Setting up authentication for Power BI

There are two methods to authenticate. The first method is Service Principal, which uses a client secret from Azure Application Registration and does not require user interaction during import. The second method is Interactive mode, which requires user interaction each time a data source is imported. Because of this, import tasks using Interactive mode cannot be scheduled in Dataedo Scheduler.

When using the Interactive authentication type without Advanced authentication settings, the only prerequisite is that the user you are connecting with has the appropriate permissions. However, when using the Service Principal authentication type or the Interactive authentication type with Advanced authentication settings, you must first have an Azure Application Registration created.

This page describes authentication setup prerequisites in Microsoft Entra ID and Power BI (Fabric) (permissions, service principal, admin settings). To sign in and import metadata in Dataedo, go to Power BI connector documentation and use Importing Metadata in Dataedo Portal or Importing Metadata in Dataedo Desktop.

Service Principal

Follow the steps in this order:

  1. Review Permissions - all authentication types (workspace/object access).
  2. Create or identify Azure Application Registration for the Service Principal path (section Creating Azure Application Registration).
  3. Complete Service Principal for Power BI (recommended) (security group and workspace access).
  4. Complete Enable admin API settings in Microsoft Power BI, including Additional settings for Service Principal.
  5. Go to the Power BI connector page and configure/import metadata in Importing Metadata in Dataedo Portal (recommended) or Importing Metadata in Dataedo Desktop.

Interactive

Follow the steps in this order:

  1. Review Permissions - all authentication types (workspace/object access).
  2. Complete Enable admin API settings in Microsoft Power BI (the subsection Settings for both authentication methods).
  3. Configure interactive authentication in Interactive authentication type (if you use Advanced authentication settings, complete Creating Azure Application Registration).
  4. Import metadata using Dataedo Desktop only: go to the Power BI connector page and follow Importing Metadata in Dataedo Desktop.

Permissions - all authentication types

The user must have at least Member access to every workspace and to each object (reports, datasets, dashboards, etc.) they want to document.

You can verify this by visiting app.powerbi.com and checking whether the target workspace and its objects are visible.

Service Principal for Power BI (recommended)

Setting up Power BI import with service principal authentication requires, in addition to the application registration, a security group that is assigned the proper role in the Microsoft Power BI workspace. First create or identify the Azure Application Registration (see Creating Azure Application Registration in Service Principal authentication type). Then complete Creating a security group and Assigning security group and role in Microsoft Power BI below. Additional Power BI Admin Portal settings (shared across authentication methods) are described in Enable admin API settings in Microsoft Power BI.

Creating a security group

  1. Log in to the Azure Portal.
  2. In the search bar, enter Microsoft Entra ID and select it from the list.
  3. In the left menu, under the Manage section, click Groups.
  4. Click New group.
  5. Set the Group type to Security.
  6. Enter the Group name and description.
  7. Under Members, click the No members selected link.
  8. Search for the application registration created before and click to select it.
  9. Click Select.
  10. Click Create.

Assigning security group and role in Microsoft Power BI

  1. Open https://app.powerbi.com/home
  2. Open Workspaces and then select the workspace you wish to import.
  3. Click the Manage Access button.
  4. Click "Add people or groups".
  5. In the Enter email addresses box, enter the name of the security group you created before.
  6. To generate lineage for dataflows in addition to importing defined parameters for semantic models, set the role to Member.
  7. Click Add below the dropdown.

Enable admin API settings in Microsoft Power BI

This section contains Power BI tenant settings required for metadata import. It applies to both authentication methods, while settings explicitly mentioning Service Principal are only required for that method. If you use Service Principal authentication, remember to complete the Additional settings for Service Principal subsection.

  1. Log in to https://app.powerbi.com/admin-portal
  2. From the menu under Admin portal, click Tenant settings.

Settings for both authentication methods

  1. Under Enhance admin APIs responses with detailed metadata, select Enabled. You can enable it for the Entire organization or limit it to specific security groups. If you choose groups, add the security group created before and click Apply.
  2. Under Enhance admin APIs responses with DAX and mashup expressions, select Enabled. You can enable it for the Entire organization or limit it to specific security groups. If you choose groups, add the security group created before and click Apply.

Additional settings for Service Principal

These settings require the security group created in Creating a security group.

  1. Under Developer settings, click Service principals can call Fabric public APIs and select Enabled. Under security groups, add the security group created before and click Apply.
  2. Under Admin API settings, click Allow service principals to use read-only Power BI admin APIs and select Enabled. Under security groups, add the security group created before and click Apply.

After completing the Power BI-side steps above, continue below with Configure Service Principal credentials in Dataedo or Interactive authentication type to configure credentials in Dataedo. Then return to the Power BI connector page and continue with sign-in/import in Dataedo Portal or Dataedo Desktop.

Interactive authentication type

This authentication workflow uses user impersonation against an Azure Application Registration. By default, Dataedo's Application Registration is used; when you select Advanced authentication settings, you can provide connection details for your own Azure Application Registration.

Required permissions

Workspaces with Pro license (Interactive authentication)

If you are using Interactive authentication with workspaces on Pro license, the user you are connecting with must be a Fabric Administrator; otherwise some data may be missing or incomplete. For workspaces on Premium license, this is not required.

Metadata is retrieved using the Power BI Admin API. The connecting user must be a Fabric Administrator.

The user must have the following scopes:

  • Report.Read.All
  • Workspace.Read.All
  • Dataset.Read.All
  • Dataflow.Read.All
  • Dashboard.Read.All
  • Tenant.Read.All – required to import usage statistics and perform WorkspaceInfo scans.
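To check the scope list above against a token actually issued to the connecting user, the following added example (not part of Dataedo's documentation or code) decodes the `scp` claim of a delegated access token and reports scopes that are missing or granted beyond the list. The sample token is constructed and unsigned; how you obtain a real token for inspection is outside this sketch.

```python
import base64
import json

# Delegated scopes the page lists for the connecting user.
REQUIRED_SCOPES = {
    "Report.Read.All", "Workspace.Read.All", "Dataset.Read.All",
    "Dataflow.Read.All", "Dashboard.Read.All", "Tenant.Read.All",
}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Inspection only; never base a trust decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_scopes(token: str) -> dict:
    """Compare the space-separated 'scp' claim with the required scopes."""
    granted = set(jwt_claims(token).get("scp", "").split())
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "extra": sorted(granted - REQUIRED_SCOPES),  # review for least privilege
    }

def constructed_token(scp: str) -> str:
    """Build an unsigned sample token (constructed data, not a credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"scp": scp}), "sig"])

# Constructed sample: two required scopes absent, one write scope present.
SAMPLE = constructed_token(
    "Report.Read.All Workspace.Read.All Dataset.Read.All "
    "Dashboard.Read.All Dataset.ReadWrite.All"
)

if __name__ == "__main__":
    print(audit_scopes(SAMPLE))
```

An empty `missing` list means every scope on the page is present; anything under `extra` is a permission the import does not need according to this list.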

Interactive authentication using default settings

To use interactive authentication, set the Authentication Type dropdown to Interactive and leave the Advanced authentication settings checkbox unchecked.

When you click Connect or select some details (workspace), your default browser opens with the Microsoft login screen. After a successful login, you can close the browser and start the import. In some cases, the first use requires Azure Administrator consent, and an Administrator must take action as explained in the Adding Azure Administrator consent to Azure Application Registration section below.

Interactive authentication using advanced authentication settings

To use interactive authentication with advanced authentication settings, set the Authentication Type dropdown to Interactive and check the Advanced authentication settings checkbox. Then enter your Application Registration Client Id in the Client Id textbox. How to create an Azure Application Registration and where to find the Application Registration Client Id is explained in the Creating Azure Application Registration section below. If your Application Registration uses non-default settings, or your Azure Cloud Instance is not Azure Public, select the proper values in the Authority, Cloud Instance and Audience fields.

Creating Azure Application Registration

To create an Azure Application Registration:

  1. Log in to the Azure Portal.
  2. In the search bar, search for App registrations and select it from the list.
  3. From the toolbar, on the App registrations page, click + New registration.
  4. On the Register page, for Name, enter a name for your client application, select the supported account types, and set Redirect URI to Public client/native with the http://localhost redirect URI.
  5. Click Register.
  6. On the homepage of your created application, from the Overview screen, copy the value of the Application (client) ID field. This value needs to be pasted into the Client Id field in Dataedo.
  7. On the left sidebar of your created application page, click Manage and then click API permissions to assign proper permissions to the application.
  8. On the API permissions page, click Add a permission.
  9. On the right sidebar, Request API permissions, click Azure Service Management.
  10. On the permissions list that appears after clicking Azure Service Management, check the user_impersonation checkbox and click Add Permissions.

Adding Azure Administrator consent to Azure Application Registration

In some Azure subscription configurations, Admin consent may be required for using Application Registration.

If the user encounters a screen like this, it means that requesting Admin consent is disabled for your Azure subscription:

To resolve this, the user needs to see a screen like this, where they can send a request for approval to the Azure Admin:

To enable sending Admin consent requests, the Azure Administrator needs to take the following steps in Azure Portal:

  1. Open Enterprise applications in the Azure portal.
  2. In the left sidebar, go to Security and click on the Consent and permissions menu.
  3. In Consent and permissions, click Admin consent settings in the left sidebar and select YES for "Admin consent requests – Users can request admin consent to apps they are unable to consent to." Select one or more users, groups, or roles that can consent to applications.

Once consent requests are enabled, the user can send a request for approval:

After the request is sent, the Azure Administrator will see the request for review under Enterprise applications in the Azure Portal, within the Activity → Admin consent requests menu. After reviewing and approving the requested permissions, the user will be able to log in and import the Power BI workspace with the Dataedo application.

Service Principal authentication type

Configure Service Principal credentials in Dataedo

To use the service principal authentication type, select Service Principal in the Authentication Type dropdown and fill in Client Id, Client Secret and Tenant Id with the proper values from your Azure Application Registration. How to create an Azure Application Registration and where to find those values is explained in the Creating Azure Application Registration section below.

Creating Azure Application Registration

To create an Azure Application Registration:

  1. Log in to the Azure Portal.
  2. In the search bar, search for App registrations and select it from the list.
  3. From the toolbar, on the App registrations page, click + New registration.
  4. On the Register page, for Name, enter a name for your client application, select the supported account types, and set Redirect URI to Public client/native with the http://localhost redirect URI.
  5. Click Register.
  6. On the homepage of your created application, from the Overview screen, copy the value of the Application (client) ID field and paste it into the Client Id field in Dataedo, then copy the Tenant Id and paste it into the Tenant Id field in Dataedo.
  7. From the left menu of your created application registration page, click Certificates & secrets.
  8. On the Certificates & secrets page, under Client secrets, click + New client secret.
  9. On the Add client secret screen, enter the description and expiry, and click Add.
  10. On the Certificates & secrets page, under Client secrets, click the clipboard icon to copy the secret and paste it into the Client secret field in Dataedo.
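
Before entering the credentials in Dataedo, you can confirm that the registration, security group and tenant settings work together. This added example (not Dataedo's code) requests a token with the client credentials flow and makes one read-only Power BI admin API call. It assumes the Azure Public cloud, and the `PBI_*` environment variable names are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"  # assumption: Azure Public cloud
SCOPE = "https://analysis.windows.net/powerbi/api/.default"
ADMIN_GROUPS = "https://api.powerbi.com/v1.0/myorg/admin/groups?$top=1"

def http(req):
    """Default transport: returns (status, parsed JSON body or {})."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:
            return err.code, {}

def check_service_principal(tenant_id, client_id, client_secret, send=http):
    """Return (ok, detail) for token acquisition plus one read-only admin call."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": SCOPE,
    }).encode()
    status, body = send(urllib.request.Request(
        f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", data=form))
    if status != 200 or "access_token" not in body:
        return False, (f"token request failed ({status}): "
                       "check Client Id, Client Secret and Tenant Id")
    status, body = send(urllib.request.Request(
        ADMIN_GROUPS, headers={"Authorization": "Bearer " + body["access_token"]}))
    if status != 200:
        return False, (f"admin API returned {status}: check security group "
                       "membership and the Service Principal tenant settings")
    return True, f"admin API reachable, {len(body.get('value', []))} workspace(s) returned"

if __name__ == "__main__":
    # The secret is read from the environment, not hard-coded in the script.
    print(check_service_principal(os.environ["PBI_TENANT_ID"],
                                  os.environ["PBI_CLIENT_ID"],
                                  os.environ["PBI_CLIENT_SECRET"]))
```

Tenant setting changes can take some time to propagate, so a failed admin call right after enabling them is worth retrying later.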