Enable service principal authentication for read-only admin APIs
Service principal is an authentication method that can be used to let an Azure Active Directory (Azure AD) application access Power BI service content and APIs. When you create an Azure AD app, a service principal object is created. The service principal object, also known simply as the service principal, allows Azure AD to authenticate your app. Once authenticated, the app can access Azure AD tenant resources.
To enable service principal authentication for Power BI read-only APIs, follow these steps:
Create an Azure AD app. You can skip this step if you already have an Azure AD app you want to use. Take note of the App-Id for later steps.
Make sure the app you use doesn't have any Power BI admin roles set on it in Azure portal.
Create a new Security Group in Azure Active Directory. Read more about how to create a basic group and add members using Azure Active Directory. You can skip this step if you already have a security group you would like to use. Make sure to select Security as the Group type.
Add your App-Id as a member of the security group you created. To do so:
Navigate to Azure portal > Azure Active Directory > Groups, and choose the security group you created in Step 2.
Select Add Members. Note: Make sure the app you use doesn't have any Power BI admin roles set on it in Azure portal. To check the assigned roles:
- Sign into the Azure portal as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
- Select Azure Active Directory, then Enterprise applications.
- Select the application you want to grant access to Power BI.
- Select Permissions.
Make sure there are no Power BI admin-consent-required permissions set on this application. For more information, see Managing consent to applications and evaluating consent requests.
Enable the Power BI service admin settings:
Log into the Power BI admin portal. You need to be a Power BI admin to see the tenant settings page.
Under Admin API settings, you'll see Allow service principals to use read-only Power BI admin APIs. Set the toggle to Enabled, and then select the Specific security groups radio button and add the security group you created in Step 2 in the text field that appears below it, as shown in the figure below.
Start using the read-only admin APIs. See the list of supported APIs below.
Once you enable the service principal to be used with Power BI, the application's Azure AD permissions no longer have any effect. The application's permissions are then managed through the Power BI admin portal.
Service principal currently supports the following APIs:
- GetGroupsAsAdmin with $expand for dashboards, datasets, reports, and dataflows
- GetDashboardsAsAdmin with $expand tiles
- Get Power BI Encryption Keys
- Get Refreshable For Capacity
- Get Refreshables
- Get Refreshables For Capacity
Considerations and limitations
- You can't sign into the Power BI portal using service principal.
- Power BI admin rights are required to enable service principal in the Admin API settings in the Power BI admin portal.