Creating a Service Principal and Connecting to Power BI
Why should you use a Service Principal?
In order for Power BI Sentinel to access your Power BI API, Sentinel requires your users to log into the Sentinel portal. This generates a 'security token' that Sentinel can then use to call the Power BI APIs on that user's behalf.
These tokens expire, usually after 90 days, stopping Sentinel from working until the user logs in again.
To prevent this from happening, you can configure a service account (a Service Principal), which is a dedicated account specifically for Sentinel to use, and which has a much longer expiry timeframe of up to 2 years.
2. Set the name, ‘Accounts in this organizational directory only’ and select ‘Web’ in the Redirect URI dropdown:
3. When this has been created, make a note of the 'Application (client) ID' in the Overview page for the App Registration.
This is the 'Service Principal Client ID' required in step 12.
4. Then select ‘Certificates & Secrets’, ‘Client secrets’, and click 'New client secret'.
5. Fill the details in the pop-up window on the right side with an appropriate description.
Change the Expiry duration to 24 months, or custom with an expiry date far into the future.
Note that you can choose less than this if you want, but Sentinel will stop working when this secret expires, and you'll need to create a new secret to resume functionality.
IMPORTANT – Copy the 'Value' from this page and store it for later, you cannot view it again once this page is closed. This 'Value' field is the 'Service Principal Secret' referred to in step 12.
6. Assign the API Permissions listed below:
   - Microsoft Graph (1)
       User.Read (required to log into Power BI Sentinel)
   - Power BI Service (13)
       Dataset.ReadWrite.All (required to back up your reports)
       Report.ReadWrite.All (required to back up your reports)
       StorageAccount.ReadWrite.All (required to back up your reports/datasets)
       Tenant.Read.All (note that this refers to the Power BI tenant only, not the entire tenant)
       Tenant.ReadWrite.All (note that this refers to the Power BI tenant only; required to allow the service principal to grant itself access to your workspaces)
       Workspace.ReadWrite.All (required to allow the service principal to grant itself access to your workspaces)
8. Give the group a name and add the App Registration (created in step 2 above) as a member.
9. Go to PowerBI and open the Tenant Settings in your Power BI Admin portal https://app.powerbi.com/admin-portal/tenantSettings
10. Under Tenant Settings, then Developer settings, allow service principals to use Power BI APIs and apply the setting to the security group that you previously created.
11. Do the same under the setting for Admin API Settings.
12. In your Power BI Sentinel portal, load the “Configure” page and under the “Server Config” header enable the option to 'Use Service Principal', and enter your Client ID and Secret for your Service Principal that you created earlier.
The Client ID was noted in step 3 and the Secret in step 5 above.
Enter these into the relevant boxes, and set the options underneath to your preference, and click 'Save' at the very bottom of the screen.
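Because Sentinel stops working the moment the client secret from step 5 expires, it is worth checking secret expiry on a schedule rather than waiting for a failure. The following script is an added example, not part of the Sentinel documentation or product: it reads the passwordCredentials that Microsoft Graph returns for each app registration and reports secrets that have expired or expire within a warning window. The sample response, app names and IDs are constructed for illustration; the live call needs an access token with permission to read applications.

```python
"""Report Azure AD app registration client secrets that are expired or expiring soon."""
import json
import urllib.request
from datetime import datetime, timezone

# Graph endpoint that returns each application's password credentials (client secrets).
GRAPH_URL = ("https://graph.microsoft.com/v1.0/applications"
             "?$select=appId,displayName,passwordCredentials")


def fetch_applications(bearer_token: str) -> dict:
    """Fetch the application list from Graph (not called in the offline sample below)."""
    req = urllib.request.Request(GRAPH_URL, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's ISO-8601 UTC timestamp, ignoring any fractional seconds."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secrets_expiring(apps: dict, now_iso: str, warn_days: int = 30) -> list:
    """Return (app name, secret description, days remaining) for every secret that has
    expired or expires within warn_days. A negative day count means already expired."""
    now = parse_graph_time(now_iso)
    findings = []
    for app in apps.get("value", []):
        for cred in app.get("passwordCredentials", []):
            days_left = (parse_graph_time(cred["endDateTime"]) - now).days
            if days_left <= warn_days:
                findings.append((app["displayName"], cred.get("displayName"), days_left))
    return sorted(findings, key=lambda f: f[2])


# Constructed sample in the shape Graph returns; not real tenant data.
SAMPLE = {"value": [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "PowerBI-Sentinel-SP",
     "passwordCredentials": [
         {"displayName": "sentinel-2023", "endDateTime": "2024-01-10T00:00:00Z"},
         {"displayName": "sentinel-2024", "endDateTime": "2026-01-10T00:00:00Z"}]},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "Other-App",
     "passwordCredentials": []},
]}

if __name__ == "__main__":
    for name, desc, days in secrets_expiring(SAMPLE, "2024-01-01T00:00:00Z"):
        state = "expired" if days < 0 else "expires in"
        print(f"{name}: secret '{desc}' {state} {abs(days)} days")
```

Run it against `fetch_applications(token)` instead of `SAMPLE` to check a real tenant, and raise the warning window to give yourself time to create and enter a replacement secret before the old one lapses.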
Always Use Service Principal for Backups
This is recommended to be enabled.
Usually the backups will be taken using the account of whoever configured that specific report to be backed up.
With this option enabled, the Service Principal will be used as the primary account for all backups.
Only Use Service Principal
This is not recommended unless advised by Sentinel support.
By default, Sentinel will scan your lineage using the Service Principal. If the Service Principal doesn't have access to a particular workspace, then Sentinel will attempt the scan using other accounts as a fallback.
With this option enabled, that fallback is disabled and only the Service Principal will be used. If it does not have appropriate access, there may be a gap in your lineage.
Note that this situation can be avoided with the next option below.
Grant Service Principal "Contributor" access to all workspaces automatically
This is strongly recommended to be enabled.
The Service Principal can only gather lineage and take backups etc. if it has at least 'Contributor' permissions to all workspaces.
You can either grant this yourself manually, or, with this option enabled, the Service Principal can grant itself the permissions.
This means that it will always have the correct permissions, even for new workspaces when they're created, without any manual admin. This will ensure that Sentinel always provides you with a full complete picture of your estate.
Click “Save” at the very bottom of the screen. From this point, Sentinel should use the Service Principal to perform