Set up Microsoft Power BI

Atlan connects to Microsoft Power BI using a secure, least-privilege model. The integration reads metadata using Microsoft’s recommended metadata (scanner) APIs. It doesn't modify any content or settings in your Power BI environment.

This guide outlines the steps required to enable metadata extraction using a service principal.

Prerequisites

Before you begin, confirm you have access to the required roles.

Who can do this?

Depending on your organization’s setup, you may need a combination of admin roles to complete these steps. You may not have access yourself.

• Cloud Application Administrator or Application Administrator (Microsoft Entra ID)
• Microsoft 365 administrator (Microsoft 365)
• Fabric Administrator (Power BI tenant settings)
• Workspace Admin or Member (workspace access, if needed)

Register service principal in Azure

Atlan connects using a service principal. This enables secure, automated access to metadata.

1. Go to the Azure portal and navigate to Microsoft Entra ID.
2. Select App registrations and then select New registration.
3. Name the application (for example, Atlan-PowerBI-Connector) and complete the registration.
4. Copy and securely store:
   • Application (client) ID
   • Directory (tenant) ID
5. Go to Certificates & secrets and create a New client secret.
6. Save the client secret Value securely.
7. For simpler permission management, create a security group in Entra ID and add the service principal to it.

Create security group in Azure

Create a security group and add the correct application registration to it.

1. Log in to the Azure portal.
2. Search for Microsoft Entra ID and select it.
3. Select Groups under the Manage section.
4. Select New group.
5. Set Group type to Security.
6. Enter the group name and optional description.
7. Select No members selected.
8. Add the appropriate member:
   • Service Principal Authentication: Search for the application registration you created earlier and select it.
9. Select Select and then Create.

Enable metadata access in Power BI

A Power BI tenant admin must enable metadata access.

1. Open the Power BI admin portal and select Tenant settings.
2. Under Developer Settings, enable Service principals can call Fabric public APIs.
3. Under Admin API settings, enable Service principals can use read-only Power BI admin APIs.
4. Under Enhanced metadata, enable:
   • Detailed metadata responses
   • DAX and mashup expression metadata
5. Add the security group containing your service principal to each setting you enabled.

These settings enable Atlan to read metadata from Power BI workspaces, datasets, dashboards, and reports.

Grant workspace access

Add the security group to each workspace you want Atlan to scan. Workspaces that don't have the security group won't appear in the Include/Exclude Workspaces metadata filters during crawl configuration.

Alternative for large environments

If your organization has many workspaces, you can skip adding the security group to individual workspaces by enabling the Scanner APIs Only Access toggle during crawl credential configuration. When the toggle is enabled, workspaces appear in the metadata filters using only scanner APIs -> no workspace-level access is required.

However, using only scanner APIs has limitations, including no Pages catalog and no downstream column/measure-to-page lineage. For a full comparison, see How does the scanner API toggle affect catalog coverage and lineage?.

1. In Power BI, go to Workspaces, select a workspace, and then select Access.
2. Add the security group containing your service principal.
3. Assign the role based on your metadata requirements:
   • Viewer: Dashboards and reports
   • Contributor: Datasets with parameters
   • Member: Dataflows and full lineage
4. Repeat for every workspace you want Atlan to scan.

Verify setup

Before you configure the connection in Atlan, confirm you have:

• Client ID
• Tenant ID
• Client secret value (stored securely)
• Power BI tenant settings updated to include your security group for the scanner API settings
• Workspace access granted to the security group for each workspace you want to scan, or plan to enable the Scanner APIs Only Access toggle during crawl configuration

If you run into connectivity issues, see Troubleshooting connectivity.

Next steps

• Crawl Microsoft Power BI: Configure and run the crawler to extract metadata from Microsoft Power BI.