Understanding the Power BI service administrator role
Learn how you can use the Power BI service administrator role in your organization. Users in this role have full control over a Power BI tenant and its administrative features, except for licensing.
The Power BI service administrator role can be assigned to users who need access to the Power BI Admin portal without also granting those users complete Office 365 administrative access.
Office 365 user management administrators assign users to the Power BI service administrator role in the Microsoft 365 admin center, or by using a PowerShell script. Once a user is assigned, they can access the Power BI admin portal. There, they have access to tenant-wide usage metrics, and can control tenant-wide usage of Power BI features.
Limitations and considerations
The Power BI service administrator role does not provide the following capabilities:
Ability to modify users and licenses within the Microsoft 365 admin center,
Access to the audit logs. For more information, see Using auditing within your organization.
Assign users to the admin role in Office 365
To assign users to the Power BI admin role in the Microsoft 365 admin center, follow these steps.
In the Microsoft 365 admin center, select Users > Active Users.
Select the user that you want to assign the role to.
Under Roles, select Edit.
Select Customized administrator > Power BI service administrator.
Select Save, then Close.
You should see Power BI service administrator listed for the role of that user.
Assign users to the admin role with PowerShell
You can also assign users to roles by using PowerShell. Users are managed in Azure Active Directory (Azure AD). If you don't already have the Azure AD PowerShell module, download and install the latest version.
First, connect to Azure AD:
PS C:\Windows\system32> Connect-AzureAD
Second, get the ObjectId for the Power BI Service Administrator role. You can run Get-AzureADDirectoryRole to get the ObjectId
PS C:\Windows\system32> Get-AzureADDirectoryRole ObjectId DisplayName Description -------- ----------- ----------- 00f79122-c45d-436d-8d4a-2c0c6ca246bf Power BI Service Administrator Full access in the Power BI Service. 250d1222-4bc0-4b4b-8466-5d5765d14af9 Helpdesk Administrator Helpdesk Administrator has access to perform.. 3ddec257-efdc-423d-9d24-b7cf29e0c86b Directory Synchronization Accounts Directory Synchronization Accounts 50daa576-896c-4bf3-a84e-1d9d1875c7a7 Company Administrator Company Administrator role has full access t.. 6a452384-6eb9-4793-8782-f4e7313b4dfd Device Administrators Device Administrators 9900b7db-35d9-4e56-a8e3-c5026cac3a11 AdHoc License Administrator Allows access manage AdHoc license. a3631cce-16ce-47a3-bbe1-79b9774a0570 Directory Readers Allows access to various read only tasks in .. f727e2f3-0829-41a7-8c5c-5af83c37f57b Email Verified User Creator Allows creation of new email verified users.
In this case, the role's ObjectId is 00f79122-c45d-436d-8d4a-2c0c6ca246bf.
Next, get the user's ObjectId. You can find that by running Get-AzureADUser.
PS C:\Windows\system32> Get-AzureADUser -ObjectId 'firstname.lastname@example.org' ObjectId DisplayName UserPrincipalName UserType -------- ----------- ----------------- -------- 6a2bfca2-98ba-413a-be61-6e4bbb8b8a4c Tim email@example.com Member
To add the member to the role, run Add-AzureADDirectoryRoleMember.
Parameter Description ObjectId The Role ObjectId. RefObjectId The members ObjectId.
Add-AzureADDirectoryRoleMember -ObjectId 00f79122-c45d-436d-8d4a-2c0c6ca246bf -RefObjectId 6a2bfca2-98ba-413a-be61-6e4bbb8b8a4c
More questions? Try asking the Power BI Community