Register an Azure AD app to embed Power BI content

Learn how to register an application within Azure Active Directory (Azure AD) for use with embedding Power BI content.

You register your application with Azure AD to allow your application access to the Power BI REST APIs. This allows you to establish an identity for your application and specify permissions to Power BI REST resources.

Important

Before you register a Power BI app, you need an Azure Active Directory tenant and an organizational user. If you haven't signed up for Power BI with a user in your tenant, the app registration will not complete successfully.

There are two ways to register your application: with the Power BI App Registration Tool, or directly within the Azure portal. The Power BI App Registration Tool is the easiest option since there are just a few fields to fill in. If you want to make changes to your app, use the Azure portal.

Register with the Power BI App Registration Tool

You need to register your application in Azure Active Directory to establish an identity for your application and specify permissions to Power BI REST resources. When you register an application, such as a console app or a web site, you receive an identifier that the application uses to identify itself to the users it is requesting permissions from.

Here's how to register your application with the Power BI App Registration Tool:

  1. Go to dev.powerbi.com/apps.
  2. Select Sign in with your existing account.
  3. Provide an App Name.
  4. The App type selection depends on the type of application you are using.

    • Use Server-side Web app for web apps or web APIs.
    • Use Native app for apps that run on client devices. Also choose Native app if you are embedding content for your customers, regardless of what the actual application is, even for web applications.
  5. Enter a value for Redirect URL and Home Page URL. Any valid URL will work.

    Home Page URL is only available if you choose Server-side Web app for the application type.

    For the embedding for your customers and integrate-dashboard-web-app samples, the redirect URL is http://localhost:13526/redirect. For the report and tile sample, the redirect URL is http://localhost:13526/.

  6. Choose the APIs that this application will have access to. For more information about Power BI access permissions, see Power BI Permissions.

  7. Select Register App.

    You will then be provided with a Client ID. If you selected Server-side Web app, you will also receive a Client Secret. The Client ID can be retrieved from the Azure portal at a later time, if needed. If you lose the Client Secret, you will need to create a new one within the Azure portal.

You can now use the registered application as part of your custom application to interact with the Power BI service.

Important

If you are embedding content for your customers, you will need to configure additional permissions within the Azure portal. For more information, see Apply permissions to your application.

Register with the Azure portal

Your other option for registering your application is to do so directly in the Azure portal. To register your application, follow these steps.

  1. Accept the Microsoft Power BI API Terms.
  2. Sign into the Azure portal.
  3. Choose your Azure AD tenant by selecting your account in the top right corner of the page.
  4. In the left-hand navigation pane, choose More Services, select App Registrations under Security + Identity and select New application registration.

  5. Follow the prompts and create a new application.

    • For Web Applications, provide the Sign-On URL, which is the base URL of your app, where users can sign in, e.g. http://localhost:13526.
    • For Native Applications, provide a Redirect URI, which Azure AD uses to return token responses. Enter a value specific to your application, e.g. http://myapplication/redirect.

For more information about how to register applications in Azure Active Directory, see Integrating applications with Azure Active Directory.

How to get the client ID

When you register an application, you receive a Client ID. The application uses the Client ID to identify itself to the users it is requesting permissions from.

Here's how to get a client ID:

  1. Sign into the Azure portal.
  2. Choose your Azure AD tenant by selecting your account in the top right corner of the page.
  3. In the left-hand navigation pane, choose More Services and select App Registrations.
  4. Select the application that you want to retrieve the client ID for.
  5. You will see Application ID listed as a GUID. This is the client ID for the application.

    Client ID listed as Application ID within App registrations

Apply permissions to your application within Azure AD

Important

This section only applies to applications that are embedding content for your organization.

You will need to enable additional permissions for your application in addition to what was provided in the app registration page. You can accomplish this through the Azure AD portal, or programmatically.

You will want to be logged in with either the master account, used for embedding, or a Global admin account.

Using the Azure AD portal

  1. Browse to App registrations within the Azure portal and select the app that you are using for embedding.

  2. Select Required permissions under API Access.

  3. Select Windows Azure Active Directory and then make sure Access the directory as the signed-in user is selected. Select Save.

  4. Within Required permissions, select Power BI Service (Power BI).

    Note

    If you created the app directly in the Azure AD portal, Power BI Service (Power BI) may not be present. If it is not, select + Add and then 1 Select an API. Select Power BI Service in the API list and select Select. If Power BI Service (Power BI) is not available within + Add, sign up for Power BI with at least one user.

  5. Select all permissions under Delegated Permissions. You will need to select them one by one in order to save the selections. Select Save when done.

  6. Within Required permissions, select Grant Permissions.

    The Grant Permissions action is needed for the master account to avoid being prompted for consent by Azure AD. If the account performing this action is a Global Admin, you will grant permissions to all users within your organization for this application. If the account performing this action is the master account and is not a Global Admin, you will grant permissions only to the master account for this application.

    Grant Permissions within the Required permissions dialog

Applying permissions programmatically

  1. You will need to get the existing service principals (users) within your tenant. For information on how to do that, see Get servicePrincipal.

    You can call the Get servicePrincipal API without {id} and it will return all of the service principals within the tenant.

  2. Check for a service principal with your app client ID as its appId property.
  3. Create a new service plan if missing for your app.

    POST https://graph.microsoft.com/beta/servicePrincipals
    Authorization: Bearer ey..qw
    Content-Type: application/json

    {
      "accountEnabled": true,
      "appId": "{App_Client_ID}",
      "displayName": "{App_DisplayName}"
    }
    
  4. Grant App Permission to Power BI API

    POST https://graph.microsoft.com/beta/OAuth2PermissionGrants
    Authorization: Bearer ey..qw
    Content-Type: application/json

    {
      "clientId": "{Service_Plan_ID}",
      "consentType": "AllPrincipals",
      "resourceId": "c78b2585-1df6-41de-95f7-dc5aeb7dc98e",
      "scope": "Dataset.ReadWrite.All Dashboard.Read.All Report.Read.All Group.Read Group.Read.All Content.Create Metadata.View_Any Dataset.Read.All Data.Alter_Any",
      "expiryTime": "2018-03-29T14:35:32.4943409+03:00",
      "startTime": "2017-03-29T14:35:32.4933413+03:00"
    }
    
  5. Grant App Permission to AAD

    The value for consentType depends on the user performing the request. You can supply either AllPrincipals or Principal. AllPrincipals can only be used by an administrator to grant permission to all users. Principal is used to grant permission to a specific user.

    The permission grant is needed for the master account to avoid being prompted for consent by Azure AD.

    If you are using an existing tenant and do not want to grant permissions on behalf of all tenant users, you can grant permissions to a specific user by changing the value of consentType to Principal.

    POST https://graph.microsoft.com/beta/OAuth2PermissionGrants
    Authorization: Bearer ey..qw
    Content-Type: application/json

    {
      "clientId": "{Service_Plan_ID}",
      "consentType": "AllPrincipals",
      "resourceId": "61e57743-d5cf-41ba-bd1a-2b381390a3f1",
      "scope": "User.Read Directory.AccessAsUser.All",
      "expiryTime": "2018-03-29T14:35:32.4943409+03:00",
      "startTime": "2017-03-29T14:35:32.4933413+03:00"
    }
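
The five programmatic steps above as one script, added here as an example and not part of the original page: it looks the service principal up by appId, creates it only when missing, and defaults each grant to consentType Principal so that an all-users grant has to be requested explicitly. The `send` transport, the `fake_graph` stand-in, the service principal's `id` property and the `principalId` field (which Microsoft Graph requires on a Principal grant) are assumptions that do not appear on the page.

```python
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/beta"  # base URL of the requests shown above

def find_service_principal(principals, app_id):
    """Step 2: the service principal whose appId is our client ID, or None."""
    return next((sp for sp in principals if sp.get("appId") == app_id), None)

def build_grant(client_sp_id, resource_id, scope, consent_type="Principal",
                principal_id=None, start=None, days=365):
    """Steps 4-5: request body for POST /OAuth2PermissionGrants."""
    if consent_type not in ("AllPrincipals", "Principal"):
        raise ValueError("consentType must be AllPrincipals or Principal")
    # Assumption beyond the page: Graph wants principalId on a per-user grant.
    if (consent_type == "Principal") != (principal_id is not None):
        raise ValueError("principalId goes with consentType Principal, and only with it")
    start = start or datetime.now(timezone.utc)
    body = {"clientId": client_sp_id, "consentType": consent_type,
            "resourceId": resource_id, "scope": scope,
            "startTime": start.isoformat(),
            "expiryTime": (start + timedelta(days=days)).isoformat()}
    if principal_id is not None:
        body["principalId"] = principal_id
    return body

def apply_permissions(send, app_id, display_name, grants, **grant_opts):
    """Steps 1-5. send(method, url, body) is a hypothetical transport returning JSON."""
    # Only the first page of results is read; a large tenant needs paging.
    principals = send("GET", f"{GRAPH}/servicePrincipals", None)["value"]
    sp = find_service_principal(principals, app_id)
    if sp is None:  # step 3: create only when missing
        sp = send("POST", f"{GRAPH}/servicePrincipals",
                  {"accountEnabled": True, "appId": app_id, "displayName": display_name})
    for resource_id, scope in grants:
        send("POST", f"{GRAPH}/OAuth2PermissionGrants",
             build_grant(sp["id"], resource_id, scope, **grant_opts))
    return sp["id"]

def fake_graph(existing):
    """Constructed in-memory stand-in for Graph so the example runs offline."""
    log = []
    def send(method, url, body):
        log.append((method, url.rsplit("/", 1)[-1], body))
        if method == "GET":
            return {"value": existing}
        return {"id": "constructed-sp-object-id", **(body or {})}
    return send, log
```

Pass `consent_type="AllPrincipals"` only when the caller is an administrator and a tenant-wide grant is intended; the resource IDs and scope strings are supplied by the caller, as in the requests above.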
    

Next steps

Now that you have registered your application within Azure AD, you will need to authenticate users within your application. Have a look at Authenticate users and get an Azure AD access token for your Power BI app to learn more.

More questions? Try asking the Power BI Community.