Authenticate against the PowerBI API using Azure AD Application Registration


Posted on 1/13/2022


The PowerBI API enables you to perform certain actions in the PowerBI Service. As an example, you can refresh PowerBI Datasets, retrieve workspaces, update parameters, etc.

While PowerBI itself offers the capability to register an application to authenticate against the API, it might be a better idea to use a centrally governed Application Registration from Azure Active Directory.

Prepare your Tenant

Enable Tenant Settings

To enable Azure Apps for authentication you need to enable this capability in the PowerBI Admin Portal Tenant Settings. You need at least PowerBI Service Administrator permissions to modify the Tenant Settings.

PowerBI Tenant Settings - Enable Allow service principals to use Power BI APIs in the Developer section

In the Tenant Settings, you need to enable "Allow service principals to use Power BI APIs". You'll find this in the "Developer Settings" Section.

Recommended: for improved security and better control you might want to select "Apply to" "Specific security groups". This way you can control which Application Registrations are allowed to access the PowerBI Service API. For this, you need to create an Azure AD Group and add the Application Registration as a member.

After you apply the settings, it will take up to 15 minutes for PowerBI to apply those changes.

Create an Azure AD Application Registration

Within the Azure Portal open Azure AD and go to the Application registrations option.

Set an appropriate Name for the Registration and create it.

In the Overview Panel of the created Application Registration copy and save the Application ID and Directory ID for later.

Go to the "Certificates & secrets" Panel, create a new Client Secret, and save the value for later.

No additional API Permissions need to be granted in Azure AD.

Add Permissions in Power BI

Within PowerBI you need to grant the Service Principal permissions to the Workspaces. Choose the permissions depending on your scenario. E.g. DataRefresh will require more permissions than just the retrieval of a report page.

In your desired Workspace open the Access Panel and enter the Name of the Azure App Registration. You can find a script to automate the permissions in the Microsoft Docs.

Create an Application

You can use any programming language that is capable of making HTTP requests. For some languages, such as C# and Python, SDKs are available.

In this example, I will focus on C#.

using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential
using Microsoft.PowerBI.Api;                           // PowerBIClient
using Microsoft.Rest;                                  // TokenCredentials

public async Task GetGroupDatasets(Guid groupId)
{
    // Authentication and token retrieval
    string authority = "https://login.microsoftonline.com/{your tenant id}";

    // ADAL treats this value as the resource URI of the Power BI API
    string scope = "https://analysis.windows.net/powerbi/api";

    // Load the secret from a secure store or configuration rather than committing it to source
    string clientId = "{enter your application client id}";
    string clientSecret = "{enter your secret}";

    AuthenticationContext authContext = new AuthenticationContext(authority);
    ClientCredential credentials = new ClientCredential(clientId, clientSecret);

    AuthenticationResult authResult = await authContext.AcquireTokenAsync(scope, credentials);
    TokenCredentials tokenCredentials = new TokenCredentials(authResult.AccessToken, authResult.AccessTokenType);

    // Build PowerBI client
    PowerBIClient client = new PowerBIClient(new Uri("https://api.powerbi.com"), tokenCredentials);

    // Call PowerBI API
    // Update with your desired logic
    await client.Datasets.GetDatasetsAsync(groupId);
}

Update the values for authority, clientId, and clientSecret with the values we copied earlier from the Azure AD Portal.
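
The same flow with plain HTTP requests and no SDK, as an added example that is not part of the original post: a client-credentials token request to the Azure AD v2.0 token endpoint, followed by a call to the workspace datasets endpoint of the Power BI REST API. The class name and the PBI_* environment variable names are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

public static class PowerBiRawHttpExample // hypothetical class name
{
    private static readonly HttpClient Http = new HttpClient();

    // OAuth 2.0 client-credentials grant against the Azure AD v2.0 token endpoint.
    public static async Task<string> GetTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            // On the v2.0 endpoint the scope is the API resource URI plus "/.default".
            ["scope"] = "https://analysis.windows.net/powerbi/api/.default"
        });
        using var response = await Http.PostAsync($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token", form);
        string body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode) // the error body names the cause, e.g. an invalid client secret
            throw new InvalidOperationException($"Token request failed ({(int)response.StatusCode}): {body}");
        using var json = JsonDocument.Parse(body);
        return json.RootElement.GetProperty("access_token").GetString();
    }

    // Lists the datasets of one workspace; returns the raw JSON response.
    public static async Task<string> GetGroupDatasetsJsonAsync(string token, Guid groupId)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get,
            $"https://api.powerbi.com/v1.0/myorg/groups/{groupId}/datasets");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        using var response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode(); // throws if the call is rejected, e.g. workspace access not granted
        return await response.Content.ReadAsStringAsync();
    }

    public static async Task Main()
    {
        // Assumed variable names; keeps the secret out of source code.
        string Env(string n) => Environment.GetEnvironmentVariable(n) ?? throw new InvalidOperationException($"{n} is not set");
        string token = await GetTokenAsync(Env("PBI_TENANT_ID"), Env("PBI_CLIENT_ID"), Env("PBI_CLIENT_SECRET"));
        Console.WriteLine(await GetGroupDatasetsJsonAsync(token, Guid.Parse(Env("PBI_GROUP_ID"))));
    }
}
```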