Connect to and manage a Power BI tenant in Microsoft Purview (Same Tenant)

This article outlines how to register a Power BI tenant in a same-tenant scenario, and how to authenticate and interact with the tenant in Microsoft Purview. For more information about Microsoft Purview, read the introductory article.

Note

Starting from September 18th 2023, the Power BI data source in Microsoft Purview will be renamed to Fabric in all regions. You can still use “Power BI” as the keyword to quickly locate the source to register a Power BI tenant and set up a scan. Together with the change of data source name, the Power BI Capacity and Power BI Workspace will be renamed to Fabric Capacity and Fabric Workspace accordingly. Besides the renaming related changes on UI, there are no changes to the existing functionalities and user experience for data source registration or setting up scans. All existing sources or scans for Power BI will continue to work with no changes needed and currently only Power BI items can be scanned in Fabric tenants.

Supported capabilities

Metadata Extraction	Full Scan	Incremental Scan	Scoped Scan	Classification	Labeling	Access Policy	Lineage	Data Sharing	Live view
Yes	Yes	Yes	No	No	No	No	Yes	No	No

When scanning Power BI source, Microsoft Purview supports:

• Extracting technical metadata including:

  • Workspaces
  • Dashboards
  • Reports
  • Datasets including the tables and columns
  • Dataflows
  • Datamarts

• Fetching static lineage on assets relationships among above Power BI artifacts as well as external data source assets. Learn more from Power BI lineage.

For a list of metadata available for Power BI, see our available metadata documentation.

Supported scenarios for Power BI scans

Scenarios	Microsoft Purview public access allowed/denied	Power BI public access allowed /denied	Runtime option	Authentication option	Deployment checklist
Public access with Azure IR	Allowed	Allowed	Azure Runtime	Microsoft Purview Managed Identity	Review deployment checklist
Public access with Self-hosted IR	Allowed	Allowed	Self-hosted runtime	Delegated authentication / Service principal	Review deployment checklist
Private access	Allowed	Denied	Self-hosted runtime	Delegated authentication / Service principal	Review deployment checklist
Private access	Denied	Allowed	Self-hosted runtime	Delegated authentication / Service principal	Review deployment checklist
Private access	Denied	Denied	Self-hosted runtime	Delegated authentication / Service principal	Review deployment checklist

Known limitations

• If Microsoft Purview or Power BI tenant is protected behind a private endpoint, Self-hosted runtime is the only option to scan.
• Delegated authentication and service principal are the only supported authentication options when self-hosted integration runtime is used during the scan.
• You can create only one scan for a Power BI data source that is registered in your Microsoft Purview account.
• If Power BI dataset schema isn't shown after scan, it's due to one of the current limitations with Power BI Metadata scanner.
• Empty workspaces are skipped.
• Payload is currently limited to 2MB and 800 columns when scanning an asset.

Prerequisites

Before you start, make sure you have the following prerequisites:

• An Azure account with an active subscription. Create an account for free.

• An active Microsoft Purview account.

Authentication options

• Managed Identity
• Delegated Authentication
• Service Principal

Deployment checklist

Use any of the following deployment checklists during the setup or for troubleshooting purposes, based on your scenario:

Public access with Azure IR

Scan same-tenant Power BI using Azure IR and Managed Identity in public network

1. Make sure Power BI and Microsoft Purview accounts are in the same tenant.

2. Make sure Power BI tenant ID is entered correctly during the registration.

3. Make sure your Power BI Metadata model is up to date by enabling metadata scanning.

4. From Azure portal, validate if Microsoft Purview account Network is set to public access.

5. From Power BI tenant Admin Portal, make sure Power BI tenant is configured to allow public network.

6. In Azure Active Directory tenant, create a security group.

7. From Azure Active Directory tenant, make sure Microsoft Purview account MSI is member of the new security group.

8. On the Power BI Tenant Admin portal, validate if Allow service principals to use read-only Power BI admin APIs is enabled for the new security group.

Public access with Self-hosted IR

Scan same-tenant Power BI using self-hosted IR with Delegated Authentication or Service Principal in public network

1. Make sure Power BI and Microsoft Purview accounts are in the same tenant.

2. Make sure Power BI tenant ID is entered correctly during the registration.

3. Make sure your Power BI Metadata model is up to date by enabling metadata scanning.

4. From Azure portal, validate if Microsoft Purview account Network is set to public access.

5. From Power BI tenant Admin Portal, make sure Power BI tenant is configured to allow public network.

6. Check your Azure Key Vault to make sure:

   1. There are no typos in the password or secret.
   2. Microsoft Purview Managed Identity has get/list access to secrets.

