Set up Microsoft Power BI
Depending on the authentication method you choose, you may need a combination of your Cloud Application Administrator or Application Administrator for Microsoft Entra ID, Microsoft 365 administrator for Microsoft 365, and Fabric Administrator (formerly known as Power BI Administrator) for Microsoft Power BI to complete these tasks -> you may not have access yourself.
This guide outlines how to set up Microsoft Power BI so it can connect with Atlan for metadata extraction and lineage tracking.
Before you begin
Register application in Microsoft Entra ID
You need your Cloud Application Administrator or Application Administrator to complete these steps—> you may not have access yourself. This is required if the creation of registered applications isn't enabled for the entire organization.
To register a new application in Microsoft Entra ID:
- Log in to the Azure portal.
- Search for Microsoft Entra ID and select it.
- Click App registrations from the left menu.
- Click + New registration.
- Enter a name for your client application and click Register.
- From the Overview screen, copy and securely store:
- Application (client) ID
- Directory (tenant) ID
- Click Certificates & secrets from the left menu.
- Under Client secrets, click + New client secret.
- Enter a description, select an expiry time, and click Add.
- Copy and securely store the client secret Value.
Create security group in Microsoft Entra ID
You need your Cloud Application Administrator or Application Administrator to complete these steps - you may not have access yourself.
To create a security group for your application:
- Log in to the Azure portal.
- Search for Microsoft Entra ID and select it.
- Click Groups under the Manage section.
- Click New group.
- Set the Group type to Security.
- Enter a Group name and optional description.
- Click No members selected.
- Add the appropriate member:
- For Delegated User authentication: search for the user and select it.
- For Service Principal authentication: search for the application registration created earlier and select it.
- Click Select and then Create.
By the end of these steps, you have registered an application with Microsoft Entra ID and created a Security Group with the appropriate member.
Configure authentication options
Atlan supports two authentication methods for fetching metadata from Microsoft Power BI:
Service principal authentication (recommended)
When using Service Principal authentication, you must decide how the connector shall access metadata to catalog assets and build lineage. There are two supported options:
Admin API only
This option grants permissions that let the service principal to access only admin-level Power BI APIs. In this mode, Atlan extracts metadata exclusively using administrative endpoints. This option is recommended for stricter access control environments.
You need your Fabric Administrator (formerly known as Power BI Administrator) to complete these tasks - you may not have access yourself.
To configure admin API access:
- Log in to the Power BI admin portal.
- Click Tenant settings under Admin portal.
- Under Admin API settings:
- Expand Enable service principals to use read-only Power BI admin APIs and set to Enabled
- Add your security group under Specific security groups
- Click Apply
- Expand Enhance admin APIs responses with detailed metadata and set to Enabled
- Add your security group
- Click Apply
- Expand Enhance admin APIs responses with DAX and mashup expressions and set to Enabled
- Add your security group
- Click Apply
- Expand Enable service principals to use read-only Power BI admin APIs and set to Enabled
Admin and non-admin APIs
This option grants permissions that let the service principal to access both admin and non-admin Power BI APIs. This enables Atlan to extract richer metadata and build detailed lineage across Power BI assets.
Assign security group to Power BI workspaces in PowerBI service portal
You need to be at least a member of the Microsoft Power BI workspace to which you want to add the security group to complete these steps - you may not have access yourself. Make sure that you add the security group from the homepage and not the admin portal.
To assign a Microsoft Power BI workspace role to the security group:
- Open the Microsoft Power BI homepage.
- Open Workspaces and select the workspace you want to access from Atlan.
- Click Access.
- In the panel:
- Enter the name of your security group where it says Enter email addresses
- Choose one of the following roles:
- Viewer: For workspaces without parameters
- Contributor: For workspaces with semantic models containing parameters or to generate lineage for measures
- Member: To generate lineage for dataflows
- Click Add.
Configure admin and non-admin API access in PowerBI Service Portal
You need your Fabric Administrator (formerly known as Power BI Administrator) to complete these tasks - you may not have access yourself.
To enable both admin and non-admin API access:
- Log in to the Power BI admin portal.
- Click Tenant settings under Admin portal.
- Under Developer settings:
- Expand Service principals can use Fabric APIs and set to Enabled
- Add your security group under Specific security groups
- Click Apply
- Expand Service principals can use Fabric APIs and set to Enabled
- Under Admin API settings:
- Expand Enable service principals to use read-only Power BI admin APIs and set to Enabled
- Add your security group
- Click Apply
- Expand Enhance admin APIs responses with detailed metadata and set to Enabled
- Add your security group
- Click Apply
- Expand Enhance admin APIs responses with DAX and mashup expressions and set to Enabled
- Add your security group
- Click Apply
- Expand Enable service principals to use read-only Power BI admin APIs and set to Enabled
After making these changes, you typically need to wait 15-30 minutes for the settings to take effect across Microsoft's services.
Delegated user authentication
Atlan doesn't recommend using delegated user authentication as it's also not recommended by Microsoft.
Fabric administrator role assignment
You need your Microsoft 365 administrator to complete these steps - you may not have access yourself.
To assign the delegated user to the Fabric Administrator role:
- Open the Microsoft 365 admin portal.
- Click Users and then Active users from the left menu.
- Select the delegated user.
- Under Roles, click Manage roles.
- Expand Show all by category.
- Under Collaboration, select Fabric Administrator.
- Click Save changes.
API permissions
You need your Cloud Application Administrator or Application Administrator to complete these steps, you may not have access yourself.
The following permissions are only required for delegated user authentication. If using service principal authentication, you don't need to configure any delegated permissions for a service principal—it's recommended that you avoid adding these permissions. These are never used and can cause errors that may be hard to troubleshoot.
To add permissions for the registered application:
- In your app registration, click API permissions under the Manage section.
- Click Add a permission.
- Search for and select Power BI Service.
- Click Delegated permissions and select:
Capacity.Read.AllDataflow.Read.AllDataset.Read.AllReport.Read.AllTenant.Read.AllWorkspace.Read.All
- Click Grant Admin consent (If you only see the Add permissions button, you aren't an administrator).
Admin API settings configuration
You need your Fabric Administrator (formerly known as Power BI Administrator) to complete these tasks, you may not have access yourself.
To enable the Microsoft Power BI admin API:
- Log in to the Power BI admin portal.
- Click Tenant settings under Admin portal.
- Under Admin API settings:
- Expand Enhance admin APIs responses with detailed metadata and set to Enabled
- Add your security group
- Click Apply
- Expand Enhance admin APIs responses with DAX and mashup expressions and set to Enabled
- Add your security group
- Click Apply.
- Expand Enhance admin APIs responses with detailed metadata and set to Enabled