To use Power BI embedded analytics, you need to register an Azure Active Directory (Azure AD) application in Azure. The Azure AD app establishes permissions for Power BI REST resources, and allows access to the Power BI REST APIs.
Determine your embedding solution
Before registering your app, decide which of the following solutions is best suited for you:
Embed for your customers
Embed for your organization
Embed for your customers
Use the embed for your customers solution, also known as app owns data, if you're planning to create an application that's designed for your customers. Users will not need to sign in to Power BI or have a Power BI license, to use your application. Your application will use one of the following methods to authenticate against Power BI:
Master user account (a Power BI Pro license used for signing in to Power BI)
The embed for your customers solution is usually used by independent software vendors (ISVs) and developers who are creating applications for a third party.
Embed for your organization
Use the embed for your organization solution, also known as user owns data, if you're planning to create an application that requires users to use their credentials to authenticate against Power BI.
The embed for your organization solution is usually used by enterprises and big organizations, and is intended for internal users.
Register an Azure AD app
The easiest way to register an Azure AD app, is by using the Power BI embedding setup tool. The tool offers a quick registration process for both embedding solutions, using a simple graphical interface.
If you're creating an embed for your organization application, and want more control over your Azure AD app, you can register it manually in the Azure portal.
In the Choose an embedding solution section, select Embed for your customers.
In Step 1 - sign in to Power BI, sign in with a user that belongs to your Power BI tenant. The Azure AD app will be registered under this user.
If you're already signed in, verify that you're signed in with the user you want to use for creating the Azure AD app. To change a user, select the sign out link and once the tool restarts, sign in again.
In Step 2 - Register your application, fill in the following fields:
Your Azure AD app Application ID is displayed in the Summary box. Copy this value for later use.
(Optional) In Step 3 - Create a workspace, you can create a workspace in Power BI service.
If you already have a Power BI workspace, select Skip.
To create a workspace, enter a name for your workspace and select Create workspace. Your Workspace name and ID appear in the Summary box. Copy these values for later use.
Note
For the embedded analytics sample app to work as expected, you have to create a workspace using the tool.
(Optional) In Step 4 - Import content, select one of following options:
If you have your own Power BI app, you can select Skip.
If you want to create a sample Power BI app using a sample report, select Sample Power BI report and then select Import.
If you want to create a sample Power BI app using your own report, select Upload a .pbix file, browse for your file and then select Import.
In Step 5 - Grant permissions, select Grant permissions and in the pop-up window select accept. This allows your Azure AD app to access the APIs you selected (also known as scopes) with your signed in user. This user is also known as the master user.
(Optional) If you created a Power BI workspace and uploaded content to it using the tool, you can now select Download sample application. Make sure you copy all the information in the Summary Box.
Note
If you skipped the optional stages, you can still download a sample Power BI app. However, the code in the downloaded app, will lack the properties that you didn't fill in during registration. For example, if you didn't create a workspace, the sample app will not include the workspace ID.
These steps describe how to register an Azure AD application for the Power BI embed for your organization solution.
In the Choose an embedding solution section, select Embed for your organization.
In Step 1 - sign in to Power BI, sign in with a user that belongs to your Power BI tenant. The Azure AD app will be registered under this user.
If you're already signed in, verify that you're signed in with the user you want to use for creating the Azure AD app. To change a user, select the sign out link and once the tool restarts, sign in again.
In Step 2 - Register your application, fill in the following fields:
Application Name - Give your application a name.
Home Page URL - Enter a URL for your home page.
Redirect URL - Upon singing in, your application users will be redirected to this address while your application receives an authentication code from Azure. Select one of these options:
Use a default URL - This option will automatically create and download a sample embedded analytics application. The default URL is http://localhost:13526/.
Use a custom URL - Select this option if you already have an embedded analytics application, and know what you want to use as a redirect URL.
Your Azure AD app Application ID and Application secret values are displayed in the Summary box. Copy these values for later use.
