Setting up authentication for Power BI, Azure Data Factory and SharePoint Lists connectors

Samuel Chmiel - Dataedo Team, 10th October, 2024

From Dataedo version 24.3, there are two methods to authenticate with Power BI, Azure Data Factory, and SharePoint Lists. The first method is Interactive mode, which requires user interaction each time a data source is imported. Because of this, import tasks using Interactive mode cannot be scheduled in Dataedo Scheduler. The second method is Service Principal, which uses a client secret from Azure Application Registration and does not require user interaction during import.

When using the Interactive authentication type without Advanced authentication settings, the only prerequisite is that the user you're connecting with has the appropriate permissions. However, when using the Interactive authentication type with Advanced authentication settings or the Service Principal authentication type, you must first have an Azure Application Registration created.

Interactive authentication type

This authentication workflow uses user impersonation against an Azure Application Registration. By default, Dataedo's Application Registration is used, but selecting Advanced authentication settings lets you provide connection details for your own Azure Application Registration.

Required permissions

Required permissions for Power BI

The user must have the following scopes:

  • Report.Read.All
  • Workspace.Read.All
  • Dataset.Read.All
  • Dataflow.Read.All
  • Dashboard.Read.All

Additionally, the Tenant.Read.All scope is required to import usage statistics.

Required permissions for Azure Data Factory

The user must have Data Factory Contributor role.

Required permissions for SharePoint Lists

The user must have the Sites.Read.All scope.
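
One way to check these prerequisites before an import, as an added example that is not part of Dataedo or of the original article: the script decodes an access token's payload and reports which of the permissions listed above are missing. It goes slightly beyond the text by also reading the roles claim, which is where Microsoft Entra ID places application permissions in service principal tokens (delegated scopes arrive in scp). The connector keys, function names and sample tokens are constructed for illustration.

```python
import base64
import json

# Permissions copied from the "Required permissions" lists on this page.
# The dictionary keys are labels chosen for this example, not Dataedo settings.
REQUIRED = {
    "powerbi": {"Report.Read.All", "Workspace.Read.All", "Dataset.Read.All",
                "Dataflow.Read.All", "Dashboard.Read.All"},
    "powerbi_usage": {"Tenant.Read.All"},
    "sharepoint": {"Sites.Read.All"},
}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """Delegated tokens carry scopes in 'scp' (space separated); app-only tokens use 'roles'."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def missing_permissions(token: str, connector: str) -> set:
    """Return the required permissions that the token does not carry."""
    return REQUIRED[connector] - granted_permissions(jwt_claims(token))


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo; not a real Entra ID token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed inputs: an interactive (delegated) token and a service principal token.
    user = constructed_token({"scp": "Report.Read.All Workspace.Read.All Dataset.Read.All"})
    app = constructed_token({"roles": ["Sites.Read.All"]})
    print("Power BI missing:", sorted(missing_permissions(user, "powerbi")))
    print("SharePoint missing:", sorted(missing_permissions(app, "sharepoint")))
```

The Data Factory Contributor requirement is an Azure role assignment on the resource, so it does not appear in token claims and is not covered by this check.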

Interactive authentication using default settings

To use interactive authentication with default settings, set the Authentication Type dropdown to Interactive and leave the Advanced authentication settings checkbox unchecked.

When you click Connect or select details (a workspace for Power BI, a Site for SharePoint Lists, or a Subscription/Resource Group/Factory for Azure Data Factory), your default browser opens the Microsoft login screen. After a successful login you can close the browser and start the import. In some cases, first-time use requires Azure Administrator consent, and an Administrator has to act as explained in Adding Azure Administrator consent to Azure Application Registration in this article.

Interactive authentication using advanced authentication settings

To use interactive authentication with advanced authentication settings, set the Authentication Type dropdown to Interactive and check the Advanced authentication settings checkbox. Then enter your Application Registration Client Id in the Client Id textbox. How to create an Azure Application Registration and where to find its Client Id is explained in the Creating Azure Application Registration section below. If your Application Registration uses non-default settings, or you use an Azure Cloud Instance other than Azure Public, select the appropriate values in the Authority, Cloud Instance and Audience fields.

Creating Azure Application Registration

To create an Azure Application Registration:

  1. Log in to the Azure Portal.
  2. In the search bar, search for App registrations and select it from the list.
  3. From the toolbar, on the App registrations page, click + New registration.
  4. On the Register page, enter a name for your client application in Name, select the supported account types, and set Redirect URI to Public client/native with the http://localhost redirect URI.
  5. Click Register.
  6. On the homepage of your created application, on the Overview screen, copy the value of the Application (client) ID field. This value needs to be pasted into the Client Id field in Dataedo.
  7. In the left sidebar of your created application page, click Manage and then API permissions to assign the proper permissions to the application.
  8. On the API permissions page, click Add a permission.
  9. In the Request API permissions sidebar on the right, click Azure Service Management.
  10. In the permissions list that appears after clicking Azure Service Management, check the user_impersonation checkbox and click Add permissions.

Adding Azure Administrator consent to Azure Application Registration

In some Azure subscription configurations, Admin consent may be required for using Application Registration.

If the user encounters a screen like this, it means that requesting Admin consent is disabled for your Azure subscription:

[Screenshot]

To resolve this, the user needs to see a screen like this, where they can send a request for approval to the Azure Admin:

[Screenshot]

To enable sending Admin consent requests, the Azure Administrator needs to take the following steps in Azure Portal:

  1. Open Enterprise applications in the Azure portal.
  2. In the left sidebar, go to Security and click on the Consent and permissions menu.
  3. In Consent and permissions, click Admin consent settings in the left sidebar and select YES for "Admin consent requests – Users can request admin consent to apps they are unable to consent to." Select one or more users, groups, or roles that can consent to applications.

Once consent requests are enabled, the user can send a request for approval:

[Screenshot]

After the request is sent, the Azure Administrator will see the request for review under Enterprise applications in the Azure Portal, within the Activity -> Admin consent requests menu. After reviewing and approving the requested permissions, the user will be able to log in and import the Power BI workspace with the Dataedo application.

Service Principal authentication type

To use the Service Principal authentication type, select Service Principal in the Authentication Type dropdown and fill in Client Id, Client Secret and Tenant Id with the values from your Azure Application Registration. How to create an Azure Application Registration and where to find those values is explained in Creating Azure Application Registration below.

Creating Azure Application Registration

To create an Azure Application Registration:

  1. Log in to the Azure Portal.
  2. In the search bar, search for App registrations and select it from the list.
  3. From the toolbar, on the App registrations page, click + New registration.
  4. On the Register page, enter a name for your client application in Name, select the supported account types, and set Redirect URI to Public client/native with the http://localhost redirect URI.
  5. Click Register.
  6. On the homepage of your created application, on the Overview screen, copy the value of the Application (client) ID field and paste it into the Client Id field in Dataedo, then copy the Tenant Id into the Tenant Id field in Dataedo.
  7. From the left menu of your created application registration page, click Certificates & secrets.
  8. On the Certificates & secrets page, under Client secrets, click + New client secret.
  9. On the Add client secret screen, enter the description and expiry, then click Add.
  10. On the Certificates & secrets page, under Client secrets, click the clipboard icon to copy the secret and paste it into the Client Secret field in Dataedo.

Setting up Service Principal for Power BI

To set up Power BI import using service principal authentication, in addition to the application registration you must create a security group, assign this group the proper role in the Microsoft Power BI workspace, and configure additional settings in the Power BI Admin Portal. These steps are explained in Creating security group, Assigning security group and role in Microsoft Power BI, and Enable admin API settings in Microsoft Power BI below. After setting it up you are ready to import Power BI using service principal authentication.

Creating security group

  1. Log in to the Azure Portal.
  2. In the search bar enter Microsoft Entra ID and select it from the list.
  3. In the left menu under the Manage section, click Groups.
  4. Click New group.
  5. Set the Group type to Security.
  6. Enter Group name and description.
  7. Under Members, click the No members selected link.
  8. Search for application registration created before and click to select it.
  9. Click Select.
  10. Click Create.

Assigning security group and role in Microsoft Power BI

  1. Open https://app.powerbi.com/home
  2. Open Workspaces and then select the workspace you wish to import.
  3. Click the Manage Access button.
  4. In the Enter email addresses box, enter the name of the security group you created before.
  5. To generate lineage for dataflows, in addition to importing defined parameters for semantic models, set the role to Member.
  6. Click Add below the dropdown.

Enable admin API settings in Microsoft Power BI

  1. Log in to https://app.powerbi.com/admin-portal
  2. From the menu under Admin portal, click Tenant settings.
  3. Under Developer settings, click Service principals can use Fabric APIs and select Enabled. Under security groups, add the security group created before and click Apply.
  4. Under Admin API settings, click Allow service principals to use read-only Power BI admin APIs and select Enabled. Under security groups, add the security group created before and click Apply.
  5. Under Enhance admin APIs responses with detailed metadata, select Enabled. Under security groups, add the security group created before and click Apply.
  6. Under Enhance admin APIs responses with DAX and mashup expressions, select Enabled. Under security groups, add the security group created before and click Apply.

Setting up Service Principal authentication for Azure Data Factory

To set up Azure Data Factory import using service principal authentication, in addition to the application registration you must assign the Data Factory Contributor role to this application registration for the proper resources, as explained in Assigning Data Factory Contributor role to application registration for Azure Data Factory. After setting it up you are ready to import Azure Data Factory using service principal authentication.

Assigning Data Factory Contributor role to application registration for Azure Data Factory

  1. Log in to the Azure Portal.
  2. In the search bar, search for Data factories and select it from the list.
  3. Choose the Data Factory to which you want to assign a role.
  4. On the selected Data Factory click on Access control (IAM) in the left menu.
  5. Under Grant access to this resource click Add role assignment.
  6. Select Data Factory Contributor from the list.
  7. Click on Members tab.
  8. Click Select members.
  9. Enter your application registration name and click Select.
  10. Click Review and assign.

Setting up Service Principal authentication for SharePoint Lists

To set up SharePoint Lists import using service principal authentication, in addition to the application registration you must assign the proper permissions to that application, as explained in Assigning permissions to application registration for SharePoint Lists. After setting it up you are ready to import SharePoint Lists using service principal authentication.

Assigning permissions to application registration for SharePoint Lists

  1. Log in to the Azure Portal.
  2. In the search bar, search for App registrations and select it from the list.
  3. Choose the application registration which will be used for authentication.
  4. In the left sidebar of your application page, click Manage and then API permissions to assign the proper permissions to the application.
  5. Click Add a permission.
  6. Click Application permissions.
  7. In the search bar under the Select permissions caption, enter "Site".
  8. Check the checkboxes for the Sites.Read.All and Sites.Read.Selected scopes.
  9. Click Add permissions.
  10. On the API permissions page, click Add a permission.