Power BI
This guide walks through the steps required to configure a Service Principal for Solid's Power BI integration, grant the necessary permissions, and validate the setup.
Step 1: Create a Service Principal Account for Solid
Access required: Azure AD / Microsoft Entra ID app registration
App Registration
- In the Azure portal, navigate to Microsoft Entra ID > App Registrations > New Registration.
- You can sign in using existing Microsoft 365 / Power BI credentials — no Azure subscription is required.
- After creation, note the following from the Overview page:
- Application (Client) ID
- Directory (Tenant) ID
Client Secret
- In the app registration, go to Certificates & Secrets > New client secret.
- Copy the secret value immediately — it is shown only once.
- Set the expiry to 12–24 months.
Security Group
- In Entra ID > Groups > New Group, create a group of type Security.
- Add the app registration as a member of this group.
- This group is referenced in the Power BI tenant settings in Step 2.
Required Permissions to Complete This Setup
| Requirement | Details |
|---|---|
| Power BI Admin | Required to modify tenant settings in the Admin Portal (Fabric/Power BI Admin role) |
| Azure portal access | via Microsoft 365 / Entra credentials — no Azure subscription needed |
| App Registration creation | Requires one of: Application Administrator, Cloud Application Administrator, or Global Administrator |
| Security Group creation | Required only if enabling access for a subset of the organization (optional if enabling org-wide) |
Network / IP Considerations
Our integration connects to two Microsoft public endpoints over HTTPS (port 443):
login.microsoftonline.com(authentication)api.powerbi.com(metadata scanning)
If your organization has Conditional Access policies, IP-based restrictions, or Azure Private Link enabled for Power BI, access from our IPs may be blocked. Our outbound IPs are listed here: http://docs.getsolid.ai/docs/solids-static-ip-addresses
To check if any of these apply to you:
- Azure portal > Microsoft Entra ID > Security > Conditional Access — look for policies that restrict sign-ins by IP or location
- Azure portal > Microsoft Entra ID > Security > Named Locations — check for trusted location requirements
- Power BI Admin Portal > Tenant Settings > Advanced Networking — if "Block Public Internet Access" is enabled, public API access will not work and it must be disabled
If any of these restrictions are in place, please whitelist the IPs listed above.
Workspace GUID
Provide at least one Workspace GUID for initial validation. This can be found in the Power BI URL:
https://app.powerbi.com/groups/{WORKSPACE_GUID}/...
Output to Share with Solid
| Field | Description |
|---|---|
CLIENT_ID | Application/Client ID (GUID) |
CLIENT_SECRET | The client secret value |
ENTRA_TENANT_ID | Directory/Tenant ID (GUID) |
Step 2: Provide Solid with the Right Permissions
1. API Permissions — None Required
Critical: The app registration must NOT have any API permissions configured in the Azure portal (noTenant.Read.All, no delegated permissions). Adding permissions breaks admin API access.
2. Power BI Tenant Settings
Requires a Power BI Admin
In the Power BI Admin Portal > Tenant Settings, enable the following settings, applied to the security group created in Step 1:
| Setting | Location | Why |
|---|---|---|
| Service principals can access read-only admin APIs | Admin API settings | Allows the SP to call the Admin Scanner API |
| Enhance admin APIs responses with detailed metadata | Admin API settings | Returns table/column/measure names and descriptions |
| Enhance admin APIs responses with DAX and mashup expressions | Admin API settings | Returns DAX formulas and M (Power Query) source expressions |
Reference: Microsoft - Metadata scanning setup
Note: Changes to tenant settings can take up to 15 minutes to propagate. After enabling detailed metadata, datasets may need a refresh before the metadata appears in scan results.
3. Workspace-Level Access
The service principal (or its security group) must be added as a Member or Admin to each Power BI workspace that Solid needs to scan.
In Power BI Service > Workspace > Access, add the app name or security group as Member.