(Optional) In Step 3 - Create a workspace, you can create a workspace in Power BI service.
If you already have a Power BI workspace, select Skip.
To create a workspace, enter a name for your workspace and select Create workspace. Your Workspace name and ID appear in the Summary box. Copy these values for later use.
Note
For the embedded analytics sample app to work as expected, you have to create a workspace using the tool.
(Optional) In Step 4 - Import content, select one of following options:
If you have your own Power BI app, you can select Skip.
If you want to create a sample Power BI app using a sample report, select Sample Power BI report and then select Import.
If you want to create a sample Power BI app using your own report, select Upload a .pbix file, browse for your file and then select Import.
(Optional) If you created a Power BI workspace and uploaded content to it using the tool, you can now select Download sample application. Make sure you copy all the information in the Summary Box.
Note
If you skipped the optional stages, you can still download a sample Power BI app. However, the code in the downloaded app, will lack the properties that you didn't fill in during registration. For example, if you didn't create a workspace, the sample app will not include the workspace ID.
Use the Azure AD manual app registration only if you're creating one of the following solutions:
An embed for your organization application.
An embed for your customers application with a service principal.
Note
If you choose this option, after you register your Azure AD app you'll have to add Power BI permissions to it.
Select your Azure AD tenant by selecting your account in the upper right corner of the page.
Select App registrations. If you can't see this option, search for it.
From the Owned applications tab, select your app. The application opens in the Overview tab, where you can review the Application ID.
Select the API permissions tab.
To add permissions, follow these steps:
Select Add a permission and then select Power BI service.
Select Delegated Permissions and add or remove the specific permissions you need.
When you're done, select Add permissions to save your changes.
To remove a permission, follow these steps:
Select the ellipsis (...) to the right of the permission.
Select Remove permission.
In the Remove permission pop-up window, select Yes, remove.
To change your Azure AD app permissions programmatically, you'll need to get the existing service principals (users) within your tenant. For information on how to do that, see servicePrincipal.
To get all the service principals within your tenant, call the Get servicePrincipal API without {ID}.
Check for a service principal with your app's application ID as the appId property.
Grant Power BI permissions to your app, by assigning one of these values to consentType:
AllPrincipals - Can only be used by a Power BI admin to grant permissions on behalf of all the users in the tenant.
Principal - Use to grant permissions on behalf of a specific user. If you're using this option, add the principalId={User_ObjectId} property to the request body.
If you're using a master user, to avoid being prompted for consent by Azure AD, you need to grant permissions to the master account.
The resourceIdc78a3685-1ce7-52cd-95f7-dc5aea8ec98e is tenant dependent and not universal. This value is the objectId of the Power BI Service application in Azure AD. To get this value from the Azure portal, navigate to Enterprise applications > All applications, and search for Power BI Service.
Grant app permissions to Azure AD, by assigning a value to consentType.
You can also change your Azure AD app permissions using C#. For more information see the oAuth2PermissionGrant API. This method can be useful if you're considering to automate some of your processes.
For more information regarding the HTTP requests, refer to the HTTP tab.
var graphClient = GetGraphClient();
currentState.createdApp = await graphClient.Applications
.Request()
.AddAsync(application);
System.Threading.Thread.Sleep(2000);
var passwordCredential = new PasswordCredential
{
DisplayName = "Client Secret Created in C#"
};
currentState.createdSecret = await graphClient.Applications[currentState.createdApp.Id]
.AddPassword(passwordCredential)
.Request()
.PostAsync();
var servicePrincipal = new ServicePrincipal
{
AppId = currentState.createdApp.AppId
};
currentState.createdServicePrincipal = await graphClient.ServicePrincipals
.Request()
.AddAsync(servicePrincipal);
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
// Use oAuth2PermissionGrant to change permissions
var oAuth2PermissionGrant = await graphClient.Oauth2PermissionGrants["{id}"]
.Request()
.GetAsync();
