Service principals are essential to using the Fabric REST API for automation. In this blog we'll show you how to create a service principal that can be used to automate API calls to Power BI, such as refresh.
Once you have created the service principal, the next article shows you how to use it to automate refresh, but we also use it for other APIs such as monitoring, accessing OneLake and launching Pipelines.
There are three key steps that must be accomplished to create your service principal and grant permissions to Fabric:
- App Registration:
  - Initiate the process by registering your application in the Azure portal. Define its properties, choose the appropriate account type, and set up any necessary configurations.
- Creation of Security Group:
  - Establish a security group tailored to your application’s needs. This step is crucial for managing access and permissions efficiently.
- Power BI Admin Portal Settings:
  - Configure the Power BI Admin Portal settings to align with your application’s requirements. This step ensures seamless integration and optimal functionality.
App Registration
- Log in to the Azure client portal at https://portal.azure.com/, type “App registrations” in the search bar, and select “App registrations” from the Services highlighted in grey
- Click on “New registration” from the left-most corner to register the new application
- Fill in the new application name and select the accounts authorized to access the app. A redirect URI can optionally be added to receive the authentication response. Once all details are filled in, click on the “Register” button at the bottom left corner
- Once the App is registered, it will redirect you to the Overview page that displays the Client ID, Object ID and Tenant ID
- Generate a Client Secret by clicking on the “Certificates & Secrets” tab from the menu bar on the left under “Manage”
- Click on “New client secret” to generate a client secret. A new window will appear on the right where you fill in the description and password expiration. Once done, click on “Add” at the bottom of the screen
- Once the client secret is created, its value is shown only once and needs to be copied into Key Vault or another appropriate password manager tool
- The next step is to give the app the appropriate API permissions so it can access Power BI objects. Click on “API permissions” from the menu bar on the left under “Manage”
- To add permission, click on “Add a permission” and it will open a new window on the right. Scroll down to select the Power BI Service option from the list
- Once opened, click on “Delegated permissions” and select the appropriate permissions to be given to the App and click “Add permissions” from the bottom
- Some permissions require admin consent, which can be granted using “Grant admin consent for <OrganisationName>”. You will need admin privileges in AAD, or you can ask someone who has admin privileges to approve the permissions
Creation of Security Group
Once the App is registered, the next step is to create a Security Group that will have the App Id (Service Principal) as one of the members.
- Open Azure Portal and browse “Groups” to create a new security group. To create a security group, you will need at least “Group Creator” or higher permissions.
- Click on “New group” to create a new security group
- Select “Security” as “Group Type” and provide the appropriate group name under “Group name”. Next, click on “No members selected” from the bottom left to add the Service Principal as a member. Once the App ID is selected, click on “Select” from the bottom to save the configuration
- Lastly, select “Create” after member selection
- It will take a few minutes for the new security group to appear in the “Groups” list
Power BI Admin Portal Settings
- Log in to Power BI and navigate to “Admin portal” under Settings
- To update settings under “Admin portal”, you need to have the “Fabric Administrator” role assigned. That can be achieved by clicking on “Add assignments” within the “Fabric Administrators” role. Please note, the role assignment can take some time to reflect.
- Once the appropriate permissions are acquired, go to Admin Portal. Select Tenant settings from the menu bar on the left and browse for “Developer settings” on the right. Then add the new security group under “Allow service principals to use Power BI APIs” and click “Apply”.
- Once applied, go to the Workspace that needs to be accessed by the REST API and add the Service Principal as “Admin”
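
To confirm the three steps took effect, this added example (not part of the original post) builds the client-credentials token request for the service principal, checks the returned token's claims against the Tenant ID and Client ID from the Overview page, and lists the workspaces the service principal can see. The `FABRIC_*` environment variable names, the helper function names and the placeholder IDs are assumptions; without `FABRIC_CLIENT_SECRET` set it runs offline against a constructed, unsigned token.

```python
import base64, json, os, time, urllib.parse, urllib.request
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
RESOURCE = "https://analysis.windows.net/powerbi/api"      # Power BI resource
GROUPS_URL = "https://api.powerbi.com/v1.0/myorg/groups"   # lists workspaces

def build_token_request(tenant_id, client_id, client_secret):
    """Build (do not send) the OAuth2 client-credentials token request."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": RESOURCE + "/.default"}
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant_id),
                                  data=urllib.parse.urlencode(form).encode(), method="POST")

def token_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def claim_problems(claims, tenant_id, client_id, now=None):
    """List mismatches between the token and the app registration's Overview page."""
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Tenant ID")
    if client_id not in (claims.get("appid"), claims.get("azp")):  # v1.0 / v2.0 claim
        problems.append("appid/azp does not match the Client ID")
    if not str(claims.get("aud", "")).startswith(RESOURCE):
        problems.append("aud is not the Power BI API")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired")
    return problems

def sample_token(claims):
    """Constructed, unsigned JWT-shaped string so the checks can run offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none"}) + "." + enc(claims) + "."

def get_json(request):
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; never hard-code the secret
    tenant, client = env.get("FABRIC_TENANT_ID", "tenant-0000"), env.get("FABRIC_CLIENT_ID", "client-0000")
    if "FABRIC_CLIENT_SECRET" in env:  # live: needs network and all three steps completed
        token = get_json(build_token_request(tenant, client, env["FABRIC_CLIENT_SECRET"]))["access_token"]
        req = urllib.request.Request(GROUPS_URL, headers={"Authorization": "Bearer " + token})
        print("workspaces:", [w["name"] for w in get_json(req)["value"]])
    else:  # offline: constructed token
        token = sample_token({"tid": tenant, "appid": client, "aud": RESOURCE, "exp": time.time() + 3600})
    print(claim_problems(token_claims(token), tenant, client) or "token matches the registration")
```

An empty workspace list in the live run means the token was issued but the service principal has not yet been added to any workspace.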
Creating a service principal can be a daunting task, especially if you need to work with the AAD team, but hopefully these steps simplify the process.