Service principal is an authentication method that can be used to let a Microsoft Entra application access Power BI service content and APIs.
When you create a Microsoft Entra app, a service principal object is created. The service principal object, also known simply as service principal, allows Microsoft Entra ID to authenticate your app. After it's authenticated, the app can access Microsoft Entra tenant resources.
To authenticate, the service principal uses the Microsoft Entra app's application ID and one of the following:
- A certificate
- An application secret
This article describes service principal authentication using an application ID and an application secret.
To use service principal and an application ID for embedded analytics, you take the following steps. Subsequent sections describe these steps in detail.
1. Create a Microsoft Entra app.
   - Create a secret for your Microsoft Entra app.
   - Get the app's application ID and application secret.
2. Create a Microsoft Entra security group.
3. Enable the Power BI service admin settings.
4. Add the service principal to your workspace.
5. Embed your content.
You can create a Microsoft Entra app from the Azure portal or by using PowerShell.
Your service principal doesn't have access to any of your Power BI content and APIs. To give the service principal access, create a security group in Microsoft Entra ID. Then add the service principal you created to that security group.
There are two ways to create a Microsoft Entra security group:
- Manually (in Azure)
- Use PowerShell
To create an Azure security group manually, follow the instructions in Create a basic group. Don't add members to the group at this time.
The following sample script creates a new security group. It also adds the service principal that you created earlier to the new security group.
- Before you run the script, replace the placeholder with the client ID that you recorded earlier for your new app.
- After you run the script, make a note of the object ID of the new security group, which you can find in the script output.
For a Microsoft Entra app to access the Power BI content and APIs, a Power BI admin needs to enable the following settings:
- Embed content in apps
- Allow service principals to use Power BI APIs
In the Power BI Admin portal, go to Tenant settings, and scroll down to Developer settings.
Enable Embed content in apps either for the entire organization or for the specific security group you created in Microsoft Entra ID.
Enable Allow service principals to use Power BI APIs either for the entire organization or for the specific security group you created in Microsoft Entra ID.
Your Microsoft Entra app can access your Power BI reports, dashboards, and semantic models only when it has access to your Power BI workspace as a member or admin. You provide that access by adding the app's service principal or its security group to your workspace.
There are three ways to add a service principal or its security group to your workspace:
- Manually
- Use PowerShell
- Use the Groups - add group user API
In the Power BI service, scroll to the workspace you want to enable access for. From its More menu, select Workspace access.
In the Access pane, under Add admins, members, or contributors, add one of the following:
- Your service principal. The name of your service principal is the Display name of your Microsoft Entra app, as it appears in your Microsoft Entra app's overview tab.
- The security group that includes your service principal.
On the dropdown menu, select Member or Admin.
Select Add.
The following sections provide sample PowerShell scripts for adding a service principal and a security group to a Power BI workspace as a member.
Add a service principal as a workspace member by using PowerShell
The following script adds a service principal as a workspace member. Before you run the script:
- Replace the placeholder with the object ID that you recorded earlier for your new service principal.
- Replace the placeholder with the name of the workspace that you'd like to give the service principal access to.
Add a security group as a workspace member by using PowerShell
The following script adds a security group as a workspace member. Before you run the script:
- Replace the placeholder with the object ID that you recorded earlier for your new security group.
- Replace the placeholder with the name of the workspace that you'd like to give the security group access to.
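The following script is an added example, not one of the article's own scripts. It ties together the security-group step and the workspace-access step above: it resolves the service principal's object ID from the app's client ID, creates a security group containing it, grants that group Member (not Admin) access to the workspace, and reads the workspace users back for verification. It assumes the Microsoft.Graph and MicrosoftPowerBIMgmt modules are installed; the client ID, group name, and workspace name are constructed placeholders.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph and
# MicrosoftPowerBIMgmt modules. The three values below are constructed placeholders.
$appClientId   = "00000000-0000-0000-0000-000000000000"   # application (client) ID of your Entra app
$groupName     = "PowerBI-Embed-ServicePrincipals"        # assumed name for the new security group
$workspaceName = "Embedded Analytics Workspace"           # assumed workspace display name

# 1. Resolve the service principal's object ID from the app's client ID.
#    Group membership and the Power BI API expect the object ID, not the client ID.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.Read.All"
$sp = Get-MgServicePrincipal -Filter "appId eq '$appClientId'"
if (-not $sp) { throw "No service principal found for app ID $appClientId" }

# 2. Create a mail-disabled security group and add the service principal as a member.
$mailNickname = $groupName -replace '[^A-Za-z0-9]', ''
$group = New-MgGroup -DisplayName $groupName -MailEnabled:$false `
                     -MailNickname $mailNickname -SecurityEnabled
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $sp.Id
# Record this ID: use it to scope the Developer tenant settings to this group
# rather than enabling them for the entire organization.
Write-Host "Security group object ID: $($group.Id)"

# 3. Give the group Member access to the workspace. Member is sufficient for
#    embedding; reserve Admin for principals that must manage the workspace itself.
Connect-PowerBIServiceAccount
$workspace = Get-PowerBIWorkspace -Name $workspaceName
if (-not $workspace) { throw "Workspace '$workspaceName' not found" }
Add-PowerBIWorkspaceUser -Id $workspace.Id -AccessRight Member `
                         -PrincipalType Group -Identifier $group.Id

# 4. Verify through the Groups REST API that the group now appears with Member rights.
$users = (Invoke-PowerBIRestMethod -Url "groups/$($workspace.Id)/users" -Method Get |
          ConvertFrom-Json).value
$users | Where-Object { $_.identifier -eq $group.Id } |
         Select-Object displayName, principalType, groupUserAccessRight
```

Group membership changes in Microsoft Entra ID can take some time to be reflected in Power BI, so a verification that shows the group but a subsequent API call that is still refused is usually propagation delay rather than a misconfiguration.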
You can embed your content within a sample application, or within your own application.