7. Review your credential to validate:

   1. Client ID matches Application (Client) ID of the app registration.
   2. Username includes the user principal name such as johndoe@contoso.com.

8. Validate App registration settings to make sure:

   1. App registration exists in your Azure Active Directory tenant.

   2. If service principal is used, under API permissions, the following delegated permissions are assigned with read for the following APIs:

      • Microsoft Graph openid
      • Microsoft Graph User.Read

   3. If delegated authentication is used, under API permissions, the following delegated permissions and grant admin consent for the tenant is set up with read for the following APIs:

      • Power BI Service Tenant.Read.All
      • Microsoft Graph openid
      • Microsoft Graph User.Read

   4. Under Authentication, Allow public client flows is enabled.

9. If delegated authentication is used, validate Power BI admin user settings to make sure:

   1. User is assigned to Power BI Administrator role.
   2. At least one Power BI license is assigned to the user.
   3. If user is recently created, sign in with the user at least once to make sure password is reset successfully and user can successfully initiate the session.
   4. There's no MFA or Conditional Access Policies are enforced on the user.

10. Validate Self-hosted runtime settings:

    1. Latest version of Self-hosted runtime is installed on the VM.

    2. Network connectivity from Self-hosted runtime to Power BI tenant is enabled. The following endpoints must be reachable from self-hosted runtime VM:

       • *.powerbi.com
       • *.analysis.windows.net

    3. Network connectivity from Self-hosted runtime to Microsoft services is enabled.

    4. JDK 8 or later is installed. Restart the machine after you newly install the JDK for it to take effect.

11. In Azure Active Directory tenant, create a security group.

12. From Azure Active Directory tenant, make sure Service Principal is member of the new security group.

13. On the Power BI Tenant Admin portal, validate if Allow service principals to use read-only Power BI admin APIs is enabled for the new security group.

Private access

Scan same-tenant Power BI using self-hosted IR with Delegated Authentication or Service Principal in a private network

1. Make sure Power BI and Microsoft Purview accounts are in the same tenant.

2. Make sure Power BI tenant ID is entered correctly during the registration.

3. Make sure your Power BI Metadata model is up to date by enabling metadata scanning.

4. Check your Azure Key Vault to make sure:

   1. There are no typos in the password.
   2. Microsoft Purview Managed Identity has get/list access to secrets.

5. Review your credential to validate:

   1. Client ID matches Application (Client) ID of the app registration.
   2. Username includes the user principal name such as johndoe@contoso.com.

6. If Delegated Authentication is used, validate Power BI admin user settings to make sure:

   1. User is assigned to Power BI Administrator role.
   2. At least one Power BI license is assigned to the user.
   3. If user is recently created, sign in with the user at least once to make sure password is reset successfully and user can successfully initiate the session.
   4. There's no MFA or Conditional Access Policies are enforced on the user.

7. Validate Self-hosted runtime settings:

   1. Latest version of Self-hosted runtime is installed on the VM.
   2. JDK 8 or later is installed. Restart the machine after you newly install the JDK for it to take effect.

8. Validate App registration settings to make sure:

   1. App registration exists in your Azure Active Directory tenant.

   2. If service principal is used, under API permissions, the following delegated permissions are assigned with read for the following APIs:

      • Microsoft Graph openid
      • Microsoft Graph User.Read

   3. If delegated authentication is used, under API permissions, the following delegated permissions and grant admin consent for the tenant is set up with read for the following APIs:

      • Power BI Service Tenant.Read.All
      • Microsoft Graph openid
      • Microsoft Graph User.Read

   4. Under Authentication, Allow public client flows is enabled.

9. Review network configuration and validate if:

   1. If your Power BI doesn't allow public access, make sure private endpoint for Power BI tenant is deployed.

   2. All required private endpoints for Microsoft Purview are deployed.

   3. Network connectivity from Self-hosted runtime to Power BI tenant is enabled. The following endpoints must be reachable from self-hosted runtime VM:

      • *.powerbi.com
      • *.analysis.windows.net

   4. Network connectivity from Self-hosted runtime to Microsoft services is enabled through private network.

10. In Azure Active Directory tenant, create a security group.

11. From Azure Active Directory tenant, make sure Service Principal is member of the new security group.

12. On the Power BI Tenant Admin portal, validate if Allow service principals to use read-only Power BI admin APIs is enabled for the new security group.

Register Power BI tenant

This section describes how to register a Power BI tenant in Microsoft Purview for same-tenant scenario.

1. Select the Data Map on the left navigation.

2. Then select Register.

   Select Power BI as your data source.

   

3. Give your Power BI instance a friendly name.

   

   The name must be between 3-63 characters long and must contain only letters, numbers, underscores, and hyphens. Spaces aren't allowed.

