Microsoft Entra ID application setup

To use the Authentication API, the ISV must first register an application in Microsoft Entra ID for each cloud to be supported, and preauthorize the Power BI applications with a dedicated scope for each visual. The tenant administrator then needs to grant consent. This article outlines all of these essential steps.

The Authentication API is supported in the following clouds:

• COM (Required) - Commercial Cloud
• CN - China Cloud
• GCC - US Government Community Cloud
• GCCHIGH - US Government Community Cloud High
• DOD - US Department of Defense Cloud

Register the app in Microsoft Entra ID

For each cloud intended to be supported by the visual, follow the steps outlined below:

1. Navigate to the respective Azure portal and go to App registrations.

   • COM (required) and GCC
   • CN
   • GCCHIGH and DOD

2. Select + New Registration

   

3. On the Register an application page, do the following:

   1. Enter your desired application name in the Name section.
   2. Select Accounts in any organizational directory (Any Azure AD directory - Multitenant) in the Supported account types section.
   3. Select Register.

   

4. Once your application is successfully registered, select Expose an API on the left side menu.

   

5. In the Application ID URI field, select Add.

   

6. In the Edit Application ID URI field, enter your Verified Custom Domain, ensuring that it begins with "https://" and does not contain "onmicrosoft.com", and select Save.

   To add a custom domain:

   1. Navigate to Microsoft Entra ID Custom domain names.
   2. Add your custom domain.

   

   Note

   The application URI can be manually added to the application manifest under the “identifierUris” array.

   

7. Select + Add a scope.

8. In the Scope name field, enter <visual_guid>_CV_ForPBI and add the required information. Fill in the Admin consent fields. Then select Add scope button. (There's a 40 characters scope length limitation, but you can manually modify the scope name in the registered application manifest to manage this limitation).

   

9. To pre-authorize Power BI applications:

   1. Select + Add a client application.

      

   2. Enter the Power BI WFE application appId "871c010f-5e61-4fb1-83ac-98610a7e9110" in the Client ID field of the right-hand window.

   3. Select your desired scope.

   4. Select Add application.

      

   5. Repeat this process with:

      • Power BI Desktop: "7f67af8a-fedc-4b08-8b4e-37c4d127b6cf".

      • Power BI Mobile:

        • COM (required) and CN: "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12".
        • GCC, GCCHIGH and DOD: “ce76e270-35f5-4bea-94ff-eab975103dc6".

ISV consent

The tenant administrator can determine whether or not users are allowed to consent for themselves. This consent process takes place outside of Power BI.

ISV backend application (for example, https://contoso.com) should be consented to Graph API and other dependencies (by users or tenant administrators) according to standard AAD rules:

If the ISV application is running on a different tenant than the visual consumer's tenant, grant consent for the ISV's application in one of the following ways:

• Administrator preconsent:

  Follow the instructions in Grant tenant-wide admin consent to an application. Replace the tenant-wide admin consent URL with the respective link for each cloud:

  • COM and GCC: https://login.microsoftonline.com/{organization}/adminconsent?client_id={clientId}
  • CN: https://login.partner.microsoftonline.cn/{organization}/adminconsent?client_id={clientId}
  • GCCHIGH and DOD: https://login.microsoftonline.us/{organization}/adminconsent?client_id={clientId}

• Interactive consent:

  If the tenant administrator didn't preconsent, any user that uses a visual that triggers the API receives a one-time consent prompt when rendering the visual. See Application consent experience for more information.

Related content

• Authentication API