Power BI

Power BI is a visualisation tool that is provided as part of the Microsoft Fabric suite of data products.

Authentication

To authenticate Orchestra to PowerBI, you need to create a Microsoft Entra Application and grant it the required permissions within the Azure Portal. The relevant admin settings in Power BI also need to be enabled.

Prerequisites to connect PowerBI:

  • admin permissions within your PowerBI and Azure account

  • a Power BI workspace (My Workspace isn't supported)

Instructions

Create Service Principal / Entra Application

  1. Head to Microsoft Entra and to Enterprise Applications. Create a new application.

  2. Head to Permissions and select the hyperlinked, "app registration". This will take you to a page where you can grant the application the permissions it needs in Power BI

  3. The permissions you need to add are Application Permissions Tenant.Read.All and Tenant.ReadWrite.All - this is because when Orchestra authenticates to Power BI, it does so without a signed-in user

  4. Ensure the Application has been granted consent for default directory

  5. Finally, Head back to Entra and Create a new Group. The type should be security.

  6. From the Application, Select "Users and Groups" and assign the group you just created to the user

    This might seem like overkill, but Power BI grants access of its API to Security Groups. This means that the Application has to be part of a Security Group, so it can access Power BI.

  7. There is a quirk in Azure where even if resource A has been granted to B, B needs to be granted to A as well. Although you've added the Group as a Group to the Application, the Service Principal still needs to be added to the Group as a Member

  8. Finally, you can now create a client secret. Note this down.

Authorise in Power BI

  1. Head over to the relevant workspace in Power BI. Make a note of the Workspace ID and Add the Application from the first part to the Application as an admin

  2. Next, head to the Admin Portal

  1. Ensure the following are enabled

    1. Embed content in Apps

    2. Service Principals can use Fabric APIs

Phew! That was a lot. In summary, we have:

  • Created a Microsoft Entra App

  • Added the Tenant.read.all and the Tenant.ReadWRite.all permissions

  • Ensure Grant Admin Consent for Default Directory is selected

  • Create a Microsoft Entra security group

    • Add the Entra App as a member to the group, and add the group as a group to the Application

  • Create a client secret for the App

  • Add the service principal to the Power BI workspace

  • Enabled Embed content in Apps

  • Added the Security Group to the Developer Settings in Power BI.

Recreate the request!

If you can do the following, you'll know you're set up correctly.

Fetch a token from Azure

First request

```python
import requests

url = "https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token"

payload = 'client_id={clientid}&client_secret={client_secret}&grant_type=client_credentials&scope=https%3A%2F%2Fanalysis.windows.net%2Fpowerbi%2Fapi%2F.default'
headers = {
  'Content-Type': 'application/x-www-form-urlencoded',
  'Cookie': 'fpc=AjPZE_4LtqNFu22KLNIbcFWUuym3AgAAAL0hpt0OAAAAR7tv7wEAAAD1IabdDgAAAA; stsservicecookie=estsfd; x-ms-gateway-slice=estsfd'
}

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text)

```

Response

```json
{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "{token}"
    }
```

Next request - test you can connect to the Power BI API

```python
import requests

url = "https://api.powerbi.com/v1.0/myorg/groups/{workspace_id}/datasets"

payload = {}
headers = {
  'Authorization': 'Bearer {token}'
  }

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text)

```

If this endpoint returns a JSON response and a 200 status code, congrats! You're ready to get set-up in Orchestra.

Variable Names

Microsoft has renamed some variables recently so to clear up any confusion please use this list to help:

  • Microsoft Entra = Active Directory

  • Dataset = Semantic Model

  • Group = Workspace

Your Workspace ID can be found by navigating to your workspace in the Power BI app and copying the id in the URL after /groups. It should be a 36 character UUID.

PreviousProject runNextDataset Refresh

Last updated