Power BI Service Principals

With the Power BI Embedded OnBoarding Tool you can easily embed applications. But the standard mode uses an users with a password. This users requires a Power BI Pro license and normally this users stands under some organizational standards, such as the password must be change after X days. But the biggest issue are, that the password is unencrypted at the web.config file.
These issues can be resolved by using a “service principal” account. Microsoft has documented the way at this page:https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal

But here are some missing hints to get the principal work, such as the API permissions. This Blog Post will show you step by step how you can configure a account and setup a demo application.

First you must enable at the Admin Portal of your Power BI tenant the use of the “service principals”. (in a productive scenario you should use groups, not the entire organization)

To configure our embedded application we need our workspace and report id. (needed to configure the config file)

1 = workspace id
2 = report id

Next we must create at the Azure tenant an “App registration”:

Then we must create the client secret

Important: After you left this page, you cannot get the secret again!

Now we must give the service principal API permissions for Power BI

Cgeck that you only grant the required permissions!
you must grant the permissions to your tenant!

After that, you must give the app registration user adin access to the workspace:

Now you must setup the web.config:

  1. Setup the Authentication Type to “Service Principal”
  2. Set the application Id, you will get it from the overview page of the created service principal
  3. Setup the workspace and report id (step 3 and 4)
  4. Paste here the secret
  5. Setup your tenant id, you will also get the id from the overview page of the service principal

Finally we can run our app by using the principal

That’s it! Enjoy!