Power BI authentication

As a BI Admin, use the following information to help you choose the correct authentication method for Power BI. You must authenticate to access your metadata. Collibra Data Lineage supports two authentication methods: Service principal, and username and password.

The method you choose determines how the lineage harvester retrieves the metadata. We recommend service principal authentication. This method enables detailed metadata scanning and improves security compared to using a username and password.

Note 
To ingest Power BI dataflows:
  • You need access to the Power BI environment in which the dataflow is stored.
  • The semantic model in the dataflow must exist in a premium workspace.

The service principal authentication method allows an Azure Active Directory application to automatically access Power BI content and APIs.

Service principal authentication relies on the Power BI Tenant ID and the Azure Active Directory application ID that you provide in the lineage harvester (deprecated) configuration file. The password you need to access Power BI is the client secret key of the Azure Active Directory application.

To use service principal authentication, you need to embed Power BI content with a Service Principal and an application secret. This entails the following steps:

In the Power BI Admin portal:

  • Enable the "Allow service principals to use read-only Power BI admin APIs" option.
  • Enable the "Enhance admin APIs responses with detailed metadata" option.
  • Enable the "Enhance admin APIs responses with DAX and mashup expressions" option.

You need Power BI administrator rights to access the Power BI Admin portal.

Do not confuse the "Allow service principals to use read-only Power BI admin APIs" option with the "Allow service principal to use Power BI APIs" option. You need to enable both options.

The username and password authentication method relies on the username (an email address) and a password you provide to access the Power BI metadata. To use the username and password authentication method, you need to be an Azure Active Directory user with a Power BI admin role in Power BI.

When you become an Azure Active Directory user, a new email address is created. This email address is the username you use to sign in to Power BI.

Only Azure Administrators can create users and require them to authenticate via username and password. The Azure Administrator also assigns the user the Power BI admin role. This user is only created for the purpose of Power BI integration in Collibra Platform. The user in Azure should have a Member user type.

Important: The Power BI application in Microsoft Azure must be granted administrator rights, such as Office 365 Global Administrator or Power BI Service Administrator. Delegated permissions are supported.

Check whether you can use username and password authentication

You can use a cURL command to check whether you can use username and password authentication.

Run the following command, where the text in angle brackets refers to your information:
curl -v "https://login.microsoftonline.com/<your environment>.onmicrosoft.com/oauth2/v2.0/token" -F "client_id=<your ID>" -F "username=<your username>" -F "password=<your password>" -F "scope=https://analysis.windows.net/powerbi/api/.default" -F "grant_type=password"

To check on Windows, follow these steps:

  1. Download and install the cURL Command-Line Tool.
  2. In Windows, click Start > Run, and then enter cmd in the Run dialog box.
  3. Run the following command, where the text in angle brackets refers to your information:
    curl -v "https://login.microsoftonline.com/<your environment>.onmicrosoft.com/oauth2/v2.0/token" -F "client_id=<your ID>" -F "username=<your username>" -F "password=<your password>" -F "scope=https://analysis.windows.net/powerbi/api/.default" -F "grant_type=password"
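
The check above, wrapped as a Bash script that keeps the password off the command line and interprets the response. This is an added example, not part of the Collibra documentation. The function names are hypothetical, and the error hints cover only a few common Azure AD AADSTS codes.

```shell
#!/usr/bin/env bash
# Added example, not Collibra's script. Function names are hypothetical and the
# AADSTS hints cover only a few common Azure AD error codes.

# Turn the token endpoint's JSON response into a one-line verdict.
classify_token_response() {
  local body="$1" code
  if printf '%s' "$body" | grep -q '"access_token"[[:space:]]*:'; then
    echo "OK: token issued, username and password authentication works"
    return 0
  fi
  # On failure, error_description begins with an AADSTS error code.
  code=$(printf '%s' "$body" | grep -o 'AADSTS[0-9]*' | head -n 1)
  case "$code" in
    AADSTS50126) echo "FAIL $code: invalid username or password" ;;
    AADSTS50076 | AADSTS50079)
      echo "FAIL $code: MFA required, which a password grant cannot satisfy" ;;
    AADSTS53003) echo "FAIL $code: blocked by a Conditional Access policy" ;;
    AADSTS65001) echo "FAIL $code: consent not granted to the application" ;;
    AADSTS7000218) echo "FAIL $code: public client flows are not enabled" ;;
    "") echo "FAIL: no token and no AADSTS code in the response" ;;
    *) echo "FAIL $code: read error_description for details" ;;
  esac
  return 1
}

# Send the same form fields as the curl command above. The password is read
# from a prompt and handed to curl through a 0600 temp file, so it never
# appears in shell history or in the process list.
check_password_auth() {
  local tenant="$1" client_id="$2" username="$3" password pwfile body
  read -r -s -p "Password: " password
  echo >&2
  pwfile=$(mktemp) || return 2
  printf '%s' "$password" > "$pwfile"
  body=$(curl -s \
    -F "client_id=$client_id" -F "username=$username" \
    -F "password=<$pwfile" \
    -F "scope=https://analysis.windows.net/powerbi/api/.default" \
    -F "grant_type=password" \
    "https://login.microsoftonline.com/$tenant.onmicrosoft.com/oauth2/v2.0/token")
  rm -f "$pwfile"
  classify_token_response "$body"
}

# Usage: check_password_auth <your environment> <your ID> <your username>
```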