# Power BI Service Principal

Adding your own "*Power BI Service Principal*" provides several benefits. First, it allows reports to be embedded for audiences without Power BI Pro licenses, such as those using User Pass, Mobile ID, or Azure AD without a Pro license. Additionally, the Service Principal can act as a fallback when an Azure AD user does not have access to a workspace, allowing embedding through the Service Principal. Moreover, numerous [features](/datacentral-knowledge-center/product-guides/features.md) within the system rely on the Service Principal for effective operation.

## Add Power BI Service Principal

To create your own Service Principal, follow the steps outlined in the Microsoft documentation. Then, to add the Service Principal to DataCentral, perform all the steps below in the specified order.

You will need one of the following roles within Azure to create an app registration.

* Application Administrator
* Cloud Application Administrator
* Global Administrator

Step-by-step guide:

1. [Azure Portal](#azure-portal)
2. [DataCentral tenant](#datacentral-tenant)
3. [Power BI Service](#power-bi-service)

### Azure Portal

Embed Power BI content with Service Principal and an application secret

* [x] [Create a Microsoft Entra app](#create-a-microsoft-entra-app)
* [x] [Enable the Power BI service admin settings](#enable-the-power-bi-service-admin-settings)

#### Create a Microsoft Entra app

In the Azure portal, create a Microsoft Entra app:

1. Sign in to [Azure portal](https://ms.portal.azure.com/#allservices)

2. Search for and select **App registrations**<br>

   <div align="left"><figure><img src="/files/duEv6eMqHwpBzXLGzSl4" alt=""><figcaption><p>App registration</p></figcaption></figure></div>

3. Select **"New registration"**<br>

   <figure><img src="/files/uTuxYD1QsHQV45CTHG1O" alt=""><figcaption><p>New registration</p></figcaption></figure>

4. Fill in the required information

   * **Name** - Enter a name for your application
   * **Supported account types** - Select supported account types
   * **Redirect URI** - Leave this empty

   <br>

   <figure><img src="/files/pZxUsMJr164TJjCDS2je" alt=""><figcaption></figcaption></figure>

5. Select **Register**

6. After you register your app, the **Application (client) ID** is available from the **Overview** tab. Copy and save the **Application (client) ID** for later use.<br>

   <figure><img src="/files/w5EUfbQQUGqnOtTZXqFZ" alt=""><figcaption><p>Application (client) ID</p></figcaption></figure>

7. Select **Manage** and **Certificates & secrets**<br>

   <figure><img src="/files/zJfpJty2fZctUHrXhvAD" alt=""><figcaption><p>Certificates &#x26; secrets</p></figcaption></figure>

8. Select **New client secret**<br>

   <figure><img src="/files/r2akZdXgrqUHhJ38mkU0" alt=""><figcaption><p>New client secret</p></figcaption></figure>

9. In the **Add a client secret** window, enter a description, specify when you want the client secret to expire (2 years recommended), and select **Add**.

10. Copy and save the client secret value.<br>

    <figure><img src="/files/RFvA1QmG2SfPDTri2Ae5" alt=""><figcaption><p>Client secret value</p></figcaption></figure>
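The client secret created in steps 9 and 10 stops working at its expiry date, and embedding through the Service Principal stops with it. The following is an added example, not part of the DataCentral or Microsoft documentation: it audits the `passwordCredentials` list of an app registration as Microsoft Graph returns it and flags secrets that are expired, close to expiry, or issued for longer than the two-year lifetime recommended above. The sample JSON is constructed, and the `warn_days` and `max_lifetime_days` thresholds are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a Microsoft Graph application object.
# All IDs, names and dates below are made up for illustration.
SAMPLE_APP_JSON = """
{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "datacentral-powerbi-sp (constructed)",
  "passwordCredentials": [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "initial",
     "startDateTime": "2023-01-10T09:00:00Z", "endDateTime": "2025-01-10T09:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "rotated",
     "startDateTime": "2024-12-01T09:00:00Z", "endDateTime": "2026-12-01T09:00:00Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "long-lived",
     "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2034-06-01T00:00:00Z"}
  ]
}
"""

def _parse(ts):
    # Graph timestamps are ISO 8601 UTC and may carry fractional seconds;
    # whole seconds are enough for an expiry check.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_secrets(app, now, warn_days=60, max_lifetime_days=731):
    """Return (keyId, status, days_left) per secret, soonest expiry first."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
        days_left = (end - now).days          # negative once the secret has expired
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "ROTATE_SOON"
        elif (end - start).days > max_lifetime_days:   # 731 = two years incl. a leap day
            status = "LIFETIME_TOO_LONG"
        else:
            status = "OK"
        findings.append((cred["keyId"], status, days_left))
    return sorted(findings, key=lambda f: f[2])

if __name__ == "__main__":
    app = json.loads(SAMPLE_APP_JSON)
    now = datetime(2024, 12, 15, tzinfo=timezone.utc)  # fixed date for a stable demo
    for key_id, status, days in audit_secrets(app, now):
        print(f"{key_id}  {status:18} {days:>5} days")
```

When a secret is rotated, the new value also has to be entered in DataCentral under Azure Configurations, since that is where the client secret is stored.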

#### Enable the Power BI service admin settings

For a Microsoft Entra app to access the Power BI content and APIs, a Power BI admin needs to enable the following settings:

* Embed content in apps
* Allow service principals to use Power BI APIs

In the [**Power BI Admin portal**](https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal), go to **Tenant settings**, and scroll down to **Developer settings**.

* Enable **Embed content in apps** either for the entire organization or for the specific security group you created in Microsoft Entra ID.

<figure><img src="/files/JDDcEecoxoC4N0DMWeS3" alt=""><figcaption><p>Admin Tenant Settings</p></figcaption></figure>

<figure><img src="/files/RCxlco03XnHSQqyHb6Yf" alt=""><figcaption></figcaption></figure>

<p align="center">Alternatively, use Security Groups, but remember to put the Service Principal(s) into that Security Group.</p>

* Enable **Allow service principals to use Power BI APIs** either for the entire organization or for specific Security Groups, as shown in the images below.

<figure><img src="/files/MR4XmvjyaWXP9wzyQFCE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mGTtzuvapojhGh7I02cc" alt=""><figcaption></figcaption></figure>

***

### Power BI Service

Add your Service Principal as a MEMBER or ADMINISTRATOR to the workspaces you plan to embed within your tenant or use with your tenant's features. The minimum permission level assignable to the Service Principal is 'member'.

Sign in to the [Power BI Environment](https://app.powerbi.com/) where you intend to use the Power BI Service Principal.

{% hint style="info" %}
**Important:** Your service principal must have, at a minimum, **'member'** permissions in the workspace to which you are adding it.
{% endhint %}

Find the workspace and select **Manage access**.

<figure><img src="/files/jYym3wgxwq3Xn9dzbsqY" alt=""><figcaption><p>Workspace</p></figcaption></figure>

Add your Power BI Service Principal to the workspace either as **admin** or **member**.

<figure><img src="/files/sfuGWwAnUUtHg31lEc9P" alt=""><figcaption><p>Add member</p></figcaption></figure>

***

### DataCentral tenant

Authenticate to your tenant.

Under Administration Settings -> Azure Configurations, input the values collected from Azure Portal for your Service Principal.

* Directory (tenant) ID
* Application (client) ID
* Client Secret

If you check the box "*Only use Service Principal to manage items and workspaces in tenant*" in Azure Configurations, you will only see workspaces your Service Principal(s) has access to. If the box is unchecked, normal workspace management will occur through your Azure AD user.

<figure><img src="/files/EPlEe73HiCAo6LUUwDvd" alt=""><figcaption><p>Azure Configuration</p></figcaption></figure>

If you enable "*Only use Service Principal to manage items and workspaces in tenant*", you can test your Service Principal. Navigate to **Power BI Items** and select **Manage workspaces.**

<figure><img src="/files/HO5tsWqhhBldPxexPreI" alt=""><figcaption><p>Power BI Items</p></figcaption></figure>

If the steps were followed correctly, you should now be able to embed reports from the workspace(s) in your tenant.

<figure><img src="/files/w30Kyk2DVeNPSWhPYI1h" alt=""><figcaption><p>Workspaces</p></figcaption></figure>


