🔒Authentication Service Principal
Creation and Configuration - step by step
Last updated
Adding your own "Authentication Service Principal" in DataCentral simplifies user and security management, reduces IT overhead, ensures compliance, and enhances the user experience by allowing access with familiar Microsoft credentials.
In DataCentral host settings, you can configure three Authentication Service Principals with different permissions, which Azure AD users must accept on their first login. This enables tenants to authenticate users with varying permission levels.
In this guide we will set up three authentication service principals:
Authentication only
Authentication + Power BI resource access
Authentication + Power BI and security group resource access
Permission matrix for 'Authentication Service Principal'.
The primary goal of the "Authentication App Registration" is to verify the identities of users accessing the DataCentral system.
Additionally, it fulfils a dual-purpose role:
Firstly, it allows users to gain access to their Power BI entities through DataCentral.
Secondly, it enables administrators to manage and organize security groups within Entra ID for which they are designated as "owners."
Prerequisites
Active Azure account and subscription
Administrative permissions in the Azure Portal
Go to your Azure Portal and register a new App Registration in Microsoft Entra ID.
Choose "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)"
Put in your "Redirect URI" for Single-page application (SPA)
Go to "Authentication Settings" and add additional "Redirect URIs" if needed.
Go to "API Permissions" and add necessary permissions.
Authentication only
Permissions for the first authentication service principal:
Authentication + Power BI resource access
Permissions for the second authentication service principal: All permissions above + delegated permissions for accessing user Power BI entities.
Authentication + Power BI and security group resource access
Permissions for the third authentication service principal: All permissions above + delegated permissions for administering the security groups the user owns:
The following permissions require either 'Grant admin consent' or approval from an admin in the relevant Azure tenant through the authentication process.
'Granting admin consent' will accept these permissions on behalf of all internal users in your Entra ID. When external Azure AD users log in for the first time, they will have to accept these permissions, and if they are an admin, they can also 'Grant admin consent' for their own Entra ID.
Go to "Overview" and get the "Application (client) ID" that will be used later on.
Go to "Branding & properties" and fill in this information.
"Upload new logo": Upload relevant logo (optional)
"Home page URL": Enter a URL to your Home page (optional)
"Terms of service URL": Enter a URL to your Terms of Service (optional)
"Privacy statement URL" : Enter a URL to your privacy statement (optional)
"Publisher verification": Enter your partner ID to verify the application (mandatory)
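The portal steps above can also be scripted. The following is an added example written for this page with the Microsoft Graph PowerShell SDK; it is not DataCentral's own tooling. It creates the three app registrations with the cumulative delegated permission sets described above, resolving each scope name to its ID from the resource API's service principal instead of hard-coding GUIDs, so a mistyped scope name fails instead of silently producing an app with the wrong permissions. Assumed values: the display names, the redirect URI and the branding URLs are placeholders; the two resource application IDs are Microsoft's fixed IDs for Microsoft Graph and the Power BI Service; the group scope is spelled `GroupMember.ReadWrite.All`, which is the name Microsoft Graph uses for the permission the page lists as "Group.Member.ReadWrite.All".

```powershell
# Added example, not DataCentral code. Requires the Microsoft.Graph module and an
# account allowed to create app registrations in the tenant.
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

# Placeholders: replace with your DataCentral SPA redirect URI and branding URLs.
$redirectUri = "https://datacentral.example.com/auth/callback"
$homePageUrl = "https://datacentral.example.com"
$termsUrl    = "https://datacentral.example.com/terms"
$privacyUrl  = "https://datacentral.example.com/privacy"

# Well-known application IDs of the resource APIs (fixed, Microsoft-owned values).
$graphAppId   = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
$powerBiAppId = "00000009-0000-0000-c000-000000000000"   # Power BI Service

# Delegated scopes per tier. Each tier is a superset of the previous one.
$powerBiScopes = @("App.Read.All", "Dashboard.Read.All", "Dataset.Read.All",
                   "Dataset.ReadWrite.All", "Report.Read.All",
                   "Report.ReadWrite.All", "Workspace.Read.All")
$groupScopes   = @("Group.Read.All", "GroupMember.ReadWrite.All")

$tiers = [ordered]@{
    "DataCentral Auth"                     = @{ $graphAppId = @("User.Read") }
    "DataCentral Auth + Power BI"          = @{ $graphAppId = @("User.Read"); $powerBiAppId = $powerBiScopes }
    "DataCentral Auth + Power BI + Groups" = @{ $graphAppId = @("User.Read") + $groupScopes; $powerBiAppId = $powerBiScopes }
}

# Look up the scope IDs on the resource's service principal. Throws if the
# resource is not present in the tenant or a scope name does not exist.
function Resolve-DelegatedScopes {
    param([string]$ResourceAppId, [string[]]$ScopeNames)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $sp) { throw "Resource service principal $ResourceAppId is not present in this tenant" }
    $access = foreach ($name in $ScopeNames) {
        $scope = $sp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
        if (-not $scope) { throw "Delegated scope '$name' not found on $($sp.DisplayName)" }
        @{ Id = $scope.Id; Type = "Scope" }   # Type "Scope" marks a delegated permission
    }
    return @{ ResourceAppId = $ResourceAppId; ResourceAccess = @($access) }
}

foreach ($displayName in $tiers.Keys) {
    $required = foreach ($resourceAppId in $tiers[$displayName].Keys) {
        Resolve-DelegatedScopes -ResourceAppId $resourceAppId -ScopeNames $tiers[$displayName][$resourceAppId]
    }
    $params = @{
        DisplayName            = $displayName
        # "Accounts in any organizational directory (Multitenant)" in the portal
        SignInAudience         = "AzureADMultipleOrgs"
        Spa                    = @{ RedirectUris = @($redirectUri) }
        Web                    = @{ HomePageUrl = $homePageUrl }
        Info                   = @{ TermsOfServiceUrl = $termsUrl; PrivacyStatementUrl = $privacyUrl }
        RequiredResourceAccess = @($required)
    }
    $app = New-MgApplication @params
    # This value goes into DataCentral host settings under
    # Administration Settings -> Azure Configurations.
    "{0}: Application (client) ID = {1}" -f $displayName, $app.AppId
}
```

Publisher verification is not set by this script; that step is still done in the portal as described above. The script only declares the required permissions on the app registration; nothing is consented until an admin grants consent or a user accepts the prompt on first login.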
Under 'Administration Settings' -> 'Azure Configurations' in your host instance, enter the 'Application (client) ID' collected from the Azure Portal for each of your Authentication Service Principals.
There are three available authentication input fields:
Authentication and resource access application (client) ID
Authentication + Power BI resource access application (client) ID
Authentication + Power BI and security group resource access application (client) ID
After configuring your host instance, go to one of your tenants; under 'Administration Settings -> Security' you can control which authentication your Azure AD users will authenticate against.
The choices available are linked to the authentication service principal configured in the host instance:
Authentication only
Authentication + Power BI resource access
Authentication + Power BI and security group resource access
Authentication only service principal
This authentication method ensures that you request only the minimum necessary permissions for users in the tenant.
The 'User.Read' permission allows the application to access basic profile information of the signed-in Azure AD user, such as their name, email, and tenant details. This is essential for personalizing user experiences, displaying relevant account details, and ensuring that the correct user is authenticated within the app.
Because we are not requesting any permissions for Power BI or security groups here, we will have to use a Power BI Service Principal to embed reports for this tenant.
On first login, the AAD user only has to accept one permission (User.Read):
Authentication + Power BI resource access
This authentication method ensures that you request the same permissions for authentication as well as additional permissions for the Power BI entities the AAD user has access to within their organization or your company.
With these permissions granted, your AAD users can use their own Power BI Pro licenses to embed reports without requiring a Power BI Service Principal. However, they must have access to the workspace they are embedding from; otherwise, the process will default to the configured Power BI Service Principal.
On first login, the AAD user has to accept these permissions:
Authentication + Power BI and security group resource access
This authentication method ensures that you request the same permissions as above, with the additional requirement of permissions related to security groups in your Entra ID.
By accepting these permissions, you can use 'Entra ID Management,' which allows your administrative AAD users to manage and organize the security groups they are designated as 'owners' of within Entra ID and add users to these groups through DataCentral.
On first login, the AAD user has to accept these permissions:
API Permission | Authentication only | + Power BI | + security group |
---|---|---|---|
User.Read | ✓ | ✓ | ✓ |
App.Read.All | | ✓ | ✓ |
Dashboard.Read.All | | ✓ | ✓ |
Dataset.Read.All | | ✓ | ✓ |
Dataset.ReadWrite.All | | ✓ | ✓ |
Report.Read.All | | ✓ | ✓ |
Report.ReadWrite.All | | ✓ | ✓ |
Workspace.Read.All | | ✓ | ✓ |
Group.Read.All | | | ✓ |
Group.Member.ReadWrite.All | | | ✓ |
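To check what has actually been consented in a given tenant against the matrix above, the following added example (written for this page, not DataCentral tooling) reads the delegated permission grants recorded for each authentication app's service principal and reports missing and unexpected scopes per tier. It distinguishes tenant-wide admin consent from per-user consent, which matters for the 'Grant admin consent' behaviour described earlier: a scope granted only per user will still prompt other users on their first login. Assumptions: the three client IDs are placeholders to be replaced with the values from the Azure Portal; the group scope is spelled `GroupMember.ReadWrite.All`, the name Microsoft Graph uses for the permission the matrix lists as "Group.Member.ReadWrite.All".

```powershell
# Added example, not DataCentral code. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.Read.All" -NoWelcome

# Placeholders: the Application (client) IDs of the three authentication apps.
$clientIds = [ordered]@{
    "Authentication only" = "<client-id-authentication-only>"
    "+ Power BI"          = "<client-id-power-bi>"
    "+ security group"    = "<client-id-security-group>"
}

# Expected cumulative delegated scopes per tier, from the permission matrix.
$powerBiScopes = @("App.Read.All", "Dashboard.Read.All", "Dataset.Read.All",
                   "Dataset.ReadWrite.All", "Report.Read.All",
                   "Report.ReadWrite.All", "Workspace.Read.All")
$expected = [ordered]@{
    "Authentication only" = @("User.Read")
    "+ Power BI"          = @("User.Read") + $powerBiScopes
    "+ security group"    = @("User.Read") + $powerBiScopes + @("Group.Read.All", "GroupMember.ReadWrite.All")
}

foreach ($tier in $clientIds.Keys) {
    # The app's service principal only exists in this tenant once someone has
    # consented (admin or first user sign-in); no SP means nothing is granted yet.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($clientIds[$tier])'"
    if (-not $sp) {
        [pscustomobject]@{ Tier = $tier; Status = "no service principal (not yet consented)" }
        continue
    }

    # One grant object per (resource, consent type, principal); Scope is a
    # space-separated list. AllPrincipals = admin consent, Principal = one user.
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
    $adminScopes = @($grants | Where-Object { $_.ConsentType -eq "AllPrincipals" } |
                     ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ })
    $userScopes  = @($grants | Where-Object { $_.ConsentType -eq "Principal" } |
                     ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ })
    $granted     = @($adminScopes + $userScopes | Sort-Object -Unique)

    # Missing scopes will keep prompting users; unexpected scopes mean the app
    # was consented for more than its tier requires and should be reviewed.
    $missing    = @($expected[$tier] | Where-Object { $_ -notin $granted })
    $unexpected = @($granted | Where-Object { $_ -notin $expected[$tier] })

    [pscustomobject]@{
        Tier            = $tier
        AdminConsented  = ($adminScopes | Sort-Object -Unique) -join " "
        UserOnly        = ($userScopes | Where-Object { $_ -notin $adminScopes } | Sort-Object -Unique) -join " "
        Missing         = $missing -join " "
        Unexpected      = $unexpected -join " "
    }
}
```

Run this in each tenant you expect users from, since consent is recorded per tenant: an external tenant whose admin has not granted consent will show scopes under UserOnly for the users who have already signed in, and nothing at all before the first login.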