How to refresh powerBI XMLA endpoint dataset using with system managed Identity?

Question

How to refresh powerBI XMLA endpoint dataset using with system managed Identity?

Nikunj Patel 61

In azure automation account we used below powershell script to refresh powerbi dataset using run as account. but now Microsoft retired this feature and we need to migrate using system identity. Can anyone help us how we can migrate below code using system identity to refresh powerbi dataset?

$servicePrincipalConnection = Get-AutomationConnection -Name "runasAccount" 
Invoke-ProcessASDatabase -ServicePrincipal -ApplicationId $ServicePrincipalConnection.ApplicationId -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint -TenantId $ServicePrincipalConnection.TenantId `
                                        -server $pbiInstanceName `
                                        -DatabaseName $pbiModelName `
                                        -RefreshType DataOnly `

VasimTamboli 5,215 Reputation points

2023-06-04T13:08:00.5766667+00:00

To refresh a Power BI dataset using the system-assigned managed identity of an Azure resource, you can follow these steps:

Enable system-assigned managed identity for the Azure resource (e.g., Azure VM, Azure Function, or Azure App Service) that will run the PowerShell script to refresh the Power BI dataset. This can usually be done through the Azure portal by navigating to the resource's Identity settings.

Grant the necessary permissions to the managed identity. You need to assign the "Contributor" role or specific Power BI roles to the managed identity on the Power BI dataset or workspace. This can be done in the Power BI portal or using the Power BI REST API.

Modify your PowerShell script to use the system-assigned managed identity. Replace the code related to the run as account with the code to authenticate using the managed identity.

Here's an example of how you can modify the script:

$tokenProvider = New-Object Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider

$accessToken = $tokenProvider.GetAccessTokenAsync("https://analysis.windows.net/powerbi/api").GetAwaiter().GetResult()

Invoke-ProcessASDatabase -AccessToken $accessToken -server $pbiInstanceName -DatabaseName $pbiModelName -RefreshType DataOnly

In the modified script, we are using the Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider class to obtain an access token for the Power BI API using the managed identity. The GetAccessTokenAsync method is called with the resource URI "https://analysis.windows.net/powerbi/api", which is the API endpoint for Power BI XMLA.

Make sure to replace $pbiInstanceName and $pbiModelName with the appropriate values for your Power BI dataset.

By using the system-assigned managed identity, you don't need to rely on the retired "run as account" feature in Azure Automation. The Azure resource will automatically authenticate using its system-assigned managed identity to refresh the Power BI dataset.

Remember to grant the necessary permissions to the managed identity on the Power BI dataset or workspace before running the script.
Nikunj Patel 61 Reputation points

2023-06-06T20:52:30.8633333+00:00

Thank you @VasimTamboli for your answer.

Let me just validate and let you know . Thank you once again
Nikunj Patel 61 Reputation points

2023-06-06T20:59:24.56+00:00

Getting following error in automation account while run this line New-Object Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider

Could not execute. Error Message was: Cannot find type [Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider]: verify that the assembly containing this type is loaded.

I used Az.Account module version 2.5.3
Nikunj Patel 61 Reputation points

2023-06-07T20:36:31.94+00:00

Can you please help us @VasimTamboli to fix above error asap?
AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-06-21T05:47:14.2766667+00:00

@Nikunj Patel , Following-up to check if you had a chance to review my answer. If the answer did not help, please add more context/follow-up question for it, and we will help you out.

1 answer

Your answer

Nikunj Patel 61 Reputation points

2023-06-06T20:52:30.8633333+00:00

Thank you @VasimTamboli for your answer.

Let me just validate and let you know . Thank you once again
Nikunj Patel 61 Reputation points

2023-06-06T20:59:24.56+00:00

Getting following error in automation account while run this line New-Object Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider

Could not execute. Error Message was: Cannot find type [Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider]: verify that the assembly containing this type is loaded.

I used Az.Account module version 2.5.3
Nikunj Patel 61 Reputation points

2023-06-07T20:36:31.94+00:00

Can you please help us @VasimTamboli to fix above error asap?
AnuragSingh-MSFT 21,546 Reputation points Moderator

2023-06-21T05:47:14.2766667+00:00

@Nikunj Patel , Following-up to check if you had a chance to review my answer. If the answer did not help, please add more context/follow-up question for it, and we will help you out.

Answer 1

@Nikunj Patel , apologies for the delayed response. Please find below information related to this migration based on your use case.

Note that "Azure Managed Identity" can only be used in Azure and for Azure resource, i.e., if you are trying to use managed identity against resources in Azure, Managed Identity can help you. However, if you are planning to authenticate against resources which are not in Azure or not in same Azure tenant, managed identity would not work. For details, see managed identity to access a resource in a different directory/tenant.
For your specific requirement, where you used "RunAs Account" as auth mechanism to PowerBI services, managed identity might not be a better choice. The suggestion as provided above by Vasim uses "Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider" which is available as a .NET library (and not PowerShell module). Therefore, it might work locally on your machine but not in Azure Automation account where you do not have access to the installed .NET dlls and everything has to be PS module. For it to work, you would have to follow the steps as mentioned here - Get a token using PowerShell. This method uses the REST API method to get the token.
For your scenario, an easier approach would be to use Azure Automation Connections. These are available under "Shared Resources" for Azure Automation (along with credentials, certificates and variables etc.) You can create a connection of Type "AzureServicePrincipal" which closely resembles the RunAs Account.
Using this method, you do not have to change much in the code and only the -Name "runasAccount" will change with the new ConnectionName.

To beging with, you would have to create

Create an Azure Active Directory application and service principal that can access resources. As you are already using certificate based auth with RunAs, use that method when creating Service Principal.
Make sure that you have assigned the required access to this new service principal in the PowerBI workspace/dataset.
Create connection in Azure Automation Account under "Shared Resource --> Connection" and give it a new name.
Update the first line in your code with the name of the new connection.

You could also use the script available below to create the Connection automatically with a new self-signed certificate - https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/Create-RunAsAccount-Updated.ps1 - The permission assignment will still need to be done.

Hope this helps.

Share via

How to refresh powerBI XMLA endpoint dataset using with system managed Identity?

1 answer

Your answer