Skip to main content

Power BI Service Principal

Administrator

A Power BI Service Principal is an identity created in Microsoft Entra ID (Azure AD) that allows DataCentral to authenticate and interact with the Power BI Service programmatically, without requiring a user's personal credentials.

This is a critical component for "App Owns Data" embedding. It enables DataCentral to display reports to users who do not have their own Power BI Pro licenses (such as User Pass or Mobile ID users).

1. Why Use a Service Principal?

  • License Pooling: Instead of purchasing a Power BI Pro license for every external partner or customer, you can use a single Service Principal to generate embed tokens for all of them.
  • Security: It eliminates the need to store a "master user" password (which is against Microsoft's terms of service and prone to MFA issues).
  • Automation: It allows DataCentral to manage workspaces, import items, and trigger data refreshes automatically.

2. Setting Up the Service Principal

Setting up a Service Principal involves creating an App Registration in Azure and then granting that application access to your Power BI tenant.

Step 1: Create an App Registration in Entra ID

  1. Log in to the Microsoft Entra admin center.
  2. Navigate to Identity > Applications > App registrations.
  3. Click New registration.
  4. Name the application (e.g., DataCentral Power BI Access).
  5. Select Accounts in this organizational directory only (Single tenant).
  6. Click Register.

Step 2: Create a Client Secret

  1. In your new App Registration, go to Certificates & secrets.
  2. Click New client secret.
  3. Add a description and select an expiration period.
  4. Click Add.
  5. Copy the Value of the secret immediately. You will need this later.

Step 3: Create a Security Group

Power BI requires Service Principals to be members of a Security Group to use the APIs.

  1. In the Entra admin center, go to Groups.
  2. Click New group.
  3. Set the Group type to Security.
  4. Name the group (e.g., Power BI Service Principals).
  5. Click No owners selected and add yourself as an owner.
  6. Click No members selected and search for the App Registration you created in Step 1 (DataCentral Power BI Access). Add it as a member.
  7. Click Create.

3. Configuring Power BI

Now you must tell Power BI to trust the Security Group you just created.

Step 1: Enable Service Principals in the Power BI Admin Portal

  1. Log in to Power BI as a Power BI Administrator.
  2. Click the gear icon (Settings) and select Admin portal.
  3. Go to Tenant settings.
  4. Scroll down to Developer settings and expand Allow service principals to use Power BI APIs.
  5. Enable the setting.
  6. Select Specific security groups and add the group you created earlier (Power BI Service Principals).
  7. Click Apply.

Step 2: Grant Workspace Access

For DataCentral to see your reports, the Service Principal must be an Admin or Member of the workspace where the reports reside.

  1. In Power BI, go to the workspace you want to share.
  2. Click Manage access.
  3. Click Add people or groups.
  4. Search for your App Registration name (DataCentral Power BI Access).
  5. Grant it Member or Admin permissions.
  6. Click Add.

4. Configuring DataCentral

Finally, provide the Service Principal credentials to DataCentral.

  1. Log in to your DataCentral Tenant as an Administrator.
  2. Navigate to Administration > Settings > Azure.
  3. Locate the Power BI Service Principal section.
  4. Enter the following details from your Azure App Registration (Step 1):
    • Tenant ID
    • Client ID (Application ID)
    • Client Secret (The value you copied in Step 2)
  5. Click Save.

DataCentral is now authorized to securely access and embed reports from your Power BI workspaces.