We’re thrilled to announce that you can authenticate to Power BI with a service principal (also known as app-only authentication), available by the end of the week in Public Preview.
A service principal is a local representation of your AAD application for use in a specific tenant. It allows you to access resources or perform operations using the Power BI API without the need for a user to sign in or have a Power BI Pro license. For customers using Power BI Embedded, it can significantly reduce other limitations and friction.
Service principal and Power BI Embedded
Today, Power BI Embedded customers need to create a master user – a Power BI Pro user that represents their application and serves as the admin of all the content.
This method has some limitations:
- A global administrator is needed to register each master user in AAD.
- It demands a Power BI Pro license to be purchased in an Office 365 tenant for each master user.
- The master user authentication is done with a password, an authentication method that isn’t aligned with AAD best practices. Also, managing multiple master users and the associated password rotation can be challenging.
Service principal can replace master user and help customers build a more robust solution when going to production:
- Easier to create – applications can be registered automatically, and anyone with the appropriate permissions can add the new application to a security group allowed to use service principal.
- No need to purchase a Power BI Pro license for a service principal (though it is recommended to have a user with a Pro license who can access the Power BI portal).
Getting started with service principal
Follow these steps to get started with service principal:
- You need to register a server-side web application in AAD to use with Power BI. Note that AAD permissions are not required to be added, since service principal permissions are managed only through Power BI.
- A Power BI admin needs to enable the admin toggle in the Admin portal, as shown in the picture below, and apply it to specific security groups.
Note that the new AAD web application created in step 1 must be added to one of those security groups to be able to authenticate to Power BI as a service principal.
From here you can use the Power BI API or embed content with the service principal. Learn more on getting started with service principal.
How to migrate Power BI Embedded to work with service principal
If you have already integrated Power BI Embedded in your application and you wish to migrate from using a master user to a service principal, please follow these steps:
- Create and provision a service principal as described above in this blog post, or follow the steps in the documentation.
- Make sure all your workspaces are new workspaces. If not, make sure to create them and move all the content into the new workspaces. See a PowerShell script example of how to move content automatically between workspaces.
- Add the service principal as an admin of the new workspaces. This can be done through the API in two ways:
  - The service principal creates a new workspace through the API. Please note that a service principal cannot log in to the Power BI portal.
  - A workspace admin adds the service principal as an admin. To add a service principal to a workspace or to perform any other operation on a service principal, you need the service principal object ID.
Within a few weeks, you will be able to add a service principal as an admin of the workspace through the Power BI portal, just as it’s done today with Power BI users.
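The two API routes for making the service principal a workspace admin, sketched as an added example (not code from this post or from the Power BI team). It uses the AAD v2.0 client-credentials token endpoint and the Power BI REST `groups` endpoints, neither of which is shown above; the `PBI_*` environment variable names and the workspace name are assumptions.

```python
import json
import os
import re
import urllib.parse
import urllib.request

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
API = "https://api.powerbi.com/v1.0/myorg"
SCOPE = "https://analysis.windows.net/powerbi/api/.default"

def _guid(name, value):
    # Reject anything that is not a GUID before it is placed in a URL or body.
    if not GUID.fullmatch(value):
        raise ValueError(f"{name} must be a GUID")
    return value

def token_request(tenant_id, client_id, client_secret):
    """AAD client-credentials request: the app signs in as itself, no user."""
    form = {"grant_type": "client_credentials", "scope": SCOPE,
            "client_id": _guid("client_id", client_id), "client_secret": client_secret}
    url = f"https://login.microsoftonline.com/{_guid('tenant_id', tenant_id)}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")

def _api_post(token, path, body):
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(API + path, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")

def create_workspace_request(sp_token, name):
    """Route 1: the service principal creates the new workspace itself."""
    return _api_post(sp_token, "/groups?workspaceV2=True", {"name": name})

def add_admin_request(admin_token, workspace_id, sp_object_id):
    """Route 2: an existing workspace admin adds the service principal by object ID."""
    body = {"identifier": _guid("sp_object_id", sp_object_id),
            "principalType": "App", "groupUserAccessRight": "Admin"}
    return _api_post(admin_token, f"/groups/{_guid('workspace_id', workspace_id)}/users", body)

def send(request):
    with urllib.request.urlopen(request, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

if __name__ == "__main__":
    # Hypothetical variable names; the secret is read from the environment, not source code.
    env = os.environ
    tok = send(token_request(env["PBI_TENANT_ID"], env["PBI_CLIENT_ID"], env["PBI_CLIENT_SECRET"]))
    print(send(create_workspace_request(tok["access_token"], "Embedded content"))["id"])
```

Route 2 must be sent with the token of a user who already administers the workspace, and `identifier` takes the service principal object ID rather than the application ID.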