Prerequisites

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

Customer Managed Applies to customer-managed instances of Alation

Core Connector Core connectors are included with all Alation platform tiers (subject to each tier’s connector limits) and are fully supported by Alation.

Before you install the Power BI Scanner OCF connector, ensure that you have performed the following:

• Enable Network Connectivity

• Set Up the Azure Power BI Scanner

Enable Network Connectivity

Open outbound TCP port 443 on the Azure Power BI server for the REST API communication.

Set Up the Azure Power BI Scanner

Setting up the Azure Power BI Scanner involves these steps:

1. Register an Application with Microsoft Entra ID

2. Assign Workspace Permissions

3. Create a Security Group for Azure Power BI Scanner

4. Enable Azure Power BI Scanner Service Admin Settings

Register an Application with Microsoft Entra ID

To register an application with Microsoft Entra ID, refer Register app with Microsoft Entra ID for more information.

1. Log in to the Azure portal as Cloud Application Administrator or Application Administrator. If the creation of registered applications is not enabled for the entire organization, any one of the roles is required.

2. Select Microsoft Entra ID.

3. Click App registrations (on the left pane) > New registration.

4. Specify a name for your client application in the Name field. Retain the default values in the Supported account types and Redirect URI sections and then click Register.

5. From the App registrations screen, copy the value of Application (client) ID and store it in a secure location.

6. From the Overview screen of the new app, copy the value of Tenant ID and store it in a secure location.

7. Click Certificates & secrets from the left menu on the new app.

8. On the Certificates & secrets page, in Client secrets section, click + New client secret.

9. In the Add a client secret screen, specify the following information:

   • Description for your client secret.

   • Expiry

10. Click Add.

11. Copy the client secret value displayed under the Value column and store it in a secure location.

Set API Permissions

1. After you Register an Application with Microsoft Entra ID , click API permissions on the Azure portal.

   We recommend that you retain the default values in the API permissions table under the Configured permissions section.

2. Click API permissions and select Microsoft Graph.

   1. Click Application permissons and search and select the Directory.Read.All permission.

   2. Click Add permissions.

3. Click Add a permission and select Power BI Service.

   1. Click Application permissions and search and select the Tenant.Read.All permission.

   2. Click Add permissions.

Skip Granting Admin Consent

The permissions you added in the above steps do not require admin consent. Therefore, you don’t have to change the default permission status, which is set to not granted (Not granted for Alation, Inc).

Granting admin consent (Granted for Alation, Inc.) to these admin permissions, as shown below,

may result in the complete failure of preflight checks, which can obstruct subsequent processes, such as fetching workspaces and metadata extraction. Therefore, Alation recommends that you do not grant admin consent for these admin permissions.

Moreover, permissions granted in Azure may persist even after attempts to remove them later from the app registration. Create a new app registration and security group to resolve issues originating from incorrectly assigned permissions. Ensure that you don’t grant additional permissions in Azure during this new setup process.

Assign Workspace Permissions

Important

This step is not required if you perform the steps in Create a Security Group for Azure Power BI Scanner.

Grant the application you created in Step 1 member-level access to the workspaces you plan to catalog in Alation. Member-level permissions enable the connector to extract report dimensions and dataflows. For steps, refer to following Power BI documentation:

• Add a service principal or security group manually

• Add a service principal or security group by using PowerShell

• Groups - Add Group User

Important

The Power BI Admin must provide member-level access of service principal to at least one workspace.

To assign a Microsoft Power BI workspace role to the security group:

1. Open the Microsoft Power BI homepage.

2. From the left menu, click Workspaces and select your workspace.

3. click Access.

4. In the resulting panel, specify the email addresses and the name of the security group.

5. Depending on your workspace settings, set the following values:

   • For workspaces that do not have any parameters defined: Select Viewer from the dropdown.

   • If your workspace has any semantic models with parameters defined: Select Contributor from the dropdown to bring in the parameters to Alation. You must do this for all the existing workspaces for which parameters are defined.

   • To crawl and generate lineage for dataflows, in addition to crawling defined parameters for semantic models: Select Member from the dropdown.

6. Click Add.

Create a Security Group for Azure Power BI Scanner

Important

This step is not required if you perform the steps in Assign Workspace Permissions.

1. Log in to the Azure portal as Cloud Application Administrator or Application Administrator.

2. Select Microsoft Entra ID.

3. Go to Manage > Groups.

4. Click New group button.

5. Set the following values:

   • Set the Group type to Security.

   • Enter a Group name and a Group description.

   • Select No members selected link in Members.

   • For Service Principal authentication, search the application that you created in Register an Application with Microsoft Entra ID and click to select it.

6. Click Select.

7. Click Create.

Enable Azure Power BI Scanner Service Admin Settings

For an Azure application to be able to access the Power BI content and APIs, a Power BI admin needs to set Enable service principal access in the Power BI admin portal.

1. Login to Power BI.

2. From the Settings icon, select the Admin portal under the Governance and administration section.

   

3. Select Tenant Settings the left navigation pane and perform the following configuration:

   3.1 Enable Service principals can use Fabric APIs.

   3.2 Select the Specific security groups and select the security group created in Step 3.

   3.3 Click Apply to apply the settings.

   

4. Navigate to Tenant Settings > Admin API Settings and perform the following configuration:

   4.1 Enable Allow service principals to use read-only Power BI Admin APIs.

   4.2 Select the Specific security groups and select the security group created in Step 3.

   4.3 Click Apply to apply the settings.

   4.4 Similarly, enable the following flags:

   • Enhance admin APIs responses with detailed metadata

   • Enhance admin APIs responses with DAX and mashup expressions

   

5. In Tenant Settings, navigate to Gen1 Dataflow Settings:

   5.1 Enable Create and use Gen1 dataflows to extract the dataflow objects in Alation.

   5.2 Click Apply to save the settings.

   

   Note

   The service principle requires member-level access to workspaces in Power BI to extract dataflows. The dataflow connection missing error may occur during extraction when workspace permissions are not available.

6. Under Tenant Settings, navigate to Download Reports:

   6.1 Enabling Download Reports enables you to extract report fields into Alation. It is also required for Column Level Lineage.

   6.2 Click Apply to save the settings.