# PowerBI

{% hint style="info" %}
**Required role to configure:** [Admin](/external-docs/fundamentals/settings/user-roles.md) or higher.

Users with lower roles can view this feature but cannot change its configuration.
{% endhint %}

### Register application in Microsoft Entra ID

1. Log in to the Azure portal: <https://portal.azure.com/>
2. Open the menu and click **Azure Active Directory**.
3. In the left menu, under the *Manage* section, click **App Registrations**.
4. At the top of the page, click the **New registration** button.
5. In the resulting page, enter the following information:
   * For *Name* enter a name for the integration. For example, `SeemorePowerBIIntegration`.
   * For *Supported account types* select **Accounts in this organizational directory only (\<directory> only - Single tenant)**.
6. At the bottom of the page, click the **Register** button.

### Client secret <a href="#create-a-client-secret-0-2" id="create-a-client-secret-0-2"></a>

1. In the left menu of the app registration, under the *Manage* section, click **Certificates & secrets**.
2. Under the *Client secrets* tab, click the **New client secret** button.
3. Enter a description and set the expiration.
4. At the bottom of the page click the **Add** button.
5. For your create secret, under the *Value* column, click the copy icon to copy the secret value.

### Security group <a href="#create-a-security-group-0-4" id="create-a-security-group-0-4"></a>

1. Open the menu and click **Azure Active Directory**.
2. In the left menu, under the *Manage* section, click **Groups**.
3. At the top of the page, click the **New group** button.
4. Set the *Group type* to **Security**.
5. Enter a *Group name* and (optionally) a *Group description*.
6. Under *Members* click the **No members selected** link.
7. Add the appropriate member:
   * **For Delegated User authentication**: search for the user and select it.
   * **For Service Principal authentication**: search for the application registration created earlier and select it.
8. Click **Select** and then **Create**.

*By the end of these steps, you have registered an application with Microsoft Entra ID and created a Security Group with the appropriate member.*

## Configure authentication options

Seemore supports two authentication methods for fetching metadata from Microsoft Power BI:

### Service principal authentication (recommended)

When using Service Principal authentication, you must decide how the connector shall access metadata to catalog assets and build lineage. There are two supported options:

### Admin API <a href="#enable-extra-admin-api-settings-0-5" id="enable-extra-admin-api-settings-0-5"></a>

This option grants permissions that let the service principal to access only admin-level Power BI APIs. In this mode, Seemore extracts metadata exclusively using administrative endpoints. This option is recommended for stricter access control environments.<br>

1. Log in to the Power BI admin portal: <https://app.powerbi.com/admin-portal>
2. From the menu under *Admin portal* click **Tenant settings**.
3. Under the *Developer settings* heading, expand the **Allow service principals to use Power BI APIs** expandable and ensure this is **Enabled**.
   1. Under *Specific security groups (Recommended)* add the security group created above.
   2. At the bottom of the expanded section click the **Apply** button.
4. Under the *Admin API settings* heading, expand the **Allow service principals to use read-only Power BI admin APIs** expandable and ensure this is **Enabled**.
   1. Under *Specific security groups* add the security group created above.
   2. At the bottom of the expanded section click the **Apply** button.
5. Still under the *Admin API settings* heading, expand the **Enhance admin APIs responses with detailed metadata** expandable and ensure this is **Enabled**.
   1. Under *Specific security groups* add the security group created above.
   2. At the bottom of the expanded section click the **Apply** button.
6. Still under the *Admin API settings* heading, expand the **Enhance admin APIs responses with DAX and mashup expressions** expandable and ensure this is **Enabled**.
   1. Under *Specific security groups* add the security group created above.
   2. At the bottom of the expanded section click the **Apply** button.

