💡Power BI Service Principal
Creation and Configuration - step by step
Adding your own "Power BI Service Principal" provides several benefits. First, it allows reports to be embedded for audiences without Power BI Pro licenses, such as those using User Pass, Mobile ID, or Azure AD without a Pro license. Additionally, the Service Principal can act as a fallback when an Azure AD user does not have access to a workspace, allowing embedding through the Service Principal. Moreover, numerous features within the system rely on the Service Principal to operate.
Add Power BI Service Principal
To create your own Service Principal, follow the steps outlined in the Microsoft documentation. Then, to add the Service Principal to DataCentral, perform all the steps below in the specified order.
You will need one of the following roles within Azure to create an app registration.
Application Administrator
Cloud Application Administrator
Global Administrator
Step-by-step guide:
Azure Portal
Embed Power BI content with Service Principal and an application secret
Create a Microsoft Entra app
In the Azure portal, create a Microsoft Entra app
Sign in to the Azure portal
Search for and select App registrations
Select "New registration"
Fill in the required information
Name - Enter a name for your application
Supported account types - Select supported account types
(optional) Redirect URI - Enter a URI if needed
Select Register
After you register your app, the Application (client) ID is available from the Overview tab. Copy and save the Application (client) ID for later use.
Select Manage, then Certificates & secrets
Select New client secret
In the Add a client secret window, enter a description, specify when you want the client secret to expire, and select Add.
Copy and save the client secret value.
Select Manage, then API Permissions, make sure your Service Principal has these API permissions, and then select 'Grant admin consent'.
Power BI Service (Delegated):
Enable the Power BI service admin settings
For a Microsoft Entra app to access the Power BI content and APIs, a Power BI admin needs to enable the following settings:
Embed content in apps
Allow service principals to use Power BI APIs
In the Power BI Admin portal, go to Tenant settings, and scroll down to Developer settings.
Enable Embed content in apps either for the entire organization or for the specific security group you created in Microsoft Entra ID.
Enable Allow service principals to use Power BI APIs either for the entire organization.
Power BI Service
Add your Service Principal as an administrator to the workspaces you plan to embed within your tenant or use with your tenant's features. The minimum permission level assignable to the Service Principal is 'member'.
Sign in to the Power BI environment where you intend to use the Power BI Service Principal.
Important: Your service principal must have, at a minimum, 'member' permissions in the workspace to which you are adding it.
Find the workspace and select Manage access.
Add your Power BI Service Principal to the workspace either as admin or member.
DataCentral tenant
Authenticate to your tenant.
Under Administration Settings -> Azure Configurations input the values collected from Azure Portal for your Service Principal.
Directory (tenant) ID
Application (client) ID
Client Secret
If you check the box "Only use Service Principal to manage items and workspaces in tenant" in Azure Configurations, you will only see workspaces your Service Principal(s) have access to. If the box is unchecked, normal workspace management will occur through your Azure AD user.
If you enable "Only use Service Principal to manage items and workspaces in tenant", you can test your Service Principal. Navigate to Power BI Items and select Manage workspaces.
If the steps were followed correctly, you should now be able to embed reports from the workspace(s) in your tenant.
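To confirm the setup outside DataCentral, the added example below (not part of the original guide, and not DataCentral or Microsoft code) requests a token with the client-credentials grant and lists the workspaces the Service Principal can see through the Power BI REST API. The environment variable names and the sample response are assumptions made for this example.

```python
import json
import os
import urllib.parse
import urllib.request

POWER_BI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"
GROUPS_URL = "https://api.powerbi.com/v1.0/myorg/groups"
SAMPLE_GROUPS = {"value": [{"id": "sample-1", "name": "Sales"},  # constructed data
                           {"id": "sample-2", "name": "Finance"}]}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client-credentials grant."""
    tenant = urllib.parse.quote(tenant_id, safe="")
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": POWER_BI_SCOPE,
    }).encode()
    return url, body


def workspace_names(groups_response):
    """Names of the workspaces the calling identity can see."""
    return sorted(g["name"] for g in groups_response.get("value", []))


def missing_workspaces(groups_response, expected):
    """Workspaces you plan to embed that the service principal cannot see."""
    return sorted(set(expected) - set(workspace_names(groups_response)))


def fetch_json(url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    env = os.environ  # assumed variable names; the secret stays out of the code
    url, body = build_token_request(
        env["PBI_TENANT_ID"], env["PBI_CLIENT_ID"], env["PBI_CLIENT_SECRET"])
    token = fetch_json(url, data=body)["access_token"]
    groups = fetch_json(GROUPS_URL, headers={"Authorization": f"Bearer {token}"})
    expected = [w for w in env.get("PBI_EXPECTED_WORKSPACES", "").split(",") if w]
    print("visible:", workspace_names(groups))
    print("missing:", missing_workspaces(groups, expected))
```

A workspace reported as missing means the Service Principal has not been added to it as admin or member.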