Creating a Service Principal and Connecting to Power BI

Why should you use a Service Principal?

In order for Power BI Sentinel to access your Power BI API, Sentinel requires your users to log into the Sentinel portal. This generates a 'security token' that Sentinel can then use to call the Power BI APIs on that user's behalf.

These tokens expire, usually after 90 days, stopping Sentinel from working until the user logs in again.

To prevent this from happening, you can configure a service account (a Service Principal): a dedicated account specifically for Sentinel to use, whose credentials have a much longer expiry timeframe of up to 2 years.

How to create a Service Principal

1. Navigate to ‘App Registrations’ in the Azure Portal and select ‘New Registration’

Power BI Sentinel Service Principal - Microsoft Azure

2. Set the name, ‘Accounts in this organizational directory only’ and select ‘Web’ in the Redirect URI dropdown:

Power BI Sentinel Service Principal - Register Application

3. When this has been created, make a note of the 'Application (client) ID' in the Overview page for the App Registration.

This is the 'Service Principal Client ID' required in step 12.

4. Then select ‘Certificates & Secrets’, ‘Client secrets’, and click 'New client secret'

Power BI Sentinel Service Principal - Certificates

5. Fill the details in the pop-up window on the right side with an appropriate description.

Change the Expiry duration to 24 months, or custom with an expiry date far into the future.

Note that you can choose less than this if you want, but Sentinel will stop working when this secret expires, and you'll need to create a new secret to resume functionality.

IMPORTANT – Copy the 'Value' from this page and store it for later; you cannot view it again once this page is closed. This 'Value' field is the 'Service Principal Secret' referred to in step 12.

Power BI Sentinel Service Principal - Security
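Because Sentinel stops working the moment this secret expires, a practitioner would schedule a check for it. The following is an added example (not part of Power BI Sentinel or its documentation) that uses the Microsoft Graph PowerShell SDK to list every client secret on the app registration with the days remaining; the display name and the 30-day warning threshold are assumptions.

```powershell
# Added example: report client secrets on the Sentinel app registration that are
# expired or close to expiry, so a replacement can be created in advance (step 5).
# Requires the Microsoft.Graph.Applications module and Application.Read.All.
function Get-ExpiringAppSecrets {
    param(
        # Display name chosen in step 2 (assumed here; change to match your registration)
        [string]$AppDisplayName = 'Power BI Sentinel Service Principal',
        # Secrets with this many days or fewer remaining are flagged
        [int]$WarnDays = 30
    )
    Connect-MgGraph -Scopes 'Application.Read.All'
    $nowUtc = (Get-Date).ToUniversalTime()
    $apps = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
    if (-not $apps) { throw "No app registration named '$AppDisplayName' was found" }

    foreach ($app in $apps) {
        # PasswordCredentials holds one entry per client secret; the secret value itself
        # is never returned here, only its metadata.
        foreach ($cred in $app.PasswordCredentials) {
            $daysLeft = [int](([datetime]$cred.EndDateTime - $nowUtc).TotalDays)
            [pscustomobject]@{
                App        = $app.DisplayName
                ClientId   = $app.AppId          # the 'Service Principal Client ID' from step 3
                SecretName = $cred.DisplayName
                KeyId      = $cred.KeyId
                ExpiresUtc = $cred.EndDateTime
                DaysLeft   = $daysLeft
                Status     = $(if ($daysLeft -lt 0) { 'EXPIRED' }
                               elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                               else { 'OK' })
            }
        }
    }
}

Get-ExpiringAppSecrets | Sort-Object DaysLeft | Format-Table -AutoSize
```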

6. Assign the API Permissions listed below

Power BI Sentinel Service Principal - API Permissions

Microsoft Graph (1):

  - User.Read  (required to log into Power BI Sentinel)

Power BI Service (13):

  - App.Read.All
  - Capacity.Read.All
  - Dashboard.Read.All
  - Dataflow.Read.All
  - Dataset.Read.All
  - Dataset.ReadWrite.All  (required to back up your reports)
  - Gateway.Read.All
  - Report.Read.All
  - Report.ReadWrite.All  (required to back up your reports)
  - StorageAccount.Read.All
  - StorageAccount.ReadWrite.All  (required to back up your reports/datasets)
  - Tenant.Read.All  (note that this refers to the Power BI tenant only, not the entire tenant)
  - Workspace.Read.All
  - Workspace.ReadWrite.All  (required to allow the service principal to grant itself access to your workspaces)

7. Navigate to ‘Groups’ in Active Directory within the Azure Portal and select ‘New Group’

Power BI Sentinel Service Principal - Microsoft Azure Groups

8. Give the group a name and add the App Registration (created in step 2 above) as a member.

Power BI Sentinel Service Principal - Microsoft Azure Groups
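Steps 1 to 8 scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of Power BI Sentinel's documentation or tooling. The display names, group name and redirect URI are placeholders; the two resource app IDs are the well-known Microsoft Graph and Power BI Service identifiers, and the individual permission IDs are resolved by name rather than hard-coded. Steps 9 to 12 remain portal steps.

```powershell
# Added example: create the app registration, client secret, API permissions,
# service principal and security group from steps 1-8 in one script.
# Run as an admin holding Application.ReadWrite.All and Group.ReadWrite.All.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','Group.ReadWrite.All'

$appName   = 'Power BI Sentinel Service Principal'   # placeholder display name
$groupName = 'PowerBI-Sentinel-ServicePrincipals'    # placeholder group name
$redirect  = 'https://example.invalid/sentinel'       # placeholder 'Web' redirect URI

# Step 2: single-tenant registration ('Accounts in this organizational directory only').
$app = New-MgApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg' `
           -Web @{ RedirectUris = @($redirect) }

# Step 5: client secret with a 24-month lifetime. SecretText is returned only once.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Power BI Sentinel'
    EndDateTime = (Get-Date).AddMonths(24)
}

# Step 6: look up each delegated permission's ID on the resource service principal.
# 00000003-... is Microsoft Graph; 00000009-... is the Power BI Service resource.
$wanted = @{
    '00000003-0000-0000-c000-000000000000' = @('User.Read')
    '00000009-0000-0000-c000-000000000000' = @(
        'App.Read.All','Capacity.Read.All','Dashboard.Read.All','Dataflow.Read.All',
        'Dataset.Read.All','Dataset.ReadWrite.All','Gateway.Read.All','Report.Read.All',
        'Report.ReadWrite.All','StorageAccount.Read.All','StorageAccount.ReadWrite.All',
        'Tenant.Read.All','Workspace.Read.All','Workspace.ReadWrite.All')
}
$required = foreach ($resourceAppId in $wanted.Keys) {
    $resource = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
    if (-not $resource) { throw "Resource $resourceAppId is not present in this tenant" }
    $access = foreach ($name in $wanted[$resourceAppId]) {
        $scope = $resource.Oauth2PermissionScopes | Where-Object Value -eq $name
        if (-not $scope) { throw "Permission '$name' not exposed by $($resource.DisplayName)" }
        @{ Id = $scope.Id; Type = 'Scope' }   # 'Scope' = delegated permission
    }
    @{ ResourceAppId = $resourceAppId; ResourceAccess = @($access) }
}
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @($required)

# Steps 7-8: create the service principal object and put it in a new security group,
# which step 10 then selects in the Power BI tenant settings.
$sp    = New-MgServicePrincipal -AppId $app.AppId
$group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -SecurityEnabled `
             -MailNickname ($groupName -replace '[^A-Za-z0-9]', '')
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $sp.Id

# Step 12 inputs: the client ID is safe to log; the secret belongs in a vault, not in output.
"Service Principal Client ID : $($app.AppId)"
"Secret expires (UTC)        : $($secret.EndDateTime)"
```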

9. Go to Power BI and open the Tenant settings in your Power BI Admin portal: https://app.powerbi.com/admin-portal/tenantSettings

10. Under Tenant settings, then Developer settings, enable the option allowing service principals to use the Power BI APIs, and apply it to the security group you created in step 8.

Power BI Sentinel Service Principal - Admin Portal Power BI API

11. Do the same under 'Admin API settings'.

Power BI Sentinel Service Principal - Admin API Permissions

12. In your Power BI Sentinel portal, load the 'Configure' page and, under the 'Server Config' header, enable the option 'Use Service Principal', then enter the Client ID and Secret for the Service Principal you created earlier.


The Client ID was noted in step 3 and the Secret in step 5 above.

Enter these into the relevant boxes, set the options underneath to your preference (described below), and click 'Save' at the very bottom of the screen.

Always Use Service Principal for Backups

Enabling this option is recommended.

By default, backups are taken using the account of whoever configured that particular report to be backed up.

With this option enabled, the Service Principal will be used as the primary account for all backups.

Only Use Service Principal

This is not recommended unless advised by Sentinel support.

By default, Sentinel scans your lineage using the Service Principal. If the Service Principal does not have access to a particular workspace, Sentinel falls back to the other accounts it knows about.

With this option enabled, that fallback is disabled and only the Service Principal is used. If it does not have appropriate access to a workspace, there may be a gap in your lineage.

Note that this situation can be avoided with the next option below.

Grant Service Principal "Contributor" access to all workspaces automatically

Enabling this option is strongly recommended.

The Service Principal can only gather lineage, take backups and so on if it has at least 'Contributor' permissions on every workspace.

You can either grant this yourself manually or, with this option enabled, the Service Principal can grant itself the permissions.

This means it will always have the correct permissions, even for new workspaces as they are created, without any manual administration, so Sentinel can always give you a complete picture of your estate.

Click 'Save' at the very bottom of the screen. From this point, Sentinel should use the Service Principal to perform its operations.