Connect to and manage a Power BI tenant in Azure Purview

This article outlines how to register a Power BI tenant, and how to authenticate and interact with the tenant in Azure Purview. For more information about Azure Purview, read the introductory article.

Supported capabilities

Metadata Extraction Full Scan Incremental Scan Scoped Scan Classification Access Policy Lineage
Yes Yes No No No No Yes

Note

If the Purview instance and the Power BI tenant are in the same Azure tenant, you can only use managed identity (MSI) authentication to set up a scan of a Power BI tenant.

Known limitations

  • For cross-tenant scenario, no UX experience currently available to register and scan cross Power BI tenant.
  • By Editing the Power BI cross tenant registered with PowerShell using Purview Studio will tamper the data source registration with inconsistent scan behavior.
  • Review Power BI Metadata scanning limitations.

Prerequisites

Register

This section describes how to register a Power BI tenant in Azure Purview in both same-tenant and cross-tenant scenarios.

Authentication for a same-tenant scenario

For both same-tenant and cross-tenant scenarios, to set up authentication, create a security group and add the Purview-managed identity to it.

  1. In the Azure portal, search for Azure Active Directory.

  2. Create a new security group in your Azure Active Directory, by following Create a basic group and add members using Azure Active Directory.

    Tip

    You can skip this step if you already have a security group you want to use.

  3. Select Security as the Group Type.

    Screenshot of security group type.

  4. Add your Purview-managed identity to this security group. Select Members, then select + Add members.

    Screenshot of how to add the catalog's managed instance to group.

  5. Search for your Purview-managed identity and select it.

    Screenshot showing how to add catalog by searching for its name.

    You should see a success notification showing you that it was added.

    Screenshot showing successful addition of catalog MSI.

Associate the security group with the tenant

  1. Log into the Power BI admin portal.

  2. Select the Tenant settings page.

    Important

    You need to be a Power BI Admin to see the tenant settings page.

  3. Select Admin API settings > Allow service principals to use read-only Power BI admin APIs (Preview).

  4. Select Specific security groups.

    Image showing how to allow service principals to get read-only Power BI admin API permissions.

  5. Select Admin API settings > Enhance admin APIs responses with detailed metadata > Enable the toggle to allow Purview Data Map automatically discover the detailed metadata of Power BI datasets as part of its scans.

    Important

    After you update the Admin API settings on your power bi tenant, wait around 15 minutes before registering a scan and test connection.

    Image showing the Power BI admin portal config to enable subartifact scan.

    Caution

    When you allow the security group you created (that has your Purview managed identity as a member) to use read-only Power BI admin APIs, you also allow it to access the metadata (e.g. dashboard and report names, owners, descriptions, etc.) for all of your Power BI artifacts in this tenant. Once the metadata has been pulled into the Azure Purview, Purview's permissions, not Power BI permissions, determine who can see that metadata.

    Note

    You can remove the security group from your developer settings, but the metadata previously extracted won't be removed from the Purview account. You can delete it separately, if you wish.

Steps to register in the same tenant

Now that you've given the Purview-Managed Identity permissions to connect to the Admin API of your Power BI tenant, you can set up your scan from the Azure Purview Studio.

  1. Select the Data Map on the left navigation.

  2. Then select Register.

    Select Power BI as your data source.

    Image showing the list of data sources available to choose.

  3. Give your Power BI instance a friendly name.

    Image showing Power BI data source-friendly name.

    The name must be between 3-63 characters long and must contain only letters, numbers, underscores, and hyphens. Spaces aren't allowed.

    By default, the system will find the Power BI tenant that exists in the same Azure subscription.

    Image showing the registered Power BI data source.

    Note

    For Power BI, data source registration and scan is allowed for only one instance.

Steps to register cross-tenant

In a cross-tenant scenario, you can use PowerShell to register and scan your Power BI tenants. You can browse, and search assets of remote tenant using Azure Purview Studio through the UI experience.

