Register Power BI in Microsoft Azure and set permissions

Before you set up the lineage harvester, make sure that the harvester can reach Power BI by registering Power BI in Azure and setting the necessary permission to harvest the metadata.

We highly recommend that you read about supported authentication methods before you register Power BI in Microsoft Azure.

Warning  This procedure is performed outside of Collibra. A third-party might change the software without notification, which can render this documentation out-of-date. We highly recommend that you carefully read the source documentation.

Steps

Tip 

The content in this topic differs according to the authentication method.

  1. Follow the instructionsinstructions in the Microsoft Azure documentation to register Power BI in the Azure Portal using the following settings:

    Setting

    Description

    NameThe name of your Power BI application.
    Supported account types

    The type of tenant. This indicates who can access the Power BI application.

    In this case, the supported account type must be Single tenant.

    Redirect URI

    The location to which a user's client is redirected and where security tokens are sent after a successful authorization.

    In this case, the redirected URI must be Web, but you do not have to specify any web location.

    When you have registered Power BI, the Azure portal creates two important IDs that you need in the lineage harvester configuration file:
    • The Application (client) ID
    • The Directory (tenant) ID
    Note We highly recommend that you store these IDs for further use. You can find the IDs in the Overview pane on the Azure portal or in the top right menu.
  2. Create a user with the Power BI Administrator role.
    Note 
    • The user must have administrator rights (such as Office 365 Global Administrator or Power BI Service Administrator) in Power BI.
    • Delegated permissions are supported.
  3. In the Azure portal, go to the Authentication pane and do the following:
    1. Go to the Advanced settings section.
    2. Set the Treat application as a public client to Yes.
      Note When Power BI is registered in Microsoft Azure, the Treat application as a public client setting label changes to Allow public client flows.
  4. Go to the API permissions pane and do the following:
    1. Select Delegated permissions as permission type.
    2. Grant the Power BI application in Microsoft Azure the Microsoft Graph User.Read permission.
    3. Grant the Power BI application in Microsoft Azure all Power BI Service permissions.
    4. Set Admin consent required for Tenant.ReadAll permission to Yes.
      Note Also ensure that the user who runs the lineage harvester has been granted the Admin consent.
    The user now has the following permissions:
    • Microsoft Graph
      • User.Read
      Important You cannot have any API permissions with Admin consent set to Yes.
    • Power BI Service
      • App.Read.All
      • Capacity.Read.All
      • Dashboard.Read.All
      • Dataflow.Read.All
      • Group.Read.All
      • Report.Read.All
      • Workspace.Read.All
      • Tenant.Read.All: You need explicit Admin consent. If you have explicit Admin consent, "granted for" is shown in the Status column.
  5. In the Power BI Admin portal, do the following:
    1. Enable the Allow service principals to use read-only admin APIs option.
    2. Enable the Allow service principals to use Power BI APIs option in the Developer settings.
      Note This option is no longer required. You can leave it enabled, but you can also safely disable it, if you prefer.
    3. Enable the Enhance admin APIs responses with detailed metadata option.
    4. Enable the Enhance admin APIs responses with DAX and mashup expressions option.
    5. Apply the option to specific security groups.
    6. Enter the name of the security group to which you want to add the service principal.
    Warning The Power BI APIs do not support mail-enabled security groups.
    Note You need Power BI administrator rights to access the Power BI Admin portal.
  6. In the Power BI Admin portal, do the following:
    Note Apply the integration setting to the entire organization (default) or to the specific security group to which your workspaces belong.
    1. Enable the Enhance admin APIs responses with detailed metadata option.
    2. Enable the Enhance admin APIs responses with DAX and mashup expressions option.