Register an Azure AD application to use with Power BI

Learn how to register an application within Azure Active Directory (Azure AD) for use with embedding Power BI content.

You register your application with Azure AD to allow your application access to the Power BI REST APIs. Once you register your application, you can establish an identity for your application and specify permissions to Power BI REST resources.

Important

Before you register a Power BI app, you need an Azure Active Directory tenant and an organizational user. If you haven't signed up for Power BI with a user in your tenant, the app registration doesn't complete successfully.

There are two ways to register your application. The first is with the Power BI App Registration Tool; the second is directly within the Azure portal. The Power BI App Registration Tool is more convenient to use since there are just a few fields to complete. Use the Azure portal if you want to make changes to your app.

Register with the Power BI Application Registration Tool

Register your application in Azure Active Directory to establish an identity for your application and specify permissions to Power BI REST resources. When you register an application, such as a console app or a website, you receive an identifier, which the application uses to identify itself to the users from whom it requests permissions.

Here's how to register your application with the Power BI App Registration Tool:

  1. Go to dev.powerbi.com/apps.

  2. Select Sign in with your existing account, then select Next.

  3. Provide an Application Name.

  4. Provide an Application Type.

    Here is why you would choose Native versus Server-side web application as the application type.

    Native:

    • You plan on creating an application that is designed for your customers using a master user account (a Power BI Pro license used for signing in to Power BI) to authenticate.

    Server-side web application:

  5. If you selected Server-side web application for the application type, enter a value for Home Page URL and Redirect URL. The Redirect URL works with any valid URL and should correspond with the application you've created. If you selected Native, continue to step 6.

  6. Choose the Power BI APIs that your application needs. For more information about Power BI access permissions, see Power BI Permissions. Then select Register.

    Important

    If you enable service principals to be used with Power BI, the Azure Active Directory permissions don't take effect anymore. The permissions are managed through the Power BI admin portal.

  7. If you chose Native for the application type, you're provided an Application ID. If you selected Server-side Web app for the application type, you receive an Application ID and an Application secret.

    Note

    The Application ID can be retrieved from the Azure portal at a later time, if needed. If you lose the Application secret, you need to create a new one within the Azure portal.

You can now use the registered application as part of your custom application to interact with the Power BI service and with your Power BI Embedded application.

Register with the Azure portal

Your other option for registering your application is to do so directly in the Azure portal. To register your application, follow these steps.

  1. Accept the Microsoft Power BI API Terms.

  2. Sign into the Azure portal.

  3. Choose your Azure AD tenant by selecting your account in the top-right corner of the page.

  4. In the left-hand navigation pane, go to All services, select App Registrations and then select New registration.

  5. Follow the prompts and create a new application.

    For more information about how to register applications in Azure Active Directory, see Register an app with the Azure Active Directory.

How to get the Application ID

When you register an application, you receive an Application ID. The application uses the Application ID to identify itself to the users from whom it requests permissions.

How to get the service principal object ID

When using the Power BI APIs, make sure to define operations using the service principal object ID to reference the service principal - for example, applying a service principal as an admin to a workspace.

Apply permissions to your application within Azure AD

Enable additional permissions for your application beyond what the app registration page provides. You can accomplish this task through the Azure AD portal, or programmatically.

Sign in with either the master account used for embedding or a Global admin account.

Using the Azure AD portal

  1. Browse to App registrations within the Azure portal and select the app that you're using for embedding.

  2. Select API permissions under Manage.

  3. Within API permissions, select Add a permission, then select Power BI Service.

  4. Select the specific permissions you need under Delegated Permissions. Select them one by one to save the selections. Select Save when done.

  5. Select Grant Consent.

    The Grant Consent action is needed for the master account to avoid being prompted for consent by Azure AD. If the account performing this action is a Global Admin, you grant permissions to all users within your organization for this application. If the account performing this action is the master account and isn't a Global Admin, you grant permissions only to the master account for this application.

Applying permissions programmatically

  1. You need to get the existing service principals (users) within your tenant. For information on how to do that, see servicePrincipal.

    You can call the Get servicePrincipal API without {ID}, and it gets you all of the service principals within the tenant.

  2. Check for a service principal with your app's application ID as its appId property.

  3. Create a new service principal if your app doesn't have one.

    POST https://graph.microsoft.com/beta/servicePrincipals
    Authorization: Bearer ey..qw
    Content-Type: application/json

    {
      "accountEnabled": true,
      "appId": "{App_Client_ID}",
      "displayName": "{App_DisplayName}"
    }
    
  4. Grant App Permissions to Power BI API

    If you're using an existing tenant and don't want to grant permissions on behalf of all tenant users, you can grant permissions to a specific user by changing the value of consentType to Principal.

    The value for consentType can be either AllPrincipals or Principal.

    • AllPrincipals can only be used by a tenant admin to grant permissions on behalf of all users in the tenant.

    • Principal is used to grant permissions on behalf of a specific user. In this case, an additional property should be added to the request's body - principalId={User_ObjectId}.

      You need to grant permissions for the master account to avoid being prompted for consent by Azure AD, which isn't possible when doing non-interactive sign-in.

      POST https://graph.microsoft.com/beta/OAuth2PermissionGrants
      Authorization: Bearer ey..qw
      Content-Type: application/json

      {
        "clientId": "{Service_Plan_ID}",
        "consentType": "AllPrincipals",
        "resourceId": "c78a3685-1ce7-52cd-95f7-dc5aea8ec98e",
        "scope": "Dataset.ReadWrite.All Dashboard.Read.All Report.Read.All Group.Read Group.Read.All Content.Create Metadata.View_Any Dataset.Read.All Data.Alter_Any",
        "expiryTime": "2018-03-29T14:35:32.4943409+03:00",
        "startTime": "2017-03-29T14:35:32.4933413+03:00"
      }
      

    The resourceId c78a3685-1ce7-52cd-95f7-dc5aea8ec98e isn't universal; it's tenant dependent. This value is the objectId of the “Power BI Service” application in the Azure Active Directory (AAD) tenant.

    The user can quickly get this value in the Azure portal:

    1. https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps

    2. Search for “Power BI Service” in the search box.

  5. Grant App Permissions to Azure Active Directory (AAD)

    The value for consentType can be either AllPrincipals or Principal.

    • AllPrincipals can only be used by a tenant admin to grant permissions for all users in the tenant.
    • Principal is used to grant permissions for a specific user. In this case, an additional property should be added to the request's body - principalId={User_ObjectId}.

    You need to grant permissions for the master account to avoid being prompted for consent by Azure AD, which isn't possible when doing non-interactive sign-in.

    POST https://graph.microsoft.com/beta/OAuth2PermissionGrants
    Authorization: Bearer ey..qw
    Content-Type: application/json

    {
      "clientId": "{Service_Plan_ID}",
      "consentType": "AllPrincipals",
      "resourceId": "61e57743-d5cf-41ba-bd1a-2b381390a3f1",
      "scope": "User.Read Directory.AccessAsUser.All",
      "expiryTime": "2018-03-29T14:35:32.4943409+03:00",
      "startTime": "2017-03-29T14:35:32.4933413+03:00"
    }
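
The programmatic steps above, worked offline as an added example (not code from the original page or from Microsoft): it finds the service principal by appId, builds an OAuth2PermissionGrants body that is per-user whenever a principalId is supplied, and lists what a reviewer would flag on a tenant-wide grant. The function names, the BROAD_SCOPES set, the sample IDs and the {PowerBI_Service_ObjectId} placeholder are assumptions; startTime and expiryTime from the page's requests are left to the caller.

```python
# Scopes treated as broad for review purposes (an assumption for this example);
# all three appear in the Power BI grant request on this page.
BROAD_SCOPES = {"Dataset.ReadWrite.All", "Data.Alter_Any", "Content.Create"}

def find_service_principal(sp_list, app_id):
    """Step 2: return the servicePrincipal whose appId matches, or None."""
    for sp in sp_list.get("value", []):
        if sp.get("appId", "").lower() == app_id.lower():
            return sp
    return None

def build_grant(client_sp_id, resource_sp_id, scopes, principal_id=None):
    """Step 4: build the grant body; per-user when principal_id is given."""
    body = {
        "clientId": client_sp_id,
        "consentType": "Principal" if principal_id else "AllPrincipals",
        "resourceId": resource_sp_id,
        "scope": " ".join(sorted(set(scopes))),
    }
    if principal_id:
        body["principalId"] = principal_id
    return body

def review_grant(grant):
    """Return findings a reviewer would raise before the grant is POSTed."""
    findings = []
    consent = grant.get("consentType")
    if consent not in ("AllPrincipals", "Principal"):
        findings.append(f"unknown consentType {consent!r}")
    if consent == "Principal" and not grant.get("principalId"):
        findings.append("consentType Principal requires principalId")
    if consent == "AllPrincipals":
        findings.append("tenant-wide consent: applies to every user in the tenant")
        broad = sorted(BROAD_SCOPES & set(grant.get("scope", "").split()))
        if broad:
            findings.append("tenant-wide grant includes broad scopes: " + ", ".join(broad))
    return findings

# Constructed sample of a Get servicePrincipal list response (not real tenant data).
SAMPLE_SP_LIST = {"value": [
    {"id": "00000000-0000-0000-0000-0000000000a1", "appId": "11111111-1111-1111-1111-111111111111"},
    {"id": "00000000-0000-0000-0000-0000000000b2", "appId": "22222222-2222-2222-2222-222222222222"},
]}

if __name__ == "__main__":
    sp = find_service_principal(SAMPLE_SP_LIST, "22222222-2222-2222-2222-222222222222")
    grant = build_grant(sp["id"], "{PowerBI_Service_ObjectId}", ["Report.Read.All"],
                        principal_id="{User_ObjectId}")
    print(grant, review_grant(grant))
```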
    

Next steps

Now that you've registered your application within Azure AD, you need to authenticate users within your application. Have a look at Authenticate users and get an Azure AD access token for your Power BI app to learn more.

More questions? Try asking the Power BI Community