Before ingesting Power BI metadata into Dawiso, prepare your account for authentication by configuring an Azure Application and granting the necessary permissions.

Supported Power BI versions

  • Dawiso reads metadata from the Power BI Admin API and is up to date with the lastest Power BI changes.

Connection prerequisites

  • An active Azure Portal subscription (you can create one for free).
  • Microsoft Entra ID administrative access.
  • Power BI Service tenant and account with administrative privileges. You can use this simple tutorial to configure it.

Connection configuration

Dawiso scans metadata from the Power BI Service API using the Admin API and a few user-level API endpoints. Authentication is performed via service principal instead of a dedicated administrative account. For more details refer to the Power BI official blog post.

In this guide, you will:

  1. Configure an Azure application.
  2. Generate a Client Secret.
  3. Test the application for a successful connection to Azure AD.
  4. Configure a Power BI Tenant to allow service principals to read the new Admin API.
  5. Allow the service principal access to individual workspaces.

Register a new application

You need to register a new application in Microsoft Entra ID.

  1. In your Azure Portal, navigate to Microsoft Entra ID.
  2. In the left menu, select the App Registrations. Click the + New Registration button. Register_New_Application.png
  3. Choose a name name for your application, e.g., Dawiso Integration. You can keep default values for the rest of the form.
  4. Click Register and wait for the deployment to finish. Register_New_Application_Form.png

Client and tenant IDs

On the Overview page, you can find important values that identify your application. These will be used in the connection setup in Dawiso:

  • Application (client) ID is the unique identification of the application.
  • Directory (tenant) ID is the unique identification of your tenant (organization).

Generate Client Secret

Now, you will need to generate a client secret to later authenticate the connection.

  1. In the left menu, select Certificates & secrets.
  2. Here, click + New client secret. Generate_New_Secret.png
  3. Choose a descriptive name for the client secret and select an expiration date that fits your organization’s requirements. Generate_New_Secret_Details.png
  4. Click Add to finish creating the secret.
  5. Once the secret is created, make sure to copy the value and store it somewhere safe for later use. The secret cannot be displayed twice. Generate_New_Secret_Copy_Value.png
Warning

The secret value is displayed only once. Copy and save it immediately, otherwise you will need to generate a new client secret if it is lost.

Create a security group in Microsoft Entra ID

To follow security best practices, assign Power BI Admin API access to the service principal via a Microsoft Entra ID security group only.

  1. In your Microsoft Entra ID, navigate to Groups. Groups.png
  2. Click New group. Groups_Add_New.png
  3. Choose the Security group type and choose a descriptive name, e.g., in this case, Power BI Service Principals. Groups_Create_New.png
  4. Click Create to finish the group configuration.

Add members to the group

  1. On the Groups page, click the name of the newly created group. Groups_Open.png
  2. Click + Add members. Groups_Add_Member.png
  3. Using the search box, find your application (in our case Dawiso Integration) and select it using the checkbox. Add_Members2.png
  4. Click Select to finish adding the application as a member.
  5. On the group’s page, you can double-check whether the application has been added successfully. Groups_Member_Added_View.png

Configure Power BI Tenant

Using an account with administrative privileges, navigate to your Power BI Admin Portal. Here, you can create a new Power Platform and Fabric Administrator or assign an existing user to the role. See more details in the Microsoft Fabric documentation.

  1. Select Tenant settings in the Portal. AdminPortal.png
  2. In the Developer settingssection:
    1. Find the Service principals can call Fabric public APIs item and enable it.
    2. Apply it to Specific security groups.
    3. Find the newly created security group (in our case Power BI Service Principals) and add it.
    4. Click Apply to save the configuration. sp_can_call_public_admin_apis.png
  3. In the Admin API settings section:
    1. Find the Allow service principals to use read-only admin APIs item and enable it.
    2. Apply it to Specific security groups.
    3. Find the newly created security group (in our case Power BI Service Principals) and add it.
    4. Click Apply to save the configuration. 2 AdminAPIs.png
  4. Also in the Admin API settingssection:
    1. Find the Enhance admin APIs responses with detailed metadata item and enable it.
    2. Apply it to Specific security groups.
    3. Find the newly created security group (in our case Power BI Service Principals) and add it.
    4. Click Apply to finish the configuration. 3 EnhancedMetadata.png
  5. Finally, again in the Admin API settingssection:
    1. find the Enhance admin APIs responses with DAX and mashup expressions item and enable it.
    2. Apply it to Specific security groups.
    3. Find the newly created security group (in our case Power BI Service Principals) and add it.
    4. Click Apply to save the configuration. 4 Admin_DAX.png

Allow Service Principal access to individual workspaces

To ingest certain assets (such as Report Pages), make sure the Service Principal has access to all workspaces from which you will ingest them.

  1. On your Power BI homepage, select the workspace for which you want to configure the access.
  2. Click Manage access. A ManageAccess.png
  3. Continue with clicking Add people or groups. B AddPeople.png
  4. Find the newly created security group (in our case Power BI Service Principals) and change its role to Viewer.
  5. Click Add to allow the security group to access your workspace with viewer rights. C AddPeopleDetail.png