Power BI with Service Principal

- Premium App

Step 1 – Create a Microsoft Entra app in the Azure portal
Step 2 – Enable the Power BI service admin settings
Step 3 – Add the service principal to your workspace
Step 4 – Set up a Power Bi with Service Principal in the Portal

For companies with strict information security protocols, integrating Power BI through a service principal with app registration is a more favorable approach than using individual user accounts. This method addresses several challenges that often arise in user-based integrations.

For instance, when an employee’s role or permissions change, another user typically must re-authenticate, leading to potential disruptions. Similarly, with individual accounts, authentication tokens usually expire after a short period, forcing re-authorization and token refreshes every few months, which can be inconvenient.

By adopting a service principal, the authentication tokens are linked to a registered application rather than a user, which extends their validity and reduces the frequency of re-authorization.

Premium App

This is a Premium App; you must be on the Premium Plan to use it!

Step 1 – Create a Microsoft Entra app in the Azure portal

You need to purchase a Power Bi embedded or premium capacity to use this app without limitations. Learn more

Sign in to the Azure portal.
Search for and select App registrations.

Select New registration.

Fill out the Name for your application and leave the other information as is. These options can change whenever you wish in the future.

Select Register.
After you register your app, the Application ID and Tenant ID are available from the Overview tab. Copy and save them for later use.

Select Certificates & secrets.
Select New client secret.

In the Add a client secret window, enter a description, specify when you want the client secret to expire, and select Add

Copy and save the client secret value.

After you leave this window, the client secret value is hidden, and you can’t view or copy it again.

Step 2 – Enable the Power BI service admin settings

Power BI admin rights are required to enable service principal in developer settings within the Power BI Admin portal..

For a Microsoft Entra app to access the Power BI content and APIs, a Power BI admin needs to enable the following settings:

Embed content in apps
Allow service principals to use Power BI APIs

In the Power BI Admin portal, go to Tenant settings and scroll down to Developer settings.

Enable Embed content in apps for (*) the entire organization.

Enable Allow service principals to use Power BI APIs for (*) the entire organization.

Service principals have access to any tenant settings they’re enabled for. Depending on your admin settings, this includes specific security groups or the entire organization. In this example, we have applied the admin settings to the entire organization.

To restrict service principal access to specific tenant settings, allow access only to specific security groups. Alternatively, you can create a dedicated security group for service principals, and exclude it from the desired tenant settings.

Step 3 – Add the service principal to your workspace

My Workspace isn’t supported when using service principal.

In the Power BI service, scroll to the workspace you want to enable access to. From its More menu, select Workspace access.

In the Access pane, click the Add people or groups button.

You can add one of the following:
- (We use this in our example) Your service principal. The name of your service principal is the Display name of your Microsoft Entra app, as it appears in your Microsoft Entra app’s overview tab.
- The security group that includes your service principal.