There are many applications that can use the Power BI API: reports embedded in a web application, tools to browse reports and datasets of a workspace, automation of deployment and maintenance activities, and many more. Many of these applications can rely on the interactive user authenticated by Azure Active Directory, but there are cases where the application must use its own authentication rather than impersonating an existing user.

We can use an Azure Service Principal Account to access the Power BI API from an application. This way, a dedicated account is available for the application to access the Power BI API. However, the Power BI administrator must enable the setting “Allow service principals to use Power BI APIs” in the admin portal because this feature is not enabled by default.

Assuming you have already followed the steps of the Microsoft documentation and you are used to the Power BI API, the biggest obstacle at this point is to find the best way to manage the authentication of the service principal in your application. Although there are several articles online describing the process, the authentication part is not included in the Power BI API. It must use Azure Active Directory services that are available through several different libraries.

The goal of the video included in this article is to explain:

  • How to correctly configure Azure Active Directory for your application.
  • What library to include in your code to manage the authentication of the service principal.
  • How to use the authentication API in order to get a proper authentication token.

The reason we chose to record a video is that there are a few concepts to understand and several manual activities required when configuring the Azure Active Directory. These topics may be completely new to a developer who has never had to deal with the Azure Active Directory authentication. For sure, they were new to me, and I asked Paolo Pialorsi for help. Paolo writes real code that deals with Azure and SharePoint.

The video is almost 30 minutes long, so it is useful to recap the content here:

  • 00:00 Presentation
  • 01:00 Description of the demo: an application pushes data in real-time onto a dataset. We already have the code of the application, but we need the authentication token for the service principal account of the application.
  • 04:40 Description of the access token required
  • 05:00 Registering the application in Azure Active Directory
  • 07:10 Retrieving the Client ID to use in the authentication API
  • 08:14 Retrieving the Tenant ID to use in the authentication API
  • 08:45 Creating and retrieving the Client Secret to use in the authentication API
  • 11:25 Setting the API permission for the application in Azure Active Directory
  • 16:09 Introduction to MSAL (Microsoft Authentication Library)
  • 17:29 Introducing the code to obtain the access token
  • 18:09 Using the ConfidentialClientiApplicationBuilder class
  • 18:53 Recap of how to use Client ID, Tenant ID, and Client Secret in the code
  • 19:52 Declaring permission scopes required in the access token
  • 21:20 Recap of permission scopes required by Power BI API
  • 23:47 Sending the request and acquiring the token
  • 25:40 First run of the application; description of the access token content and its caching.
  • 29:08 Final demo, report updated in real-time!

You can download the sample project available at the end of this article and replace all the identifiers with the information retrieved from your Power BI tenant and Azure Active Directory. Ultimately, you can obtain the authentication token with the following C# code:

    IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithClientSecret(clientSecret)
        .WithAuthority(new Uri(authority))
        .Build();

    string[] scopes = new string[] { $"{resource}/.default" };

    AuthenticationResult result = null;
    result = app.AcquireTokenForClient(scopes).ExecuteAsync().Result;
    var tokenCredentials = new TokenCredentials(result.AccessToken, "Bearer");
    _powerBIClient = new PowerBIClient(new Uri(ApiUrl), tokenCredentials);

However, it is not enough to copy and paste the code – you also need to properly configure your application in Azure Active Directory to create and authorize the service principal required to run the code. I strongly suggest you watch the entire video to understand the meaning of every element involved in this authorization process. My experience is that it could be very hard to troubleshoot any error if you are not familiarized with the elements involved. I hope the video can clarify these concepts to those new to Azure Active Directory API and to authentication concepts – I sure was new to these before I asked Paolo for help!