Skip to content

Creating an Entra App in Azure

Tldr

  • Naming Convention:
    • Entra app: xxx-pwrp [application] where application is a human readable name of an application, e.g.
      • int-pwrp Automation Server
    • hbt-pwrp Power BI Proxy
  • Client Secret
    • max lifetime (720 days)
  • Redirect URI: https://localhost:44300/
  • Preferred flow: different libraries at pwrp use different flows. But if you have a choice, we recommend using the authorization-code flow for personalised workloads, and client-credentials for service-to-service calls.

Note on authentication

NOTE: here, we use delegated permissions (user impersonation, user owns data). Typically, the tech user is the impersonated user.

However, a nicer flow would be to
use a Service Principal. This would look like so:

  1. Azure Function has a service principal (SP)

  2. This SP is used already, for example to fetch the secrets from the Vault

  3. We could configure the API to also allow the Azure Function SP to access the API

However, this requires a Power BI Capacity (either Power BI Embedded or Power BI Premium).

App Registration with Delegated Permissions

There are (at least) two ways to create an app:

  1. manually

  2. with the embed wizard: https://app.powerbi.com/embedsetup

Here, we show the manual setup.

It consists of the following steps:

  1. create App

  2. create secret

  3. give permissions

  4. grant admin consent

At the end, you will have an App. The app is an OAuth2 construct. It defines the permissions needed by our library. Later, you will be able to authorize the API to make requests on behalf of your user.

Create App

  1. go to Entra (ex Azure AD)

  2. App Registrations

  3. make a new Registration

    create-app.png

  4. give it a name, e.g. Power BI Automation Server

  5. only for tenant users

  6. redirect URL: This is needed for our authentication scenario. Enter a localhost URL, e.g. https://localhost:44300/

    register-app-details.png

  7. Go to Certificates & secrets

  8. Add new secret

  9. Give it a name

  10. Set expiry to the maximum

  11. Add secret

    add-secret.png

  12. IMPORTANT: Copy the Value (this value will not be shown afterwards anymore)

    secret-value.png

  13. Go to API Permissions

  14. Add a permission

  15. Select Power BI Service, and add all permissions for Delegated permissions

  16. Later -> Repeat 13 - 18, this time with Azure Service Management

  17. Use Delegated Permission

  18. Expand

  19. Select all permissions you need (or all)
    delegated-permissions.png

  20. Grant admin consent if needed
    grant-admin-consent.png

The call will most likely result in an error, but you can copy the

Checklist

  • you have an app registered
  • you are the owner
  • the app has a secret
  • you have the value of the secret noted down
  • the app has all the Power BI Embed permissions
  • the app has all the Azure Management API permissions
  • you have a Refresh Token