Edit

Enable service principal authentication for read-only admin APIs

  • Article

Service principal is an authentication method that can be used to let a Microsoft Entra application access Power BI service content and APIs. When you create a Microsoft Entra app, a service principal object is created. The service principal object, also known simply as the service principal, allows Microsoft Entra ID to authenticate your app. Once authenticated, the app can access Microsoft Entra tenant resources.

Method

To enable service principal authentication for Power BI read-only APIs, follow these steps:

  1. Create a Microsoft Entra app. You can skip this step if you already have a Microsoft Entra app you want to use. Take note of the App-Id for later steps.

    Important

    Make sure the app you use doesn't have any admin-consent required permissions for Power BI set on it in the Azure portal. See how to check whether your app has any such permissions.

  2. Create a new Security Group in Microsoft Entra ID. Read more about how to create a basic group and add members using Microsoft Entra ID. You can skip this step if you already have a security group you would like to use. Make sure to select Security as the Group type.

    Screenshot of new group creation dialog in Azure portal.

  3. Add your App-Id as a member of the security group you created. To do so:

    1. Navigate to Azure portal > Microsoft Entra ID > Groups, and choose the security group you created in Step 2.
    2. Select Add Members.

    Important

    Make sure the app doesn't have any admin-consent required permissions for Power BI set on it in the Azure portal. See how to check whether your app has any such permissions.

  4. Enable the Power BI service admin settings:

    1. Log in to the Power BI admin portal. You need to be a Power BI admin to see the tenant settings page.

    2. Under Admin API settings, you'll see Allow service principals to use read-only Power BI admin APIs. Set the toggle to Enabled, and then select the Specific security groups radio button and add the security group you created in Step 2 in the text field that appears below it, as shown in the figure below.

      Screenshot of allow service principals tenant setting.

  5. Start using the read-only admin APIs. See the list of supported APIs below.

Important

An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal. See how to check whether your app has any such permissions.

Supported APIs

Service principal authentication is currently supported for the following read-only admin APIs.

An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal. To check the assigned permissions:

  1. Sign into the Azure portal as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
  2. Select Microsoft Entra ID, then Enterprise applications.
  3. Select the application you want to grant access to Power BI.
  4. Select Permissions. There must be no admin-consent required permissions of type Application registered for the app.

Considerations and limitations

  • You can't sign into the Power BI portal using service principal.
  • Power BI admin rights are required to enable service principal in the Admin API settings in the Power BI admin portal.