Service Principal at the Workspace level. This automatically grants Write access permissions to all existing and future Datasets, eliminating the need for manual assignment.

    Setting Permissions

    1. Select the workspace and choose the relevant Semantic Model.
    2. Click the three dots next to the model name and select Manage Permissions.
    3. Select the Application (Service Principal) and assign the necessary permissions.

    Important

    You can only discover Datasets where the Service Principal has Write permissions. If a Dataset has only View permissions, the connection will be successful, but the Dataset won’t be discovered for related policies.

    Admin Portal Configuration

    1. Open your Power BI Workspace.
    2. On the top right, click the Settings icon.
    3. Click on Admin portal.
    4. In the left side-panel, click on Tenant settings.
    5. In the Developer settings, enable Allow service principals to use Power BI APIs.
      • Select the security groups connected to the Service Principal Application created earlier.
        • Example: “PowerBIOrchestration”
    6. In the Integration settings, enable Allow XMLA endpoints and Analyze in Excel with on-premises datasets.
      • Select the security groups connected to the Service Principal Application created earlier.
        • Example: “PowerBIOrchestration”
    7. Click Apply.
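
    The Entra ID, Workspace access and tenant-setting prerequisites above can be checked from outside the Platform before a POP is created. The script below is an added example, not part of the original article or the vendor's tooling: it requests a client-credentials token for the Service Principal and lists the Workspaces it can see. The environment variable names are hypothetical, and reading a non-200 answer from Power BI as a tenant-setting problem is an assumption.

```python
import json, os
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GROUPS_URL = "https://api.powerbi.com/v1.0/myorg/groups"
SCOPE = "https://analysis.windows.net/powerbi/api/.default"

def http_json(req):
    """Return (status, parsed JSON body or {}) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw or b"{}")
    except ValueError:
        return status, {}

def diagnose(token_status, token_body, groups_status=None, groups_body=None):
    """Map the two responses to the prerequisite that most likely failed."""
    if token_status != 200:
        return ("entra", "Token request rejected (%s): check Tenant, Client ID "
                "and Client Secret" % token_body.get("error", "unknown"))
    if groups_status != 200:  # assumption: valid token but Power BI refuses it
        return ("tenant-setting", "HTTP %s from Power BI: check 'Allow service "
                "principals to use Power BI APIs' and the security group" % groups_status)
    names = sorted(g["name"] for g in groups_body.get("value", []))
    if not names:
        return ("workspace-access", "No Workspaces visible: grant the Service "
                "Principal a role on each relevant Workspace")
    return ("ok", "Visible Workspaces: " + ", ".join(names))

def check(tenant, client_id, client_secret):
    """Run the token request, then the Workspace listing, and diagnose both."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": SCOPE}).encode()
    t_status, t_body = http_json(urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=form))
    if t_status != 200:
        return diagnose(t_status, t_body)
    req = urllib.request.Request(
        GROUPS_URL, headers={"Authorization": "Bearer " + t_body["access_token"]})
    return diagnose(t_status, t_body, *http_json(req))

if __name__ == "__main__":
    # Hypothetical variable names; keep the secret out of the script and shell history.
    env = os.environ
    print(check(env["PBI_TENANT_ID"], env["PBI_CLIENT_ID"], env["PBI_CLIENT_SECRET"]))
```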

    Premium Per User Settings

    Ensure that your Power BI Workspace is set to Premium Per User. You can locate this setting in the Power BI Workspace Settings.

    1. In the left side-panel, click on Premium Per User settings and select the relevant workspace.
    2. In the XMLA Endpoint dropdown, select Read Write.
    3. Click Apply.

    Important

    When working in Learn Mode, the Premium Per User XMLA Endpoint can be set to Read. However, when working in Manage Mode, the XMLA Endpoint must be set to Read Write. Check out the Learn and Manage Modes article for more information.

    Setting up Capacity Settings

    1. In the left side panel, click on Capacity settings.
    2. Choose the capacity you need according to your capacity configuration (Power BI Workload, Capacity Usage Report, etc.).
    3. Select the relevant workspace and expand Power BI workloads.
    4. In Power BI Workloads, locate the XMLA Endpoint dropdown and select Read Write.
    5. Click Apply.

    Note: Your capacity may be predefined according to your Power BI license.

    Important

    The option chosen in the XMLA Endpoint in the Capacity Settings overrides the XMLA Endpoint set in the Premium Per User settings.

    Licenses and XMLA Endpoints

    Adjusting the XMLA endpoint at the Capacity Settings level may also override the Workspace license setting and change it to Trial. If you remove the Capacity Name from the Capacity Settings in the Trial section, the Workspace license will switch to Pro, which does not have permissions to change XMLA endpoints. Workspaces cannot be discovered or deployed if using a Pro license.

    All Policy Orchestration Points are listed on the Orchestration Workspace. Next to the name of each POP is the vendor icon. To create a POP, you will need the following information:

    • Authentication Method: this will be set to Service Principal
    • Client ID

    Managing a Power BI POP

    Power BI POPs allow users granular control over access and authorization. This section details how to create and configure a Power BI POP, allowing you to seamlessly manage Policies. From establishing connections to testing configurations, see the following steps to enable secure and efficient policy management.

    Creating a Power BI POP

    We recommend creating a separate Power BI POP for each Power BI Workspace you wish to manage Policies for.

    To create a Power BI Policy Orchestration Point (POP):

    1. In the Orchestration Workspace, click Add Policy Orchestration Point. The Select Vendor side panel opens.

    2. Click on the Power BI logo to select Power BI.

    3. In the General section:

      • Enter the Display Name. Note that this name must be unique within the Environment.
      • Enter the Description (optional).
    4. In the Associated Workspaces section, use the down arrow to access and select the Identity Workspace (required) and the Authorization Workspace (required) in which you want to manage the relevant objects discovered from the Power BI tenant.

      • We recommend generating a designated Authorization Workspace to manage your Power BI Policies.
    5. In the Connection Settings section, configure the values to connect the POP defined in the Authorization Platform to Power BI:

      • Authentication Method: by default, this will be set to Service Principal
      • Tenant: the Tenant ID that Power BI will connect to
      • Client ID: as defined in Power BI
      • Client Secret: as defined in Power BI
      • Discovery Scope (optional): defines which Policies can be discovered or managed based on Workspaces or Datasets.
        • When defining a Discovery Scope based on Workspaces, input a valid Workspace name.
        • When defining a Discovery Scope based on Datasets, input a valid Workspace and Dataset name. E.g. ["workspaceName.datasetName"]
        • Avoid changing Workspace or Dataset Names in Power BI if they are used in a Discovery Scope Rule.
        • If a Discovery Scope is not defined, Policies discovered will be based on user permissions.
    6. Click Test Connection to test that the Platform can connect successfully.

    Note: If the Connection fails, verify that all of the values are correct and that all other requirements and permissions have been configured correctly in the target system. Then, test the connection again.

    7. Click Create. The POP is created, automatically assigned a POP ID, and added to the list of existing POPs.

    During the creation of the POP, an initial discovery process takes place. Objects found in the third-party vendor are translated and populated in the Platform Workspaces. After discovery, the full path is used as the display name for the discovered tables on the Objects tab.
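
    The Discovery Scope in step 5 refers to Workspaces and Datasets by name, so a rename in Power BI silently breaks a rule. The check below is an added example, not part of the original article or the Platform: it compares scope entries with a current inventory of names and flags entries that no longer resolve. The inventory and scope values are constructed, exact case-sensitive matching is assumed, and because this page does not say how the Platform splits names that contain dots, such entries are reported as ambiguous instead of guessed.

```python
import json

def resolve_scope(scope_json, inventory):
    """Classify each Discovery Scope entry against the current inventory.

    inventory maps Workspace name -> set of Dataset names, for example built
    from a Workspace/Dataset listing taken with the Service Principal.
    """
    entries = json.loads(scope_json)
    if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
        raise ValueError("Discovery Scope must be a JSON array of strings")
    report = {}
    for entry in entries:
        matches = []
        if entry in inventory:
            matches.append("workspace")
        # Names may themselves contain dots, so try every split point.
        for i, ch in enumerate(entry):
            if ch == "." and entry[i + 1:] in inventory.get(entry[:i], ()):
                matches.append("dataset")
        if not matches:
            report[entry] = "unresolved"   # renamed, deleted or not visible
        elif len(matches) > 1:
            report[entry] = "ambiguous"    # fits more than one Workspace/Dataset
        else:
            report[entry] = matches[0]
    return report

# Constructed sample data, not taken from a real tenant.
INVENTORY = {
    "Finance": {"Ledger", "Forecast.v2"},
    "Sales.EU": {"Pipeline"},
    "Sales": {"EU"},
}
SCOPE = '["Finance", "Finance.Forecast.v2", "Sales.EU", "Finance.Budget"]'

if __name__ == "__main__":
    for name, state in resolve_scope(SCOPE, INVENTORY).items():
        print(f"{state:<11} {name}")
```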

    For more details, see Microsoft Power BI.

    Switching between Modes

    In the Orchestration Workspace, you can work in Learn mode or in Manage mode. For more information, see Learn and Managed Modes.

    To switch between Learn and Manage Mode:

    1. In the Orchestration Workspace, locate the POP for which you want to switch modes. Click the three vertical dots and select Settings. A side panel opens with the POP Details displayed.
    2. In the Orchestration Settings area, select the Mode. Options are Learn or Manage.
    3. After changing the mode, click Save.

    After changing the mode, you should test the connection by clicking the Test Connection button.

