Create an Azure AD app

Log into the Microsoft Azure Portal

Search for App registrations and click the App registrations link.
azure app registration

Click New registration
new registration

Fill in the required information:

  • Name - Enter a name for your application - eg: PowerBI-Workspace-DEV
  • Supported account types - Select supported account types - eg: Accounts in this organisational directory only (Single Tenant)

Click Register.

After registering, the Application ID is available from the Overview tab. Copy and paste the Application ID and Tenant ID into notepad for later use.

Click the Certificates & secrets tab.
A screenshot that shows the certificates and secrets pane for an app in the Azure portal.

Click New client secret
A screenshot that shows the new client secret button in the certificates and secrets pane.

In the Add a client secret window, enter a description, specify the client secret to never expire, and click Add.

Copy and paste the Client secret value into notepad for later use.
A screenshots that shows a blurred out secret value in the certificates and secrets pane.

Important

Before finishing this part, make sure you have a copy of these following items for the Power BI Actions Extension in Azure DevOps:

  • Application ID (also known as a Client ID)
  • Directory ID (also known as a Tenant ID)
  • Client Secret Value

Modifying Permissions of an Existing App Registration

The last step in performing an App Registration, and a step that may need to be performed over time as needs change, is to assign permissions to the registration. These are permissions that the app will be allowed to do, providing the authenticating user also has the necessary permission.

Note that if you need the Power BI Tenant.Read.All or Tenant.Write.All permission, those must be assigned via this process.

To add, view, or change permissions, follow the below steps:

Within your registration, click on View API permissions either on the left menu or bottom button. Also note that your Application Client ID used in your application is visible at the top of the page.

View the permissions on this page and add additional ones with the Add a permission button. Note that permissions starting with Tenant. will require an Azure AD / O365 admin to visit this page to click on the “Grant admin consent” button

After clicking on Add a Permission, select Power BI Service.

Ensure that you select “Delegated permissions” (the option to use when the application connects with user credentials). Select the desired permissions and press Add permissions. Note that Tenant.Read.All and Tenant.Write.All permissions will require Azure AD / O365 admin consent before becoming effective. Also note that you need at least one Power BI permission assigned to your application to be able to authenticate as a Power BI application.

Create an Azure AD security group

Your service principal doesn't have access to any of your Power BI content and APIs. To give the service principal access, create a security group in Azure AD, and add the service principal you created to that security group.

Search for and select Azure Active Directory.

On the Active Directory page, select Groups and then select New group.
Azure AD page, with Groups showing

The New Group pane will appear and you must fill out the required information.

Add the Azure App Service Principal as a member (for our example we named it PowerBI Anayltics) as well as other users and owners as applicable for your security

Click "Create"

Enable the Power BI service admin settings

For an Azure AD app to be able to access the Power BI content and APIs, a Power BI admin needs to enable service principal access in the Power BI admin portal.

Add the security group you created in Azure AD, to the specific security group section in the Developer settings.

Important

Service principals have access to any tenant settings they're enabled for. Depending on your admin settings, this includes specific security groups or the entire organization.

To restrict service principal access to specific tenant settings, allow access only to specific security groups. Alternatively, you can create a dedicated security group for service principals, and exclude it from the desired tenant settings.

Screenshot showing the developer settings in the admin options in the Power BI portal.

Add the service principal to your workspace

To enable your Azure AD app access artifacts such as reports, dashboards and datasets in the Power BI service, add the service principal entity as a member or admin to your workspace.

Scroll to the workspace you want to enable access for, and from the More menu, select Workspace access.
Screenshot showing the workspace access button in the more menu of a Power BI workspace.

Add the service principal as an Admin or Member to the workspace.
Screenshot showing adding a member or an admin to the access pane in the Power BI portal.

  • No labels