Power BI

This guide walks through the steps required to configure a Service Principal for Solid's Power BI integration, grant the necessary permissions, and validate the setup.


Step 1: Create a Service Principal Account for Solid

Access required: Azure AD / Microsoft Entra ID app registration

App Registration

  1. In the Azure portal, navigate to Microsoft Entra ID > App Registrations > New Registration.
    • You can sign in using existing Microsoft 365 / Power BI credentials — no Azure subscription is required.
  2. After creation, note the following from the Overview page:
    • Application (Client) ID
    • Directory (Tenant) ID

Client Secret

  1. In the app registration, go to Certificates & Secrets > New client secret.
  2. Copy the secret value immediately — it is shown only once.
  3. Set the expiry to 12–24 months.

Security Group

  1. In Entra ID > Groups > New Group, create a group of type Security.
  2. Add the app registration as a member of this group.
    • This group is referenced in the Power BI tenant settings in Step 2.

Required Permissions to Complete This Setup

RequirementDetails
Power BI AdminRequired to modify tenant settings in the Admin Portal (Fabric/Power BI Admin role)
Azure portal accessvia Microsoft 365 / Entra credentials — no Azure subscription needed
App Registration creationRequires one of: Application Administrator, Cloud Application Administrator, or Global Administrator
Security Group creationRequired only if enabling access for a subset of the organization (optional if enabling org-wide)

Network / IP Considerations

Our integration connects to two Microsoft public endpoints over HTTPS (port 443):

  • login.microsoftonline.com (authentication)
  • api.powerbi.com (metadata scanning)

If your organization has Conditional Access policies, IP-based restrictions, or Azure Private Link enabled for Power BI, access from our IPs may be blocked. Our outbound IPs are listed here: http://docs.getsolid.ai/docs/solids-static-ip-addresses

To check if any of these apply to you:

  • Azure portal > Microsoft Entra ID > Security > Conditional Access — look for policies that restrict sign-ins by IP or location
  • Azure portal > Microsoft Entra ID > Security > Named Locations — check for trusted location requirements
  • Power BI Admin Portal > Tenant Settings > Advanced Networking — if "Block Public Internet Access" is enabled, public API access will not work and it must be disabled

If any of these restrictions are in place, please whitelist the IPs listed above.

Workspace GUID

Provide at least one Workspace GUID for initial validation. This can be found in the Power BI URL:

https://app.powerbi.com/groups/{WORKSPACE_GUID}/...

Output to Share with Solid

FieldDescription
CLIENT_IDApplication/Client ID (GUID)
CLIENT_SECRETThe client secret value
ENTRA_TENANT_IDDirectory/Tenant ID (GUID)

Step 2: Provide Solid with the Right Permissions

1. API Permissions — None Required

⚠️

Critical: The app registration must NOT have any API permissions configured in the Azure portal (no Tenant.Read.All, no delegated permissions). Adding permissions breaks admin API access.

2. Power BI Tenant Settings

Requires a Power BI Admin

In the Power BI Admin Portal > Tenant Settings, enable the following settings, applied to the security group created in Step 1:

SettingLocationWhy
Service principals can access read-only admin APIsAdmin API settingsAllows the SP to call the Admin Scanner API
Enhance admin APIs responses with detailed metadataAdmin API settingsReturns table/column/measure names and descriptions
Enhance admin APIs responses with DAX and mashup expressionsAdmin API settingsReturns DAX formulas and M (Power Query) source expressions
⏱️

Note: Changes to tenant settings can take up to 15 minutes to propagate. After enabling detailed metadata, datasets may need a refresh before the metadata appears in scan results.

3. Workspace-Level Access

The service principal (or its security group) must be added as a Member or Admin to each Power BI workspace that Solid needs to scan.

In Power BI Service > Workspace > Access, add the app name or security group as Member.