How to set up Microsoft Power BI

πŸ€“ Who can do this? You will probably need your Microsoft Power BI tenant administrator to run these commands β€” you may not have access yourself. You will also need to work with your Azure AD administrator to carry out the tasks in Azure AD.

Create an Azure Active Directory application

To create an Azure Active Directory (AD) application:

  1. Log in to the Azure portal: https://portal.azure.com/
  2. Open the menu and click Azure Active Directory.
  3. In the left menu, under the Manage section, click App Registrations.
  4. At the top of the page, click the New registration button.
  5. In the resulting page, enter the following information:
    • For Name enter a name for the integration. For example, AtlanPowerBIIntegration.
    • For Supported account types select Accounts in this organizational directory only (<directory> only - Single tenant).
  6. At the bottom of the page, click the Register button.

Add permissions

🚨 Careful! Only administrators can perform this action β€” this is necessary so the Atlan crawler does not need to ask user permissions every time it runs. However, these permissions are only required for delegated user authentication. If using service principal authentication, you do not need to configure any delegated permissions for a service principal β€” it is recommended that you avoid adding these permissions. They're never used and can cause errors that may be hard to troubleshoot.

To add permissions for this application:

  1. In the left menu of the app registration, under the Manage section, click API permissions.
  2. Under the Configured permissions heading, click the Add a permission button.
  3. Using Cmd+F / Ctrl+F search for and click the Power BI Service tile.
  4. In the resulting page, click Delegated permissions and select the following permissions:
    • App.Read.All
    • Capacity.Read.All
    • Dashboard.Read.All
    • Dataflow.Read.All
    • Dataset.Read.All
    • Gateway.Read.All
    • Pipeline.Read.All
    • Report.Read.All
    • StorageAccount.Read.All
    • Tenant.Read.All
    • Workspace.Read.All
  5. At the bottom of the page, click the Grant Admin consent button. (If you only see the Add permissions button you are not an administrator.)

Create a client secret

To create a client secret:

  1. In the left menu of the app registration, under the Manage section, click Certificates & secrets.
  2. Under the Client secrets tab, click the New client secret button.
  3. Enter a description and set the expiration.
  4. At the bottom of the page click the Add button.
  5. For your create secret, under the Value column, click the copy icon to copy the secret value.

Retrieve the tenant and client IDs

To retrieve the tenant ID and client ID from the Azure portal:

  1. In the left menu of the app registration, at the top click Overview.
  2. Under the Essentials section, copy the Application (client) ID and the Directory (tenant) ID.

Create a security group

To create a group:

  1. Open the menu and click Azure Active Directory.
  2. In the left menu, under the Manage section, click Groups.
  3. At the top of the page, click the New group button.
  4. Set the Group type to Security.
  5. Enter a Group name and (optionally) a Group description.
  6. Under Members click the No members selected link.
  7. Search for the application registration created above and click it to select it.
  8. If your authentication method in Atlan is Delegated User, search for the user and click to select it. Otherwise, skip to step 9.
  9. At the bottom of the page click the Select button.
  10. At the bottom of the page click the Create button.

Enable extra admin API settings

🚨 Careful! Only administrators can perform this action.

To enable the Microsoft Power BI admin API:

  1. Log in to the Power BI admin portal: https://app.powerbi.com/admin-portal
  2. From the menu under Admin portal click Tenant settings.
  3. Under the Developer settings heading, expand the Allow service principals to use Power BI APIs expandable and ensure this is Enabled.
    1. Under Specific security groups (Recommended) add the security group created above.
    2. At the bottom of the expanded section click the Apply button.
  4. Under the Admin API settings heading, expand the Allow service principals to use read-only Power BI admin APIs expandable and ensure this is Enabled.
    1. Under Specific security groups add the security group created above.
    2. At the bottom of the expanded section click the Apply button.
  5. Still under the Admin API settings heading, expand the Enhance admin APIs responses with detailed metadata expandable and ensure this is Enabled.
    1. Under Specific security groups add the security group created above.
    2. At the bottom of the expanded section click the Apply button.
  6. Still under the Admin API settings heading, expand the Enhance admin APIs responses with DAX and mashup expressions expandable and ensure this is Enabled.
    1. Under Specific security groups add the security group created above.
    2. At the bottom of the expanded section click the Apply button.

Add service principal as a workspace viewer

🚨 Careful! Only administrators can perform this action. Ensure that you add the security group from the homepage and not the admin portal.

To add a service principal as a workspace viewer:

  1. Log in to the Power BI portal and go to the homepage.
  2. From the menu on the left, open Workspaces and then the workspace you want to access from Atlan.
  3. Above the table, click the Access button.
  4. In the resulting panel:
    1. Inside the text box that says Enter email addresses enter the name of the security group you created above.
    2. Change the dropdown below this to Viewer.
    3. Below the dropdown, click the Add button.
πŸ’ͺ Did you know? If you have defined parameters in a workspace, then the security group permissions while attaching it to the workspace will need to be set to the Contributor role to bring in the parameters to Atlan. You will have to do this for all existing workspaces for which parameters have been defined. For workspaces that do not have any parameters, Viewer permissions will suffice.

Related articles

Was this article helpful?
1 out of 1 found this helpful