# Power BI This guide will walk you through how to set up a Power BI connection in the Datalogz Control Tower using the [**service principal**](https://learn.microsoft.com/en-us/entra/architecture/service-accounts-principal) method for authentication. [This Microsoft's recommended method for running an application in an automated way, without user input.](https://learn.microsoft.com/en-us/entra/identity-platform/app-only-access-primer#when-should-i-use-application-only-access) Below follows [Microsoft's documentation to enable service principal authentication for admin APIs.](https://learn.microsoft.com/en-us/fabric/admin/enable-service-principal-admin-apis) ### Setup Overview Below is the order of operations for completing the Power BI connector setup 1. Register an application in the Microsoft Entra portal 2. Create a security group in the Microsoft Entra portal and add the app registration to the security group 3. Add the security group to the Power BI tenant 4. Create a Power BI connector in the Datalogz Control Tower ### Prerequisites {% stepper %} {% step %} ### Register an application in the Microsoft Entra portal 1. Follow the steps outlined [here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#register-an-application) A note on permissions: Microsoft specifies that when running under service principal authentication, [an app **must not** have any admin-consent required permissions for Power BI set on it in the Azure portal](https://learn.microsoft.com/en-us/fabric/admin/enable-service-principal-admin-apis#how-to-check-if-your-app-has-admin-consent-required-permissions). **Note**: The **Application (client) ID** and the **Directory (tenant) ID** values in the **Overview** screen of the registered application will be needed for the Power BI Connector setup in the Datalogz Control Tower. 1. Under the **Manage** section of your registered application, select **Certificates & secrets** 2. Under **Client secret** select **New client secret** 3. Enter a **Description** for the client secret 4. In the **Expires** leave the default set to **Recommended: 180 days (6 months)** 1. **Note**: You can optionally set the expiry duration to be shorter or longer. Note however that once the client secret expires you'll have to create a new secret and re-authenticate the Datalogz Control Tower Power BI connector configuration. 5. Click **Add** 6. Copy the **Value** 1. **Note**: The generated value will be our **Application Secret Value** used in the Datalogz Control Tower connector setup. Client secret values cannot be viewed, except for immediately after creation. Be sure to save the secret when created before leaving the page. {% endstep %} {% step %} ### Create a security group in the Microsoft Entra portal 1. Follow the steps outlined [here](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#create-a-basic-group-and-add-members). 2. Under **Group type** select **Security** 1. **Note**: Security groups are used to give group members access to applications, resources and assign licenses. Group members can be users, devices, service principals, and other groups. 3. Enter a **Group name** 1. **Note**: The group name will be needed to complete the Power BI tenant admin configuration. 4. Under **Members** select **No members selected** 5. Search for the name of the registered application, select the check box next to the name and then click **Select** 6. Search for the name of the registered application created in step 1 7. Click the checkbox next to the registered application and click **Select** 8. You should now see the registered application listed under **Direct members** {% endstep %} {% step %} ### Add the security group to the Power BI tenant 1. From the [Power BI admin portal](https://app.powerbi.com/admin-portal/tenantSettings) navigate to the **Tenant settings** section 2. Under **Developer settings** 1. Find **Service principals can call Fabric public APIs** 2. Select **Specific security groups** 3. Enter the security group created above 4. Click **Apply** 3. Under **Admin API settings** 1. Find **Service principals can access read-only admin APIs** 1. Select **Specific security groups** 2. Enter the security group created above 3. Click **Apply** 2. Find **Enhance admin APIs responses with detailed metadata** 1. Select **Specific security groups** 2. Enter the security group created above 3. Click **Apply** 3. Find **Enhance admin APIs responses with DAX and mashup expressions** 1. Select **Specific security groups** 2. Enter the security group created above 3. Click **Apply** 4. **Note**: Power BI tenant configuration changes can take 15 minutes or longer to be applied. {% endstep %} {% step %} ### Create a Power BI connector in the Datalogz Control Tower 1. [Log in to your Datalogz account](https://app.datalogz.io/#/auth/signin) 2. [Navigate to your organizations connectors](https://app.datalogz.io/#/organization/connectors) 3. [Select New Connector](https://app.datalogz.io/#/organization/connectors/new) 4. [Select Power BI](https://app.datalogz.io/#/organization/connectors/new/powerbi) 5. Select **Connect using a Service Principal (SP)** and click **Connect** 6. Enter the following information obtained in the previous steps 1. **Directory (Tenant) ID** 2. **Application (Client) ID** 3. **Application Secret Value** 7. Click **Connect** 8. Enter a **Connector Name** 9. Select the snapshot frequency, e.g., **Weekly** or **Daily** 10. Select the kinds of **workspaces** you'd like to monitor, e.g., **Premium**, **Shared**, and/or **Personal** 11. Select if you'd like to capture **Activity** and **Capacity** metadata as well. 1. **Note**: For **Capacity** monitoring see the additional setup below 12. Click **Next** 13. Click **Confirm and Finish** {% endstep %} {% step %} ### Capcity Monitoring (Optional) The additional capacity monitoring setup is optional, but highly recommended as it provides a way to monitor your Fabric capacity usage with the registered application created above. 1. From the [Power BI admin portal](https://app.powerbi.com/admin-portal/tenantSettings) navigate to the **Tenant settings** section 2. Under **Integration settings** 1. Find **Semantic Model Execute Queries REST API** 1. Select **Specific security groups** 2. Enter the Azure security group created above 3. Click **Apply** 1. **Note**: When enabled, users in the organization can query semantic models by using Data Analysis Expressions (DAX) through Power BI REST APIs. {% endstep %} {% step %} ### Install the **Microsoft Fabric Capacity App** 1. Navigate to the **Apps** section on the side bar of Power BI. 2. Search for the **Microsoft Fabric Capacity App** and add it. 3. Navigate to the **Microsoft Fabric Capacity Metrics** workspace that is created with the app. 4. Go to **Manage Access** and grant **Admin** permissions to the Azure security group 5. [Run the app for the first time](https://learn.microsoft.com/en-us/fabric/enterprise/metrics-app-install?tabs=1st#run-the-app-for-the-first-time) to start data flowing into the semantic model. 1. **Note**: The ID of the dataset/semantic model for the **Fabric Capacity Metrics** will be needed to complete the setup for **Capacity** monitoring in the Datalogz Control Tower Power BI connector. 1. This can be found in the URL when viewing the semantic model in your web browser. The full documentation for the **Microsoft Fabric Capacity App** can be found [here](https://learn.microsoft.com/en-us/fabric/enterprise/metrics-app-install). {% endstep %} {% endstepper %} For questions or assistance with this setup, please contact Datalogz support