Редактиране

Споделяне чрез


Microsoft Entra ID application setup

To use the Authentication API, the ISV must first register an application in Microsoft Entra ID for each cloud to be supported, and preauthorize the Power BI applications with a dedicated scope for each visual. The tenant administrator then needs to grant consent. This article outlines all of these essential steps.

The Authentication API is supported in the following clouds:

  • COM (Required) - Commercial Cloud
  • CN - China Cloud
  • GCC - US Government Community Cloud
  • GCCHIGH - US Government Community Cloud High
  • DOD - US Department of Defense Cloud

Register the app in Microsoft Entra ID

For each cloud the visual is intended to support, follow these steps:

  1. Navigate to the respective Azure portal and go to App registrations.

  2. Select + New Registration

    Screenshot of Microsoft Entra app new registration UI.

  3. On the Register an application page, do the following:

    1. Enter your desired application name in the Name section.
    2. Select Accounts in any organizational directory (Any Azure AD directory - Multitenant) in the Supported account types section.
    3. Select Register.

    Screenshot of the Register an app page of the Microsoft Entra ID registration app.

  4. Once your application is successfully registered, select Expose an API on the left side menu.

    Screenshot of the Expose an API page of the Microsoft Entra ID registration app.

  5. In the Application ID URI field, select Add.

    Screenshot of the Expose an API page with the option to add an application ID URI.

  6. In the Edit Application ID URI field, enter your Verified Custom Domain, ensuring that it begins with "https://" and doesn't contain "onmicrosoft.com", and select Save.

    To add a custom domain:

    1. Navigate to Microsoft Entra ID Custom domain names.
    2. Add your custom domain.

    Screenshot of the Expose an API page with the Edit application ID URI page open.

    Note

    The application URI can be manually added to the application manifest under the “identifierUris” array.

    Screenshot showing an example of code for adding an application URI.

  7. Select + Add a scope.

  8. In the Scope name field, enter <visual_guid>_CV_ForPBI and add the required information. Fill in the Admin consent fields. Then select Add scope button. (There's a 40 characters scope length limitation, but you can manually modify the scope name in the registered application manifest to manage this limitation).

    Screenshot of the edit a scope window with fields for scope name and other information.

  9. To preauthorize Power BI applications:

    1. Select + Add a client application.

      Screenshot of the edit a scope window with fields for adding a client application.

    2. Enter the Power BI WFE application appId in the Client ID field of the right-hand window.

      • COM (required) and CN: "871c010f-5e61-4fb1-83ac-98610a7e9110".
      • GCC, GCCHIGH, and DOD: “ec04d7d8-0476-4acd-bce4-81f438363d37".
    3. Select your desired scope.

    4. Select Add application.

      Screenshot showing the UI to add a client application.

    5. Repeat this process with:

      • Power BI Desktop:

        • COM (required) and CN: "7f67af8a-fedc-4b08-8b4e-37c4d127b6cf".
        • GCC, GCCHIGH, and DOD: “6807062e-abc9-480a-ae93-9f7deee6b470".
      • Power BI Mobile:

        • COM (required) and CN: "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12".
        • GCC, GCCHIGH and DOD: “ce76e270-35f5-4bea-94ff-eab975103dc6".

The tenant administrator can determine whether or not users are allowed to consent for themselves. This consent process takes place outside of Power BI.

ISV backend application (for example, https://contoso.com) should be consented to Graph API and other dependencies (by users or tenant administrators) according to standard AAD rules:

If the ISV application is running on a different tenant than the visual consumer's tenant, grant consent for the ISV's application in one of the following ways:

  • Administrator preconsent:

    Follow the instructions in Grant tenant-wide admin consent to an application. Replace the tenant-wide admin consent URL with the respective link for each cloud:

    • COM and GCC: https://login.microsoftonline.com/{organization}/adminconsent?client_id={clientId}
    • CN: https://login.partner.microsoftonline.cn/{organization}/adminconsent?client_id={clientId}
    • GCCHIGH and DOD: https://login.microsoftonline.us/{organization}/adminconsent?client_id={clientId}
  • Interactive consent:

    If the tenant administrator didn't preconsent, any user that uses a visual that triggers the API receives a one-time consent prompt when rendering the visual. See Application consent experience for more information.