Microsoft Entra ID application setup
To use the Authentication API, the ISV must first register an application in Microsoft Entra ID for each cloud to be supported, and preauthorize the Power BI applications with a dedicated scope for each visual. The tenant administrator then needs to grant consent. This article outlines all of these essential steps.
The Authentication API is supported in the following clouds:
- COM (Required) - Commercial Cloud
- CN - China Cloud
- GCC - US Government Community Cloud
- GCCHIGH - US Government Community Cloud High
- DOD - US Department of Defense Cloud
Register the app in Microsoft Entra ID
For each cloud the visual is intended to support, follow these steps:
Navigate to the respective Azure portal and go to App registrations.
Select + New Registration.
On the Register an application page, do the following:
- Enter your desired application name in the Name section.
- Select Accounts in any organizational directory (Any Azure AD directory - Multitenant) in the Supported account types section.
- Select Register.
Once your application is successfully registered, select Expose an API on the left side menu.
In the Application ID URI field, select Add.
In the Edit Application ID URI field, enter your Verified Custom Domain, ensuring that it begins with "https://" and doesn't contain "onmicrosoft.com", and select Save.
To add a custom domain:
- Navigate to Microsoft Entra ID Custom domain names.
- Add your custom domain.
Note
The application URI can be manually added to the application manifest under the “identifierUris” array.
Select + Add a scope.
In the Scope name field, enter <visual_guid>_CV_ForPBI and add the required information. Fill in the Admin consent fields, then select the Add scope button. (Scope names are limited to 40 characters, but you can manually modify the scope name in the registered application manifest to manage this limitation.)
To preauthorize Power BI applications:
Select + Add a client application.
Enter the Power BI WFE application appId in the Client ID field of the right-hand window.
- COM (required) and CN: "871c010f-5e61-4fb1-83ac-98610a7e9110".
- GCC, GCCHIGH, and DOD: "ec04d7d8-0476-4acd-bce4-81f438363d37".
Select your desired scope.
Select Add application.
Repeat this process with:
Power BI Desktop:
- COM (required) and CN: "7f67af8a-fedc-4b08-8b4e-37c4d127b6cf".
- GCC, GCCHIGH, and DOD: "6807062e-abc9-480a-ae93-9f7deee6b470".
Power BI Mobile:
- COM (required) and CN: "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12".
- GCC, GCCHIGH, and DOD: "ce76e270-35f5-4bea-94ff-eab975103dc6".
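The following added example (not part of the original article or any Microsoft tooling) audits an exported application object against the steps above: the Application ID URI rules, the <visual_guid>_CV_ForPBI scope, and the list of clients preauthorized for that scope. It assumes the Microsoft Graph application JSON shape (identifierUris, api.oauth2PermissionScopes, api.preAuthorizedApplications); the function name, the sample visual GUID, the scope id, and the extra client id are constructed for illustration.

```python
# Expected Power BI client appIds (WFE, Desktop, Mobile), copied from the lists above.
COM_CN = {"871c010f-5e61-4fb1-83ac-98610a7e9110", "7f67af8a-fedc-4b08-8b4e-37c4d127b6cf",
          "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12"}
GOV = {"ec04d7d8-0476-4acd-bce4-81f438363d37", "6807062e-abc9-480a-ae93-9f7deee6b470",
       "ce76e270-35f5-4bea-94ff-eab975103dc6"}
EXPECTED = {"COM": COM_CN, "CN": COM_CN, "GCC": GOV, "GCCHIGH": GOV, "DOD": GOV}


def audit_registration(app, cloud, visual_guid):
    """Return findings for one application object (Graph JSON shape, assumed)."""
    findings = []
    uris = app.get("identifierUris", [])
    if not uris:
        findings.append("no Application ID URI set")
    for uri in uris:
        if not uri.lower().startswith("https://"):
            findings.append(f"URI does not begin with https://: {uri}")
        if "onmicrosoft.com" in uri.lower():
            findings.append(f"URI contains onmicrosoft.com: {uri}")
    api = app.get("api", {})
    scope_name = f"{visual_guid}_CV_ForPBI"
    # Ids of the exposed scope(s) carrying the per-visual name.
    scope_ids = {s["id"] for s in api.get("oauth2PermissionScopes", [])
                 if s.get("value") == scope_name}
    if not scope_ids:
        return findings + [f"scope {scope_name} is not exposed"]
    # Clients that skip the consent prompt for this scope.
    granted = {p["appId"].lower() for p in api.get("preAuthorizedApplications", [])
               if scope_ids & set(p.get("delegatedPermissionIds", []))}
    for app_id in sorted(EXPECTED[cloud] - granted):
        findings.append(f"Power BI client not preauthorized: {app_id}")
    for app_id in sorted(granted - EXPECTED[cloud]):
        findings.append(f"unexpected client preauthorized for scope: {app_id}")
    return findings


# Constructed sample: bad URI, Power BI Mobile missing, one unrelated client added.
SCOPE_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE = {
    "identifierUris": ["https://contoso.onmicrosoft.com/visual"],
    "api": {
        "oauth2PermissionScopes": [{"id": SCOPE_ID, "value": "sampleVisualABC123_CV_ForPBI"}],
        "preAuthorizedApplications": [
            {"appId": a, "delegatedPermissionIds": [SCOPE_ID]}
            for a in ("871c010f-5e61-4fb1-83ac-98610a7e9110",
                      "7f67af8a-fedc-4b08-8b4e-37c4d127b6cf",
                      "11111111-1111-1111-1111-111111111111")],
    },
}
```

The check does not confirm that the URI's domain is a verified custom domain; that still has to be confirmed in Microsoft Entra ID.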
ISV consent
The tenant administrator can determine whether or not users are allowed to consent for themselves. This consent process takes place outside of Power BI.
ISV backend application (for example, https://contoso.com) should be consented to Graph API and other dependencies (by users or tenant administrators) according to standard AAD rules:
If the ISV application is running on a different tenant than the visual consumer's tenant, grant consent for the ISV's application in one of the following ways:
Administrator preconsent:
Follow the instructions in Grant tenant-wide admin consent to an application. Replace the tenant-wide admin consent URL with the respective link for each cloud:
- COM and GCC:
https://login.microsoftonline.com/{organization}/adminconsent?client_id={clientId}
- CN:
https://login.partner.microsoftonline.cn/{organization}/adminconsent?client_id={clientId}
- GCCHIGH and DOD:
https://login.microsoftonline.us/{organization}/adminconsent?client_id={clientId}
Interactive consent:
If the tenant administrator didn't preconsent, any user that uses a visual that triggers the API receives a one-time consent prompt when rendering the visual. See Application consent experience for more information.