   By default, the system will find the Power BI tenant that exists in the same Azure Active Directory tenant.

   

Scan same-tenant Power BI

Tip

To troubleshoot any issues with scanning:

1. Confirm you have completed the deployment checklist for your scenario.
2. Review our scan troubleshooting documentation.

Authenticate to Power BI tenant

In Azure Active Directory Tenant, where Power BI tenant is located:

1. In the Azure portal, search for Azure Active Directory.

2. Create a new security group in your Azure Active Directory, by following Create a basic group and add members using Azure Active Directory.

   Tip

   You can skip this step if you already have a security group you want to use.

3. Select Security as the Group Type.

   

4. Add relevant user to the security group:

   • If you are using Managed Identity as authentication method, add your Microsoft Purview managed identity to this security group. Select Members, then select + Add members.

     

   • If you are using delegated authentication or service principal as authentication method, add your service principal to this security group. Select Members, then select + Add members.

5. Search for your Microsoft Purview managed identity or service principal and select it.

   

   You should see a success notification showing you that it was added.

   

Associate the security group with Power BI tenant

1. Log into the Power BI admin portal.

2. Select the Tenant settings page.

   Important

   You need to be a Power BI Admin to see the tenant settings page.

3. Select Admin API settings > Allow service principals to use read-only Power BI admin APIs (Preview).

4. Select Specific security groups.

   

5. Select Admin API settings > Enhance admin APIs responses with detailed metadata and Enhance admin APIs responses with DAX and mashup expressions > Enable the toggle to allow Microsoft Purview Data Map automatically discover the detailed metadata of Power BI datasets as part of its scans.

   Important

   After you update the Admin API settings on your power bi tenant, wait around 15 minutes before registering a scan and test connection.

   

   Caution

   When you allow the security group you created (that has your Microsoft Purview managed identity as a member) to use read-only Power BI admin APIs, you also allow it to access the metadata (e.g. dashboard and report names, owners, descriptions, etc.) for all of your Power BI artifacts in this tenant. Once the metadata has been pulled into the Microsoft Purview, Microsoft Purview's permissions, not Power BI permissions, determine who can see that metadata.

   Note

   You can remove the security group from your developer settings, but the metadata previously extracted won't be removed from the Microsoft Purview account. You can delete it separately, if you wish.

Create scan for same-tenant Power BI using Azure IR and Managed Identity

This is a suitable scenario, if both Microsoft Purview and Power BI tenant are configured to allow public access in the network settings.

To create and run a new scan, do the following:

1. In the Microsoft Purview Studio, navigate to the Data map in the left menu.

2. Navigate to Sources.

3. Select the registered Power BI source.

4. Select + New scan.

5. Give your scan a name. Then select the option to include or exclude the personal workspaces.

   

   Note

   Switching the configuration of a scan to include or exclude a personal workspace will trigger a full scan of Power BI source.

6. Select Test Connection before continuing to next steps. If Test Connection failed, select View Report to see the detailed status and troubleshoot the problem.

   1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required.
   2. Assets (+ lineage) - Failed status means the Microsoft Purview - Power BI authorization has failed. Make sure the Microsoft Purview managed identity is added to the security group associated in Power BI admin portal.
   3. Detailed metadata (Enhanced) - Failed status means the Power BI admin portal is disabled for the following setting - Enhance admin APIs responses with detailed metadata

   

7. Set up a scan trigger. Your options are Recurring, and Once.

   

8. On Review new scan, select Save and run to launch your scan.

   

Create scan for same-tenant using self-hosted IR with service principal

This scenario can be used when Microsoft Purview and Power BI tenant or both, are configured to use private endpoint and deny public access. Additionally, this option is also applicable if Microsoft Purview and Power BI tenant are configured to allow public access.

For more information related to Power BI network, see How to configure private endpoints for accessing Power BI.

For more information about Microsoft Purview network settings, see Use private endpoints for your Microsoft Purview account.

To create and run a new scan, do the following:

1. In the Azure portal, select Azure Active Directory and create an App Registration in the tenant. Provide a web URL in the Redirect URI. For information about the Redirect URI see this documentation from Azure Active Directory.

   

2. Take note of Client ID(App ID).

   

3. From Azure Active Directory dashboard, select newly created application and then select App registration. From API Permissions, assign the application the following delegated permissions:

   • Microsoft Graph openid
   • Microsoft Graph User.Read

   

4. Under Advanced settings, enable Allow Public client flows.

5. Under Certificates & secrets, create a new secret and save it securely for next steps.

6. In Azure portal, navigate to your Azure key vault.

7. Select Settings > Secrets and select + Generate/Import.

   

8. Enter a name for the secret and for Value, type the newly created secret for the App registration. Select Create to complete.

