PowerBI

This documentation describes the settings and permissions required to set up the Datalogz PowerBI Connector.

Datalogz supports connecting to the PowerBI API by Service Principal or Microsoft Admin.

Option 1: Service Principal

The Service Principal is restricted to read-only access to Admin API endpoints for a single PowerBI tenant, and does not require admin consent to be granted by a Microsoft O365 Administrator.

Option 2: Microsoft Admin

The Microsoft Admin is also restricted to read-only access to Admin API endpoints, for all PowerBI tenants registered in Azure Active Directory (AD), but it needs the Tenant.Read.All permission, which requires admin consent to be granted by a Microsoft O365 Administrator.

Instructions

Option 1: Service Principal

  1. Create an Azure AD App Registration

    • Note down the following properties which will be used later:

      • Client ID

      • Tenant ID

  2. Create a new Secret and store this in a secure location to be used later:

    • Client Secret (value)

  3. Create an Azure Security Group

  4. Add the Azure AD App Registration as a Member to the Security Group

  5. Add the Security Group to the PowerBI Tenant Admin Settings

  6. Enable PowerBI REST API permissions for this security group in the tenant admin settings.

  7. Log in to the PowerBI app portal as a PowerBI Service Administrator.

  8. Navigate to the settings in the upper right, and click Admin Portal.

  9. Under Tenant settings, scroll down to Admin API settings and enable the following permissions:

    • Allow service principals to use PowerBI APIs

    • Allow service principals to use read-only admin APIs

  10. Add the Security Group created above to the security groups list

  11. Scroll down to Admin API settings and enable the following permissions:

    • API responses with detailed metadata.

    • API responses with DAX and mashup expressions.

  12. Add the Security Group created above to the security groups list. If other users rely on this setting applying to the entire organization, leave the setting as shown.

  13. Create a second App Registration in Azure for your Datalogz client.

    • Log in to your Azure portal and navigate to Azure App registration

    • Register an Application

    • Add the following redirect URIs

    https://app.your_domain.com/api/v0/oauth/ms/redirect
    https://app.your_domain.com/api/v0/oauth/powerbi/redirect
    • Add the following Read-Only Microsoft Graph API Permissions to login with Microsoft.

    Microsoft Graph (3)
    email
    openid
    User.Read
  14. Log in to https://app.datalogz.io using Microsoft Azure Active Directory.

  15. This user must approve the following API permissions during this authentication process for a successful login and account creation. No admin consent is required for this step.

Microsoft Graph (3)
email
openid
User.Read
  16. After logging in, proceed to create a new PowerBI Connector from the Connectors tab, selecting the Service Principal option. Complete Steps 1 - 4. In step 3 you will select the specific Workspaces you want to assign to this connector.

Once the Service Principal has been provided access to the read-only Admin APIs by following the steps above, the app is able to use the following endpoints documented here.

  17. After you have completed your connector setup, the connector refresh status can be viewed from the Connectors page. After a few minutes the metadata refresh will complete and the Overview and Recommendations tabs will be populated.

  18. Now create a Role and grant read access to this connector. Navigate to Role Settings from the profile menu in the upper-right of your window. Once the role is created and assigned to the connector, new users can be invited and assigned to the role(s) and connectors they should have access to.

  19. To invite users, navigate to User Settings from the profile menu in the upper-right of your window. You can send email invitations to invite users, designating their user type as Admin or Member as described below:

    - Admin: Can create and manage connectors and roles, manage account settings, and view the overview and recommendations.
    - Member: Can manage personal settings and view overview and recommendations.

  20. Navigate back to the Connector page to check on the status of the connector. Once it successfully completes its first run, the Overview and Recommendations views will be populated.

Option 2: Microsoft O365 Global Administrator

  1. Enable PowerBI REST API permissions for this security group in the tenant admin settings.

    • Log in to the PowerBI app portal as a Microsoft 365 Global Administrator.

    • Navigate to the settings in the upper right, and click Admin Portal.

    • Under Tenant settings, scroll down to Admin API settings and enable the following permissions:

      • API responses with detailed metadata.

      • API responses with DAX and mashup expressions.

  2. Create a new App Registration in Azure for your Datalogz client.

  • Log in to your Azure portal and navigate to Azure App registration

  • Register an Application

  • Add the following redirect URIs

https://app.your_domain.com/api/v0/oauth/ms/redirect
https://app.your_domain.com/api/v0/oauth/powerbi/redirect
  • Add the following Read-Only API Permissions

Microsoft Graph (3)
email
openid
User.Read

Power BI Service (11)
App.Read.All
Capacity.Read.All
Dashboard.Read.All
Dataflow.Read.All
Dataset.Read.All
Gateway.Read.All
Pipeline.Read.All
Report.Read.All
StorageAccount.Read.All
Tenant.Read.All (admin consent required)
Workspace.Read.All

Once the App Registration has those delegated permissions, the app is able to use any admin or non-admin API that needs those permissions (such as WorkspaceGetInfo). The Tenant.Read.All permission is required for Activity Events and Workspace Datasets, Tables, Columns, and Queries.

  • Create a new Client Secret

  • Add the following environment variables to your Key Vault. The Client ID and Client Secret will be the same for both PowerBI and Microsoft, since a single app registration was created above.

    • These variables are split out in case you want to create app registrations for the Microsoft Graph API and PowerBI API separately.

POWERBI-CLIENT-ID
POWERBI-CLIENT-SECRET
MICROSOFT-CLIENT-ID
MICROSOFT-CLIENT-SECRET
  3. Log in to your on-premises deployment of Datalogz as a Microsoft 365 Global Administrator.

Your administrator must approve the following API permissions during this authentication process.

Microsoft Graph (3)
email
openid
User.Read
  4. As the Microsoft 365 Global Administrator, after logging in, proceed to create a new PowerBI Connector from the Connectors tab. Complete Steps 1 - 4. In step 3 you will select the specific Workspaces you want to assign to this connector.

  5. After you have completed your connector setup, the connector refresh status can be viewed from the Connectors page. After a few minutes the metadata refresh will complete and the Overview and Recommendations tabs will be populated.

  6. Now create a Role and grant read access to this connector. Navigate to Role Settings from the profile menu in the upper-right of your window. Once the role is created and assigned to the connector, new users can be invited and assigned to the role(s) and connectors they should have access to.

  7. To invite users, navigate to User Settings from the profile menu in the upper-right of your window. You can send email invitations to invite users, designating their user type as Admin or Member as described below:

    - Admin: Can create and manage connectors and roles, manage account settings, and view the overview and recommendations.
    - Member: Can manage personal settings and view overview and recommendations.

  8. Navigate back to the Connector page to check on the status of the connector. Once it successfully completes its first run, the Overview and Recommendations views will be populated.
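
The following Python example is added here and is not Datalogz code. It audits a delegated access token issued to the Option 2 app registration against the Power BI Service permissions listed above, reporting any scope outside that read-only list. The function names and the sample token are constructed for illustration, and the token signature is not verified because this is an offline audit of the scp claim only.

```python
import base64
import json

# Delegated Power BI Service scopes listed for Option 2 on this page.
DOCUMENTED_SCOPES = {
    "App.Read.All", "Capacity.Read.All", "Dashboard.Read.All",
    "Dataflow.Read.All", "Dataset.Read.All", "Gateway.Read.All",
    "Pipeline.Read.All", "Report.Read.All", "StorageAccount.Read.All",
    "Tenant.Read.All", "Workspace.Read.All",
}
# Audience value carried by access tokens issued for the Power BI service.
POWERBI_AUDIENCE = "https://analysis.windows.net/powerbi/api"


def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload without verifying the signature (audit only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(jwt: str) -> dict:
    """Compare the token's delegated scopes (scp claim) with the documented list."""
    claims = decode_claims(jwt)
    granted = set(claims.get("scp", "").split())
    return {
        "audience_ok": claims.get("aud", "").rstrip("/") == POWERBI_AUDIENCE,
        "unexpected": sorted(granted - DOCUMENTED_SCOPES),
        "write_capable": sorted(s for s in granted if "Write" in s),
        "missing": sorted(DOCUMENTED_SCOPES - granted),
    }


def make_sample_token(scopes: list[str]) -> str:
    """Build an unsigned, constructed token used only for this demonstration."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": POWERBI_AUDIENCE, "scp": " ".join(scopes)}
    return f"{b64({'alg': 'none'})}.{b64(claims)}.constructed-signature"


if __name__ == "__main__":
    # Constructed sample: the documented scopes plus one that should not be granted.
    sample = make_sample_token(sorted(DOCUMENTED_SCOPES) + ["Dataset.ReadWrite.All"])
    print(json.dumps(audit_token(sample), indent=2))
```

A non-empty "unexpected" or "write_capable" list means the app registration holds more than the read-only permissions this page asks for and should be reviewed in the Azure portal.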