### Configure Admin and Non-Admin API Access in PowerBI Service Portal <a href="#configure-api-access-powerbi-service-portal-0-7" id="configure-api-access-powerbi-service-portal-0-7"></a>

To enable both admin and non-admin API access:

1. Log in to the Power BI admin portal.
2. Click **Tenant settings** under *Admin portal*.
3. Under *Developer settings*:
   1. Expand **Service principals can use Fabric APIs** and set to **Enabled**.
   2. Add your security group under *Specific security groups*.
   3. Click **Apply**.
4. Under *Admin API settings*:

   1. Expand **Enable service principals to use read-only Power BI admin APIs** and set to **Enabled**.
   2. Add your security group.
   3. Click **Apply**.
   4. Expand **Enhance admin APIs responses with detailed metadata** and set to **Enabled**.
   5. Add your security group.
   6. Click **Apply**.
   7. Expand **Enhance admin APIs responses with DAX and mashup expressions** and set to **Enabled**.
   8. Add your security group.
   9. Click **Apply**.

   After making these changes, you typically need to wait 15-30 minutes for the settings to take effect across Microsoft's services.

### Service principal as a workspace viewer <a href="#add-service-principal-as-a-workspace-viewer-0-6" id="add-service-principal-as-a-workspace-viewer-0-6"></a>

1. Log in to the Power BI portal and go to the [homepage](https://app.powerbi.com/home).
2. From the menu on the left, open **Workspaces** and then the workspace you want to access from Seemore.
3. Above the table, click the **Access** button.
4. In the resulting panel:
   1. Inside the text box that says *Enter email addresses* enter the name of the security group you created above.
   2. Change the drop-down below this to **Viewer**.
   3. Below the drop-down, click the **Add** button.

#### &#x20;<a href="#delegated-user-authentication" id="delegated-user-authentication"></a>

### Delegated user authentication

### **Adding Permissions:**

In your app’s dashboard, go to **API permissions** from the left-side menu.

<figure><img src="/files/zlOpxTbdsHYZ1Mp7eDdi" alt=""><figcaption></figcaption></figure>

1. Click **"Add a permission"**.
2. **Add Power BI Service Permissions**

   * Select **"Power BI Service"** from the Microsoft APIs list.

   <figure><img src="/files/4alBZwEpRxfVwPeUaV9O" alt=""><figcaption></figcaption></figure>

   * Under **Delegated permissions**, add the following:
     * **Tenant.Read.All**
   * Click **Add permissions**.
3. **Add Microsoft Graph Permissions**

{% hint style="info" %}
The Microsoft Graph API Permissions is required In order to generate insights regarding inactive user accounts.
{% endhint %}

* Go back to **"Add a permission"**.
* Select **Microsoft Graph**.

<figure><img src="/files/m2fB4rW4LV5IM7XSSSWW" alt=""><figcaption></figcaption></figure>

* Under **Application permissions**, add the following:
  * **`Directory.Read.All`** under Directory.
  * **`User.Read.All`** under User.
  * Click **`Add permissions`**.

4. **Grant Admin Consent**

* After adding the permissions, an **Admin Consent** button may appear
* Click **Grant admin consent** to finalize the configuration.

***

***Note:** Ensure that the service principal and the security group have been set up and configured properly to avoid access issues when using the Power BI APIs and workspaces.*

***

{% hint style="success" %}
**Verify Permissions**

<img src="/files/gAaIUrinSeDUINtEagB0" alt="" data-size="original">

1. Go back to the **API permissions** page.
2. Ensure the permissions list includes:
   * Power BI Service: `Tenant.Read.All`
   * Microsoft Graph: `Directory.Read.All` and `User.Read.All`
3. Confirm the **status** shows that admin consent has been granted if needed.
   {% endhint %}

**Admin API settings configuration**

To enable the Microsoft Power BI admin API:

1. Log in to the [Power BI admin portal](https://app.powerbi.com/admin-portal).
2. Click **Tenant settings** under Admin portal.
3. Under **Admin API settings**:
   * Expand **Enhance admin APIs responses with detailed metadata** and set to **Enabled**
     * Add your security group
     * Click **Apply**
   * Expand **Enhance admin APIs responses with DAX and mashup expressions** and set to **Enabled**
     * Add your security group
     * Click **Apply**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.seemoredata.io/external-docs/fundamentals/getting-set-up/setting-integrations/powerbi.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.