   

9. If your key vault isn't connected to Microsoft Purview yet, you'll need to create a new key vault connection

10. In the Microsoft Purview Studio, navigate to the Data map in the left menu.

11. Navigate to Sources.

12. Select the registered Power BI source.

13. Select + New scan.

14. Give your scan a name. Then select the option to include or exclude the personal workspaces.

    Note

    Switching the configuration of a scan to include or exclude a personal workspace will trigger a full scan of Power BI source.

15. Select your self-hosted integration runtime from the drop-down list.

    

16. For the Credential, select service principal and select + New to create a new credential.

17. Create a new credential and provide required parameters:

    • Name: Provide a unique name for credential
    • Authentication method: Service principal
    • Tenant ID: Your Power BI tenant ID
    • Client ID: Use Service Principal Client ID (App ID) you created earlier

    

18. Select Test Connection before continuing to next steps. If Test Connection failed, select View Report to see the detailed status and troubleshoot the problem

    1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required.
    2. Assets (+ lineage) - Failed status means the Microsoft Purview - Power BI authorization has failed. Make sure the Microsoft Purview managed identity is added to the security group associated in Power BI admin portal.
    3. Detailed metadata (Enhanced) - Failed status means the Power BI admin portal is disabled for the following setting - Enhance admin APIs responses with detailed metadata

    

19. Set up a scan trigger. Your options are Recurring, and Once.

    

20. On Review new scan, select Save and run to launch your scan.

Create scan for same-tenant using self-hosted IR with delegated authentication

This scenario can be used when Microsoft Purview and Power BI tenant or both, are configured to use private endpoint and deny public access. Additionally, this option is also applicable if Microsoft Purview and Power BI tenant are configured to allow public access.

For more information related to Power BI network, see How to configure private endpoints for accessing Power BI.

For more information about Microsoft Purview network settings, see Use private endpoints for your Microsoft Purview account.

To create and run a new scan, do the following:

1. Create a user account in Azure Active Directory tenant and assign the user to Azure Active Directory role, Power BI Administrator. Take note of username and sign in to change the password.

2. Assign proper Power BI license to the user.

3. Navigate to your Azure key vault.

4. Select Settings > Secrets and select + Generate/Import.

   

5. Enter a name for the secret and for Value, type the newly created password for the Azure AD user. Select Create to complete.

   

6. If your key vault isn't connected to Microsoft Purview yet, you'll need to create a new key vault connection

7. Create an App Registration in your Azure Active Directory tenant. Provide a web URL in the Redirect URI.

   

8. Take note of Client ID(App ID).

   

9. From Azure Active Directory dashboard, select newly created application and then select App registration. Assign the application the following delegated permissions, and grant admin consent for the tenant:

   • Power BI Service Tenant.Read.All
   • Microsoft Graph openid
   • Microsoft Graph User.Read

   

10. Under Advanced settings, enable Allow Public client flows.

11. In the Microsoft Purview Studio, navigate to the Data map in the left menu.

12. Navigate to Sources.

13. Select the registered Power BI source.

14. Select + New scan.

15. Give your scan a name. Then select the option to include or exclude the personal workspaces.

    Note

    Switching the configuration of a scan to include or exclude a personal workspace will trigger a full scan of Power BI source.

16. Select your self-hosted integration runtime from the drop-down list.

    

17. For the Credential, select Delegated authentication and select + New to create a new credential.

18. Create a new credential and provide required parameters:

    • Name: Provide a unique name for credential
    • Authentication method: Delegated auth
    • Client ID: Use Service Principal Client ID (App ID) you created earlier
    • User name: Provide the username of Power BI Administrator you created earlier
    • Password: Select the appropriate Key vault connection and the Secret name where the Power BI account password was saved earlier.

    

19. Select Test Connection before continuing to next steps. If Test Connection failed, select View Report to see the detailed status and troubleshoot the problem

    1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required.
    2. Assets (+ lineage) - Failed status means the Microsoft Purview - Power BI authorization has failed. Make sure the Microsoft Purview managed identity is added to the security group associated in Power BI admin portal.
    3. Detailed metadata (Enhanced) - Failed status means the Power BI admin portal is disabled for the following setting - Enhance admin APIs responses with detailed metadata

    

20. Set up a scan trigger. Your options are Recurring, and Once.

    

21. On Review new scan, select Save and run to launch your scan.

    

Next steps

Now that you've registered your source, follow the below guides to learn more about Microsoft Purview and your data.

• Data Estate Insights in Microsoft Purview
• Lineage in Microsoft Purview
• Search Data Catalog