🤓 Who can do this? Depending on the authentication method you choose, you may need a combination of your Cloud Application Administrator or Application Administrator for Microsoft Entra ID, Microsoft 365 administrator for Microsoft 365, and Fabric Administrator (formerly known as Power BI Administrator) for Microsoft Power BI to complete these tasks — you may not have access yourself.
Atlan supports the following authentication methods for fetching metadata from Microsoft Power BI:
- Delegated user authentication
- Service principal authentication
Register app with Microsoft Entra ID
🤓 Who can do this? You will need your Cloud Application Administrator or Application Administrator to complete these steps — you may not have access yourself. This will be required if the creation of registered applications is not enabled for the entire organization.
As a prerequisite for using either authentication method, you will need to register a client application with Microsoft Entra ID and note down the values of the tenant ID, client ID, and client secret.
To register your client application with Microsoft Entra ID:
- Log in to the Azure portal.
- In the search bar, search for Microsoft Entra ID and select it from the dropdown list.
- From the left menu of the Microsoft Entra ID page, click App registrations.
- From the toolbar on the App registrations page, click + New registration.
- On the Register an application page, for Name, enter a name for your client application and then click Register.
- On the homepage of your newly created application, from the Overview screen, copy the values for the following fields and store them in a secure location:
- Application (client) ID
- Directory (tenant) ID
- From the left menu of your newly created application page, click Certificates & secrets.
- On the Certificates & secrets page, under Client secrets, click + New client secret.
- In the Add a client secret screen, enter the following details:
- For Description, enter a description for your client secret.
- For Expiry, select when the client secret will expire.
- Click Add.
- On the Certificates & secrets page, under Client secrets, for the newly created client secret, click the clipboard icon to copy the Value and store it in a secure location.
Create a security group in Microsoft Entra ID
🤓 Who can do this? You will need your Cloud Application Administrator or Application Administrator to complete these steps — you may not have access yourself.
To create a security group:
- Log in to the Azure portal.
- In the search bar, search for Microsoft Entra ID and select it from the dropdown list.
- In the left menu, under the Manage section, click Groups.
- From the top of the page, click the New group button.
- Set the Group type to Security.
- Enter a Group name and (optionally) a Group description.
- Under Members, click the No members selected link.
- Depending on the authentication method you choose, configure the following:
- For Delegated User authentication, search for the user and click to select it.
- For Service Principal authentication, search for the application registration created above and click to select it.
- At the bottom of the page, click the Select button.
- At the bottom of the page, click the Create button.
Assign security group and role in Microsoft Power BI workspace
🤓 Who can do this? You will need to be at least a member of the Microsoft Power BI workspace to which you want to add the security group to complete these steps — you may not have access yourself. Ensure that you add the security group from the homepage and not the admin portal.
There are three ways to add a security group to a Microsoft Power BI workspace role:
- Manually, outlined below
- Using PowerShell
- Using the Groups - add group user API
To assign a Microsoft Power BI workspace role to the security group:
- Open the Microsoft Power BI homepage.
- From the menu on the left, open Workspaces and then the workspace you want to access from Atlan.
- Above the table, click the Access button.
- In the resulting panel:
- Inside the text box that says Enter email addresses, enter the name of the security group you created above.
- Depending on your workspace settings, you can either:
- For workspaces that do not have any parameters defined, change the dropdown below this to Viewer.
- If your workspace has any semantic models with parameters defined, change the dropdown below this to Contributor to bring in the parameters to Atlan. You will have to do this for all existing workspaces for which parameters have been defined.
- To crawl and generate lineage for dataflows, in addition to crawling defined parameters for semantic models, change the dropdown below this to Member.
- Below the dropdown, click the Add button.
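The same assignment through the Groups - add group user API listed above, as an added example (not Atlan's or Microsoft's own code): it picks the lowest role the rules in these steps allow and builds the POST request without sending it. The workspace ID, group object ID, and token are constructed placeholders; the request field names follow the public Power BI REST API.

```python
import json
import urllib.request

# Groups - add group user endpoint of the Power BI REST API.
ENDPOINT = "https://api.powerbi.com/v1.0/myorg/groups/{workspace_id}/users"


def least_role(has_parameters: bool, needs_dataflows: bool) -> str:
    """Lowest workspace role that satisfies the rules in the steps above."""
    if needs_dataflows:      # dataflow crawling and lineage
        return "Member"
    if has_parameters:       # semantic models with parameters defined
        return "Contributor"
    return "Viewer"          # metadata only


def add_group_body(group_object_id: str, role: str) -> dict:
    """JSON body that grants a security group a workspace role."""
    if role not in ("Viewer", "Contributor", "Member"):
        raise ValueError(f"role {role!r} is outside what this setup needs")
    return {
        "identifier": group_object_id,   # object ID of the security group
        "principalType": "Group",
        "groupUserAccessRight": role,
    }


def build_request(workspace_id, group_object_id, role, token):
    """Build (do not send) the POST; pass it to urllib.request.urlopen to apply."""
    return urllib.request.Request(
        ENDPOINT.format(workspace_id=workspace_id),
        data=json.dumps(add_group_body(group_object_id, role)).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


# Constructed placeholders, not real identifiers.
WORKSPACE_ID = "11111111-1111-1111-1111-111111111111"
GROUP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"

if __name__ == "__main__":
    role = least_role(has_parameters=True, needs_dataflows=False)
    req = build_request(WORKSPACE_ID, GROUP_OBJECT_ID, role, "<access-token>")
    print(req.get_method(), req.full_url, req.data.decode())
```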
Delegated user authentication
Assign Fabric administrator role in Microsoft 365
🤓 Who can do this? You will need your Microsoft 365 administrator to complete these steps — you may not have access yourself.
To assign the delegated user to the Fabric Administrator role:
- Open the Microsoft 365 admin portal.
- From the left menu of the Microsoft 365 admin center, click Users and then click Active users.
- On the Active users page, select the delegated user that you want to assign the role to.
- In the selected user form, under Roles, click Manage roles.
- In the Manage admin roles form, expand the Show all by category dropdown, and then from under the Collaboration category, select the Fabric Administrator role.
- Click Save changes to save your selections.
Add permissions in Microsoft Entra ID
🤓 Who can do this? You will need your Cloud Application Administrator or Application Administrator to complete these steps — you may not have access yourself.
🚨 Careful! The following permissions are only required for delegated user authentication. If using service principal authentication, you do not need to configure any delegated permissions for a service principal — it is recommended that you avoid adding these permissions. These are never used and can cause errors that may be hard to troubleshoot.
To add permissions for the registered application:
- In the left menu of the app registration, under the Manage section, click API permissions.
- Under the Configured permissions heading, click the Add a permission button.
- Using Cmd+F / Ctrl+F, search for and click the Power BI Service tile.
- In the resulting page, click Delegated permissions and select the following necessary permissions to allow Atlan to fetch metadata:
- Capacity.Read.All
- Dataset.Read.All
- Report.Read.All
- Tenant.Read.All
- Workspace.Read.All
- At the bottom of the page, click the Grant Admin consent button. (If you only see the Add permissions button you are not an administrator.)
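A way to confirm the consent took effect, as an added example (not Atlan's or Microsoft's own code): decode the `scp` claim of an access token issued to the delegated user and compare it with the five permissions listed above, reporting anything missing and anything granted beyond them. The sample token is constructed and unsigned, and the `Dataset.ReadWrite.All` scope in it is a constructed over-grant for illustration.

```python
import base64
import json

# Delegated permissions this page lists for the Power BI Service API.
REQUIRED_SCOPES = {
    "Capacity.Read.All", "Dataset.Read.All", "Report.Read.All",
    "Tenant.Read.All", "Workspace.Read.All",
}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Use only to inspect a token you obtained yourself, never to authorize."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_delegated_token(token: str) -> dict:
    """Compare the token's delegated scopes with the list on this page."""
    claims = jwt_claims(token)
    if "scp" not in claims:          # app-only tokens carry no scp claim
        return {"delegated": False,
                "missing": sorted(REQUIRED_SCOPES), "extra": []}
    granted = set(claims["scp"].split())
    return {
        "delegated": True,
        "missing": sorted(REQUIRED_SCOPES - granted),   # consent incomplete
        "extra": sorted(granted - REQUIRED_SCOPES),     # more than needed
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed sample: two required scopes missing, one write scope too many.
SAMPLE_TOKEN = make_sample_token({
    "scp": "Capacity.Read.All Dataset.ReadWrite.All "
           "Report.Read.All Workspace.Read.All",
})

if __name__ == "__main__":
    print(audit_delegated_token(SAMPLE_TOKEN))
```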
Enable extra admin API settings in Microsoft Power BI
🤓 Who can do this? You will need your Fabric Administrator (formerly known as Power BI Administrator) to complete these tasks — you may not have access yourself.
To enable the Microsoft Power BI admin API:
- Log in to the Power BI admin portal.
- From the menu under Admin portal, click Tenant settings.
- Under the Admin API settings heading, configure the following:
- Click to expand the Enhance admin APIs responses with detailed metadata expandable and ensure this is Enabled.
- Under Specific security groups, add the security group created above.
- At the bottom of the expanded section, click the Apply button.
- Click to expand the Enhance admin APIs responses with DAX and mashup expressions expandable and ensure this is Enabled.
- Under Specific security groups, add the security group created above.
- At the bottom of the expanded section, click the Apply button.
Service principal authentication
Enable extra admin API settings in Microsoft Power BI
🤓 Who can do this? You will need your Fabric Administrator (formerly known as Power BI Administrator) to complete these tasks — you may not have access yourself.
To enable the Microsoft Power BI admin API:
- Log in to the Power BI admin portal.
- From the menu under Admin portal, click Tenant settings.
- Under the Developer settings heading, click to expand Service principals can use Fabric APIs and ensure this is Enabled.
- Under Specific security groups (Recommended), add the security group created above.
- At the bottom of the expanded section, click the Apply button.
- Under the Admin API settings heading, configure the following:
- Click to expand the Allow service principals to use read-only Power BI admin APIs expandable and ensure this is Enabled.
- Under Specific security groups, add the security group created above.
- At the bottom of the expanded section, click the Apply button.
- Click to expand the Enhance admin APIs responses with detailed metadata expandable and ensure this is Enabled.
- Under Specific security groups, add the security group created above.
- At the bottom of the expanded section, click the Apply button.
- Click to expand the Enhance admin APIs responses with DAX and mashup expressions expandable and ensure this is Enabled.
- Under Specific security groups, add the security group created above.
- At the bottom of the expanded section, click the Apply button.