# Authentication Service Principal

Adding your own "*Authentication Service Principal*" in DataCentral simplifies user and security management, reduces IT overhead, ensures compliance, and enhances the user experience by allowing access with familiar Microsoft credentials.

In DataCentral host settings, you can configure three Authentication Service Principals with different permissions, which Azure AD users must accept on their first login. This enables tenants to authenticate users with varying permission levels.

In this guide we will set up three authentication service principals:

1. Authentication only
2. Authentication + Power BI resource access
3. Authentication + Power BI and security group resource access

<figure><img src="/files/gQ5OHQBiK0Q5jvQe9yPD" alt=""><figcaption><p>Authentication from lower to higher permissions</p></figcaption></figure>

Permission matrix for the three '*Authentication Service Principals*' (delegated permissions):

| API Permission | Authentication only | + Power BI | + security group |
| --- | :---: | :---: | :---: |
| User.Read | yes | yes | yes |
| App.Read.All | no | yes | yes |
| Dashboard.Read.All | no | yes | yes |
| Dataset.Read.All | no | yes | yes |
| Dataset.ReadWrite.All | no | yes | yes |
| Report.Read.All | no | yes | yes |
| Report.ReadWrite.All | no | yes | yes |
| Workspace.Read.All | no | yes | yes |
| Group.Read.All | no | no | yes |
| GroupMember.ReadWrite.All | no | no | yes |

### Authentication Service Principal - step by step

The primary goal of the "*Authentication App Registration*" is to verify the identities of users accessing the DataCentral system.

Additionally, it fulfils a dual-purpose role:

* Firstly, it allows users to gain access to their Power BI entities through DataCentral.
* Secondly, it enables administrators to manage and organize security groups within Entra ID for which they are designated as "owners."

**Prerequisites**

* Active Azure account and subscription
* Administrative permissions in the Azure Portal

1. Go to your [Azure Portal](https://ms.portal.azure.com/#allservices) and register a new App Registration in Microsoft Entra ID.

   * Choose "*Accounts in any organizational directory (any Microsoft Entra ID tenant Multitenant)*"
   * Enter your "*Redirect URI*" under Single-page application (SPA)

   <figure><img src="/files/RmlBw77my8RkZfQCHHVY" alt=""><figcaption><p>Location "App Registration"</p></figcaption></figure>

   <figure><img src="/files/P5hdK6TMUZScV4GaAVDM" alt=""><figcaption><p>Properties for new application</p></figcaption></figure>

2. Go to "*Authentication Settings*" and add additional "*Redirect URIs*" if needed.

   <figure><img src="/files/R6f35ktBT8OQyzMLS3PN" alt=""><figcaption><p>Optional additional "Redirect URIs"</p></figcaption></figure>

3. Go to "*API Permissions*" and add the necessary permissions.

**Authentication only**

Permissions for the *first authentication* service principal:

* [x] *User.Read*: Basic profile information about the user who is signing in. This is one of the "low-privilege" permissions needed to use Microsoft's authentication service.
* [x] Optionally "*Grant admin consent*" for your company on the above permissions.

<figure><img src="/files/QHfi311AmxAR17r09M5j" alt=""><figcaption><p>Permissions Authentication Only</p></figcaption></figure>

**Authentication + Power BI resource access**

Permissions for the *second authentication* service principal:\
All permissions above, plus delegated permissions for accessing the user's Power BI entities.

* [x] *App.Read.All*: Permission to read which apps a user has access to within Power BI and information about them. Used to display a user's apps in DataCentral.
* [x] *Dashboard.Read.All*: Permission to read which dashboards a user has access to within Power BI and information about them. Used to display a user's dashboards in DataCentral.
* [x] *Dataset.Read.All*: Permission to read which datasets a user has access to within Power BI and information about them. Used to display a user's datasets in DataCentral.
* [x] *Dataset.ReadWrite.All*: Permission to upload datasets. Used when a user adds a new dataset to their Power BI environment through DataCentral.
* [x] *Report.Read.All*: Permission to read which reports a user has access to within Power BI and information about them. Used to display a user's reports in DataCentral.
* [x] *Report.ReadWrite.All*: Permission to upload (write) a report. Used when a user adds a new report to their Power BI environment through DataCentral.
* [x] *Workspace.Read.All*: Permission to read which workspaces a user has access to within Power BI and information about them. Used to display a user's workspaces in DataCentral.
* [x] Optionally "*Grant admin consent*" for your company on the above permissions.

<figure><img src="/files/2Uf7SCfsLKkOjeWYUvGa" alt=""><figcaption><p>Permission Authentication Power BI</p></figcaption></figure>

**Authentication + Power BI and security group resource access**

Permissions for the *third authentication* service principal:\
All permissions above, plus delegated permissions for administration of the user's **security groups**:

{% hint style="info" %}
The following permissions require either 'Grant admin consent' or approval from an admin in the relevant Azure tenant through the authentication process.
{% endhint %}

* [x] *Group.Read.All*: Permission to read security groups, their details, and which users are members of them. This is necessary to list users in security groups.
* [x] *GroupMember.ReadWrite.All*: Permission to add users to and remove users from security groups. This is necessary for the administration of users in security groups.
* [x] Optionally "*Grant admin consent*" for your company on the above permissions.

<figure><img src="/files/uibrBXCwmmo0UBfaKTnb" alt=""><figcaption><p>Permission Authentication Security Group</p></figcaption></figure>

{% hint style="info" %}
'*Granting admin consent*' will accept these permissions on behalf of all internal users in your Entra ID. When external Azure AD users log in for the first time, they will have to accept these permissions, and if they are an admin, they can also '*Grant admin consent*' for their own Entra ID.
{% endhint %}

4. Go to "*Overview*" and note the "*Application (client) ID*"; it will be used later on.

<figure><img src="/files/oFHuujiSYRv7sGMS7FBP" alt=""><figcaption><p>Location of "Application (client) ID"</p></figcaption></figure>

5. Go to "*Branding & properties*" and fill in this information.
   * "Upload new logo": Upload a relevant logo (optional)
   * "Home page URL": Enter the URL of your home page (optional)
   * "Terms of service URL": Enter the URL of your Terms of Service (optional)
   * "Privacy statement URL": Enter the URL of your privacy statement (optional)
   * "Publisher verification": Enter your partner ID to verify the application **(mandatory)**

<figure><img src="/files/KEgui2Z6Y7wwWPsK7NYE" alt=""><figcaption><p>Publisher verification</p></figcaption></figure>

***

### DataCentral host instance and your tenants

Under '*Administration Settings*' -> '*Azure Configurations*' in your **host instance**, enter the 'Application (client) ID' collected from the Azure Portal for each of your *Authentication Service Principals*.

There are three available authentication input fields:

* Authentication and resource access application (client) ID
* Authentication + Power BI resource access application (client) ID
* Authentication + Power BI and security group resource access application (client) ID

<figure><img src="/files/PKNpj4GHjqh88RwdckCm" alt=""><figcaption><p>Authentication Configurations</p></figcaption></figure>

After configuring your host instance, go to one of your tenants; under '*Administration Settings -> Security*' you can **control** which authentication your Azure AD users will authenticate against.

The choices available are linked to the authentication service principal configured in the host instance:

* Authentication only
* Authentication + Power BI resource access
* Authentication + Power BI and security group resource access

<figure><img src="/files/4lkFfHIsd3tbU8EFhlRZ" alt=""><figcaption><p>Authentication methods</p></figcaption></figure>

***

### Why use different authentication service principals for your tenants?

**Authentication only** service principal

This authentication method ensures that you request only the minimum permissions necessary for users in the tenant.

The 'User.Read' permission allows the application to access basic profile information of the signed-in Azure AD user, such as their name, email, and tenant details. This is essential for personalizing user experiences, displaying relevant account details, and ensuring that the correct user is authenticated within the app.

Because no permissions for Power BI or security groups are requested here, a [Power BI Service Principal](/datacentral-knowledge-center/deployments/power-bi-service-principal.md) must be used to embed reports for this tenant.

On first login, the AAD user only has to accept one permission:

<figure><img src="/files/hghDqdbwhNOiSoc1dtIq" alt=""><figcaption></figcaption></figure>

**Authentication + Power BI resource access**

This authentication method requests the same authentication permissions as above, plus additional permissions for the Power BI entities the AAD user has access to within their organization or your company.

With these permissions granted, your AAD users can use their own Power BI Pro licenses to embed reports without requiring a Power BI Service Principal. However, they must have access to the workspace they are embedding from; otherwise, the process will default to the configured [Power BI Service Principal](/datacentral-knowledge-center/deployments/power-bi-service-principal.md).

On first login, the AAD user has to accept these permissions:

<figure><img src="/files/hRHVlThzSGhWf7hiyFtT" alt=""><figcaption></figcaption></figure>

**Authentication + Power BI and security group resource access**

This authentication method ensures that you request the same permissions as above, with the additional requirement of permissions related to security groups in your Entra ID.

By accepting these permissions, you can use '[Entra ID Management](/datacentral-knowledge-center/product-guides/entra-id-management.md),' which allows your administrative AAD users to manage and organize the security groups of which they are designated 'owners' within Entra ID and add users to these groups through DataCentral.

On first login, the AAD user has to accept these permissions:

<figure><img src="/files/tpOetzVUF5Hb2b62yye7" alt=""><figcaption></figcaption></figure>
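The following is an added example, not DataCentral's own code, that models the three tiers from the permission matrix above and the embedding fallback described for the Power BI tier. It expresses each tier as the delegated scopes a client must request per resource (Microsoft Graph scopes as bare names, Power BI scopes prefixed with the public Power BI API URI) and checks whether the tokens a signed-in user actually holds carry those scopes. The tier keys, the function names, and the sample tokens are assumptions constructed for this example; the payloads are unsigned and decoded for inspection only, since the resource server, not the client, validates token signatures.

```javascript
// Added example (not DataCentral's own code). Tier keys, helper names and the
// sample tokens below are assumptions constructed for illustration.

// Power BI delegated scopes are requested as full URIs; Graph scopes as bare names.
const POWER_BI_SCOPE_PREFIX = "https://analysis.windows.net/powerbi/api/";

const POWER_BI_SCOPES = [
  "App.Read.All", "Dashboard.Read.All", "Dataset.Read.All", "Dataset.ReadWrite.All",
  "Report.Read.All", "Report.ReadWrite.All", "Workspace.Read.All",
];
const GROUP_SCOPES = ["Group.Read.All", "GroupMember.ReadWrite.All"];

// The three Authentication Service Principal tiers, lowest privilege first.
const TIERS = {
  "authentication-only": { graph: ["User.Read"], powerbi: [] },
  "authentication-powerbi": { graph: ["User.Read"], powerbi: POWER_BI_SCOPES },
  "authentication-powerbi-groups": {
    graph: ["User.Read", ...GROUP_SCOPES],
    powerbi: POWER_BI_SCOPES,
  },
};

// Scopes to request for a tier, grouped by resource: one access token only ever
// covers a single resource, so a client requests Graph and Power BI scopes separately.
function requiredScopes(tier) {
  const t = TIERS[tier];
  if (!t) throw new Error(`unknown tier: ${tier}`);
  return { graph: [...t.graph], powerbi: t.powerbi.map((s) => POWER_BI_SCOPE_PREFIX + s) };
}

// base64url helpers (no padding, URL-safe alphabet) without relying on newer Node encodings.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Decode a JWT payload for inspection only. This does NOT verify the signature;
// Graph and Power BI verify the tokens they receive, this only drives client-side decisions.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Delegated scopes granted to a token are listed in its space-separated `scp` claim.
function grantedScopes(payload) {
  return new Set((payload.scp || "").split(" ").filter(Boolean));
}

// Compare what a tier needs with what the user's tokens carry.
// tokens = { graph: <jwt string>, powerbi: <jwt string or null> }
function missingScopes(tier, tokens) {
  const t = TIERS[tier];
  if (!t) throw new Error(`unknown tier: ${tier}`);
  const graphGranted = tokens.graph ? grantedScopes(decodeJwtPayload(tokens.graph)) : new Set();
  const pbiGranted = tokens.powerbi ? grantedScopes(decodeJwtPayload(tokens.powerbi)) : new Set();
  return {
    graph: t.graph.filter((s) => !graphGranted.has(s)),
    powerbi: t.powerbi.filter((s) => !pbiGranted.has(s)),
  };
}

// Embedding decision: use the user's own delegated Power BI permissions only when the
// tier grants them and the token really carries them; otherwise fall back to the
// configured Power BI Service Principal, as the documentation describes.
function embedMode(tier, tokens) {
  if (TIERS[tier].powerbi.length === 0) return "service-principal";
  return missingScopes(tier, tokens).powerbi.length === 0 ? "user-delegated" : "service-principal";
}

// Constructed, unsigned sample tokens: header.payload.<dummy signature>.
function makeSampleToken(payload) {
  return `${b64urlEncode({ alg: "none", typ: "JWT" })}.${b64urlEncode(payload)}.sig`;
}
const SAMPLE_TOKENS = {
  // Graph token consented for User.Read and Group.Read.All but not GroupMember.ReadWrite.All
  graph: makeSampleToken({ aud: "https://graph.microsoft.com", scp: "User.Read Group.Read.All" }),
  powerbi: makeSampleToken({ aud: "https://analysis.windows.net/powerbi/api", scp: POWER_BI_SCOPES.join(" ") }),
};

console.log(requiredScopes("authentication-powerbi-groups"));
console.log(missingScopes("authentication-powerbi-groups", SAMPLE_TOKENS));
console.log(embedMode("authentication-only", SAMPLE_TOKENS), embedMode("authentication-powerbi", SAMPLE_TOKENS));
```

Running the block with Node prints the per-resource scope lists for the highest tier, reports that the constructed Graph token lacks `GroupMember.ReadWrite.All` (the group administration features would be unavailable until that consent is granted), and shows the embedding decision: "service-principal" for the authentication-only tier and "user-delegated" for the Power BI tier whose token carries all seven Power BI scopes.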
