Delegating Permissions
Part 1 will be an introduction to Scanner APIs and how you delegate permissions in order to now have to use the power BI Admin Account
Power BI Scanner APIs are fairly new and there have been a lot of updates happening in the September October 21 Power BI Updates.
These scanner APIS scan, catalog and report on all the metadata of your organisations Power BI artifacts.
Scanner APIs are the Admin REST APIs that can extract tenant level meta data that support the Power PI good Governance Pillar of Discoverability and Monitoring
So the scanner APIs are a set of Admin REST APIs.
What is an API?
“API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other”
What is a REST API?
“an application programming interface that conforms to the constraints of REST. REST = Representational state transfer“
Scanner APIs
When you look at the list of Power BI APIs these are the ones specific to the Scanner API group
Your Power BI Admin needs to set this up. I have used the following information for this
And as usual I’m extremely thankful to everyone providing such fantastic information.
Service Principal support for read-only Admin APIs
Service Principal Support to the Scanner admin APIS became available September 21.
“Service Principal is an authentication method that can be used to let an Azure AD applications access Power BI APIs. This removes the need to maintain a service account with an admin role. To allow your app to use the admin API’s, you need to provide your approval once as part of the tenant settings configuration.”
The Scanner API’s and Service Principal Support could well be a game changer for governance if everything is actually in place.
So we are able to delegate permissions to use the APIs
I followed the documentation https://powerbi.microsoft.com/en-us/blog/power-bi-september-2021-feature-summary/#post-17174-_Toc819…
https://docs.microsoft.com/en-gb/power-bi/admin/read-only-apis-service-principal-authentication
So as a prerequisite here is my list of everything that needs to be done based on the documentation read
Prerequisites
Create Azure AD App
- Go to Azure AD
- App registration – New Registration
- Make sure its a web application
Assign Role
- You will need to choose an Azure Area for this project (Subscription and resource group)
- Go to Azure Level (In my case the level is at resource group not subscription)
- go to IAM. Add Role to the app
- I selected contributor
Get Tenant and AppID
- Go back to App
- Get tenant ID
- Get Application (Client ID)
- These will be store both in the Application Code at a later date so keep this in mind.
Create Application Secret
- App Registration – Select the app again
- Client Secret – New Secret
- I have added the secret to key vault for use later (the Key Vault is in the same Resource group as selected above)
Configure Access Policies on Resources
- I have a Key vault.
- Added the Service principal of the app in Access Policies with Get and List on Secrets
Create Security Group in Azure ADÂ
- Go to Azure AD Groups
- New Security Group
- Add the App as a member in Members
Enable Power BI service Admin Settings
- Power BI Admin – tenant Settings (Must be Power BI admin)
- Allow Service principal to use ReadOnly Power BI admin APIs
- Add the Security Group created above which has the service principal as a member
Start using read only admin APIs?
The documentation finishes at this point so how do you use these APIS?
We will look at this in part 2 but at this point we want to be able to set up and use in a Data factory.
Linked Service
Note that here we use the AAD Service Principal
We added the App Secret into Key Vault which we used here
The Service Principal ID (Blanked out here) Is taken from the App. Azure Active Directory
App registrations
And after a test its successful.
We can go onto swap out the authentication type of web services later in the process. Like this one for getting Workspace Info (Scanner API 2)
Later we will look at how to set up the Scanner API in a data factory, But in the meantime, Here is a possible error you can get when attempting to work with the Service Principal
Operation on target Post WorkspaceInfo failed: GetSpnAuthenticationToken: Failed while processing request for access token with error: Failed to get access token by using service principal. Error: unauthorized_client, Error Message: AADSTS700016: Application with identifier 'IDENTIFIER DETAILS' was not found in the directory 'Peak Indicators'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
After closer inspection, I had missed the last number from the Application /Client ID so this was a quick fix.
When you use the Scanner APIs in Data factory you use all 4 in sequence. Lots more to think about here. The data factory Set up. How you switch modified workspaces to only take updates after a certain time.
so lots more to come
Debbies Microsoft Power BI, SQL and Azure Blog 