Consider using this guide if the Azure AD tenant where Power BI tenant is located, is different than the Azure AD tenant where your Azure Purview account is being provisioned. Use the following steps to register and scan one or more Power BI tenants in Azure Purview in a cross-tenant scenario:

  1. Download the Managed Scanning PowerShell Modules, and extract its contents to the location of your choice.

  2. On your computer, enter PowerShell in the search box on the Windows taskbar. In the search list, select and hold (or right-click) Windows PowerShell, and then select Run as administrator.

  3. Install and import module in your machine if it has not been installed yet.

     Install-Module -name az
 Import-Module -name az
 Login-AzAccount

  4. Sign into your Azure environment using the Azure AD Administrator credential where your Power BI tenant is located.

     Login-AzAccount

  5. In the PowerShell window, enter the following command, replacing <path-to-managed-scanning-powershell-modules> with the folder path of the extracted modules such as C:\Program Files\WindowsPowerShell\Modules\ManagedScanningPowerShell

    dir -Path <path-to-managed-scanning-powershell-modules> -Recurse | Unblock-File

  6. Enter the following command to install the PowerShell modules.

    Import-Module 'C:\Program Files\WindowsPowerShell\Modules\ManagedScanningPowerShell\Microsoft.DataCatalog.Management.Commands.dll'

  7. Use the same PowerShell session to set the following parameters. Update purview_tenant_id with Azure AD tenant ID where Azure Purview is deployed, powerbi_tenant_id with your Azure AD tenant where Power BI tenant is located, and purview_account_name is your existing Azure Purview account.

    $azuretenantId = '<purview_tenant_id>'
$powerBITenantIdToScan = '<powerbi_tenant_id>'
$purviewaccount = '<purview_account_name>'

  8. Create a cross-tenant Service Principal.

    1. Create an App Registration in your Azure Active Directory tenant where Power BI is located. Make sure you update password field with a strong password and update app_display_name with a non-existent application name in your Azure AD tenant where Power BI tenant is hosted.

      $SecureStringPassword = ConvertTo-SecureString -String <'password'> -AsPlainText -Force
$AppName = '<app_display_name>'
New-AzADApplication -DisplayName $AppName -Password $SecureStringPassword

    2. From Azure Active Directory dashboard, select newly created application and then select App registration. Assign the application the following delegated permissions and grant admin consent for the tenant:

      • Power BI Service Tenant.Read.All
      • Microsoft Graph openid

      Screenshot of delegated permissions for Power BI Service and Microsoft Graph.

    3. From Azure Active Directory dashboard, select newly created application and then select Authentication. Under Supported account types select Accounts in any organizational directory (Any Azure AD directory - Multitenant).

      Screenshot of account type support multitenant.

    4. Under Implicit grant and hybrid flows, ensure to select ID tokens (used for implicit and hybrid flows)

      Screenshot of ID token hybrid flows.

    5. Construct tenant-specific sign-in URL for your service principal by running the following url in your web browser:

      https://login.microsoftonline.com/<purview_tenant_id>/oauth2/v2.0/authorize?client_id=<client_id_to_delegate_the_pbi_admin>&scope=openid&response_type=id_token&response_mode=fragment&state=1234&nonce=67890

      Make sure you replace the parameters with correct information:

      • <purview_tenant_id> is the Azure Active Directory tenant ID (GUID) where Azure Purview account is provisioned.
      • <client_id_to_delegate_the_pbi_admin> is the application ID corresponding to your service principal

    6. Sign-in using any non-admin account. This is required to provision your service principal in the foreign tenant.

    7. When prompted, accept permission requested for View your basic profile and Maintain access to data you have given it access to.

  9. Update client_id_to_delegate_the_pbi_admin with Application (client) ID of newly created application and run the following command in your PowerShell session:

    $ServicePrincipalId = '<client_id_to_delegate_the_pbi_admin>'

  10. Create a user account in Azure Active Directory tenant where Power BI tenant is located and assign Azure AD role, Power BI Administrator. Update pbi_admin_username and pbi_admin_password with corresponding information and execute the following lines in the PowerShell terminal:

    $UserName = '<pbi_admin_username>'
$Password = '<pbi_admin_password>'

    Note

    If you create a user account in Azure Active Directory from the portal, the public client flow option is No by default. You need to toggle it to Yes:
    Screenshot of public client flows.

