Admin Permissions Required


In order for Sentinel to backup your Power BI documents, and scan your tenant to generate documentation and data lineage, it is necessary to request permission for Sentinel to access your Power BI tenant.

There are three levels of access that you can choose from:

Limited access

To access this, use 'My Sentinel' at

This allows you to access all functionality of Power BI Sentinel, with the exception of:

  • No visibility of Personal Workspaces
  • Sentinel will not be able to automatically grant admins access to all workspaces (for backup purposes)

When you first sign in, you will be presented with the list of permissions in the following screenshot.

This only needs to be done once.

Full access

To access this, use 'Portal' at

This access can only be granted by an Office 365 Global Administrator so you will need to get a Admin to grant this using the above link before you sign up to Sentinel.

Note: Some Power BI datacentres now allow a Power BI Service Admin to authorise this. Power BI Service Admin is a new permission level, which is different from (and superior to) a Power BI Workspace Admin. 

The process is:

  1. Ask your Admin to authorize Sentinel by signing in at
  2. If you are shown a tick box asking to provide "consent on behalf of your organisation", please select it. This enables other users in your organisation to use Sentinel, and may be shown in some tenants. This only needs to happen once.
  3. You can then log into the same portal and sign up for Sentinel

This only needs to be done once.

Note that all of the permissions requested ONLY apply to PowerBI, and not your entire organisation, despite the ambiguous wording in the request message.

Given the risk associated with Personal Workspaces, and the risk of not knowing whether you're backing everything up or not, we strongly recommend that you grant the full Admin permissions.

What's the risk of not doing this?

  • You will have no visibility of what reports or data are being stored in Personal Workspaces. You will not know which data sources are being accessed by these reports, or whether users are hoarding critical reports in an area that only they have access to.
  • Even though you may be a Power BI Administrator, you will not automatically have access to see all workspaces. If you're responsible for governance and disaster recovery it's important that you can see everything. Sentinel has an option where it can automatically grant you access to new workspaces ensuring you always have full visibility, but this only works with this Admin approval.

For more details about Microsoft Consent, please see Microsoft's consent explanation page here.

For details about Power BI Service Administrators, please see this page

Usage Analysis

Power BI's internal usage logs are stored in o365 and not Power BI, so it needs a different type of authorization.

This needs to be authorized by an Office 365 Global Administrator, which is one time only process.

Your o365 Global Admin can do this by navigating to and accepting the prompt.

If you experience problems in doing this, please try again in an in-private/incognito browser window.

Once authorized by an o365 Global Admin, you need to decide which account will be used to import the logs on an ongoing basis. This user will need "View-Only Audit Logs" permission, or be a member of the "Audit Logs" role. This user needs to log into the same URL, enter the database connection string, and click save.

This user will need to open the URL again whenever their authorization token expires, which should be every 2-3 months in most organisations, depending on your organisations internal security policy. The user will receive an email reminder, so if you use a dedicated service account, please remember to forward emails to a monitored inbox!

Why are permissions requested by Purple Frog Systems?

Power BI Sentinel is a service created and run by Purple Frog Systems Ltd, a Business Intelligence consultancy with over a decade of experience helping large global organisations with their Microsoft Data Platform analytics needs. Power BI Sentinel is a brand name that operates within the Purple Frog company, and it is hosted in Azure, within the Purple Frog tenant.

Power BI Sentinel is a shared SaaS platform that is hosted outside of your Azure/o365 tenant. Sentinel therefore needs to request permission in order to give you access to the information it generates.

What happens if I don't grant permissions?

In order for Sentinel to work it has to have access to your Power BI tenant.

It is however up to you which of the above permission levels you grant the application.

If you're unable to grant any permissions then there is an option (at additional cost) to have your own corporate 'Self-Host' copy of Sentinel deployed into your own Azure tenant. If you would like to discuss this please get in touch with us.