Register and scan a Power BI tenant (preview)

This article shows how to use Azure Purview portal to register and scan a Power BI tenant.


If the Purview instance and the Power BI tenant are in the same Azure tenant, you can only use managed identity (MSI) authentication to set up a scan of a Power BI tenant.

Create a security group for permissions

To set up authentication, create a security group and add the Purview managed identity to it.

  1. In the Azure portal, search for Azure Active Directory.

  2. Create a new security group in your Azure Active Directory, by following Create a basic group and add members using Azure Active Directory.


    You can skip this step if you already have a security group you want to use.

  3. Select Security as the Group Type.

    Security group type

  4. Add your Purview managed identity to this security group. Select Members, then select + Add members.

    Add the catalog's managed instance to group.

  5. Search for your Purview managed identity and select it.

    Add catalog by searching for it

    You should see a success notification showing you that it was added.

    Add catalog MSI success

Associate the security group with the tenant

  1. Log into the Power BI admin portal.

  2. Select the Tenant settings page.


    You need to be a Power BI Admin to see the tenant settings page.

  3. Select Admin API settings > Allow service principals to use read-only Power BI admin APIs (Preview).

  4. Select Specific security groups.

    Image showing how to allow service principals to get read-only Power BI admin API permissions


    When you allow the security group you created (that has your Purview managed identity as a member) to use read-only Power BI admin APIs, you also allow it to access the metadata (e.g. dashboard and report names, owners, descriptions, etc.) for all of your Power BI artifacts in this tenant. Once the metadata has been pulled into the Azure Purview, Purview's permissions, not Power BI permissions, determine who can see that metadata.


    You can remove the security group from your developer settings, but the metadata previously extracted won't be removed from the Purview account. You can delete it separately, if you wish.

Register your Power BI and set up a scan

Now that you've given the Purview Managed Identity permissions to connect to the Admin API of your Power BI tenant, you can set up your scan from the Azure Purview Studio.

First, add a special feature flag to your Purview URL

  1. Select the Management Center icon.

    Management center icon.

  2. Then select + New on Data sources.

    Image of new data source button

    Select Power BI as your data source.

    Image showing the list of data sources available to choose

  3. Give your Power BI instance a friendly name.

    Image showing Power BI data source-friendly name

    The name must be between 3-63 characters long and must contain only letters, numbers, underscores, and hyphens. Spaces aren't allowed.

    By default, the system will find the Power BI tenant that exists in the same Azure subscription.

    Power BI data source registered


    For Power BI, data source registration and scan is allowed for only one instance.

  4. Give your scan a name. Notice that the only authentication method supported is Managed Identity.

    Image showing Power BI scan setup

    The scan name must be between 3-63 characters long and must contain only letters, numbers, underscores, and hyphens. Spaces aren't allowed.

  5. Set up a scan trigger. Your options are Once, Every 7 days, and Every 30 days.

    Scan trigger image

  6. On Review new scan, select Save and Run to launch your scan.

    Save and run Power BI screen image

Next steps