  11. In Azure Purview Studio, assign Data Source Admin to the Service Principal and the Power BI user at the root collection.

  12. To register the cross-tenant Power BI tenant as a new data source inside Azure Purview account, update service_principal_key and execute the following cmdlets in the PowerShell session:

    Set-AzDataCatalogSessionSettings -DataCatalogSession -TenantId $azuretenantId -ServicePrincipalAuthentication -ServicePrincipalApplicationId $ServicePrincipalId -ServicePrincipalKey '<service_principal_key>' -Environment Production -DataCatalogAccountName $purviewaccount

Set-AzDataCatalogDataSource -Name 'pbidatasource' -AccountType PowerBI -Tenant $powerBITenantIdToScan -Verbose

Scan

Follow the steps below to scan a Power BI tenant to automatically identify assets and classify your data. For more information about scanning in general, see our introduction to scans and ingestion

This guide covers both same-tenant and cross-tenant scanning scenarios.

Create and run scan for same-tenant Power BI

To create and run a new scan, do the following:

  1. In the Purview Studio, navigate to the Data map in the left menu.

  2. Navigate to Sources.

  3. Select the registered Power BI source.

  4. Select + New scan.

  5. Give your scan a name. Then select the option to include or exclude the personal workspaces. Notice that the only authentication method supported is Managed Identity.

    Image showing Power BI scan setup.

    Note

    Switching the configuration of a scan to include or exclude a personal workspace will trigger a full scan of PowerBI source.

  6. Select Test Connection before continuing to next steps. If Test Connection failed, select View Report to see the detailed status and troubleshoot the problem

    1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required.
    2. Assets (+ lineage) - Failed status means the Purview - Power BI authorization has failed. Make sure the Purview-managed identity is added to the security group associated in Power BI admin portal.
    3. Detailed metadata (Enhanced) - Failed status means the Power BI admin portal is disabled for the following setting - Enhance admin APIs responses with detailed metadata

    Screenshot of test connection status report page.

  7. Set up a scan trigger. Your options are Once, Every 7 days, and Every 30 days.

    Screenshot of the Purview scan scheduler.

  8. On Review new scan, select Save and Run to launch your scan.

    Screenshot of save and run Power BI source.

Create and run scan for cross-tenant Power BI

To create and run a new scan inside Azure Purview execute the following cmdlets in the PowerShell session:

Set-AzDataCatalogScan -DataSourceName 'pbidatasource' -Name 'pbiscan' -AuthorizationType PowerBIDelegated -ServicePrincipalId $ServicePrincipalId -UserName $UserName -Password $Password -IncludePersonalWorkspaces $true -Verbose

Start-AzDataCatalogScan -DataSourceName 'pbidatasource' -Name 'pbiscan'

View your scans and scan runs

To view existing scans, do the following:

  1. Go to the Purview Studio. Select the Data Map tab under the left pane.

  2. Select the desired data source. You will see a list of existing scans on that data source under Recent scans, or can view all scans under the Scans tab.

  3. Select the scan that has results you want to view.

  4. This page will show you all of the previous scan runs along with the status and metrics for each scan run. It will also display whether your scan was scheduled or manual, how many assets had classifications applied, how many total assets were discovered, the start and end time of the scan, and the total scan duration.

Manage your scans - edit, delete, or cancel

To manage or delete a scan, do the following:

  1. Go to the Purview Studio. Select the Data Map tab under the left pane.

  2. Select the desired data source. You will see a list of existing scans on that data source under Recent scans, or can view all scans under the Scans tab.

  3. Select the scan you would like to manage. You can edit the scan by selecting Edit scan.

  4. You can cancel an in progress scan by selecting Cancel scan run.

  5. You can delete your scan by selecting Delete scan.

Note

  • Deleting your scan does not delete catalog assets created from previous scans.
  • The asset will no longer be updated with schema changes if your source table has changed and you re-scan the source table after editing the description in the schema tab of Purview.

Next steps

Now that you have registered your source, follow the below guides to learn more about Purview and your data.