
Using Power BI Service with Token-Based Authentication

If you manage users with Microsoft Entra ID and OpenID Connect, you can switch to token-based authentication for Microsoft Power BI. This simplifies report consumption for Power BI Service users, since they only need their Power BI online account to access reports published by model designers.

Note: If you manage AtScale users with Entra ID and either Kerberos or NTLM, see Using Power BI Service with Windows Authentication.

Prerequisites

In order to perform this procedure, AtScale must be configured to use Entra ID with OpenID Connect as its IdP. For instructions, see Configuring Microsoft Entra ID with OpenID Connect.

Additionally, the AtScale administrator involved in this procedure must have the superuser_user role assigned in the Identity Broker. For information on viewing and assigning roles, see Managing Users with the Identity Broker.

Enable token-based authentication in AtScale

To initiate the process of token-based authentication, the AtScale administrator must first enable tokens in the engine. To do this, enable the xmla.auth.token.enabled global setting. You do not need to restart the engine after changing this setting.

For more information on changing global settings, see Configuring Global Settings.

Configure the AtScale application in Entra ID

Next, the administrator must configure the AtScale application in Entra ID:

  1. Log in to the Azure portal and open Microsoft Entra ID.

  2. Open the App Registration for AtScale.

  3. In the left-hand navigation, select Authentication.

  4. Under Advanced Settings, enable the Allow public client flows option.

  5. In the left-hand navigation, select API permissions.

  6. In the Configured permissions section, add the following Power BI Service permissions:

    • Dataset.Read.All
    • Dataset.ReadWrite.All
    • Report.Execute.All
    • Report.Read.All
    • Report.ReadWrite.All
    • Report.Reshare.All
    • Workspace.GitCommit.All
    • Workspace.GitUpdate.All
    • Workspace.Read.All
    • Workspace.ReadWrite.All
  7. In the left-hand navigation, select Expose an API.

  8. In the Scopes defined by this API section, add the user_impersonation scope.

  9. Navigate to the App roles page and add the following roles:

    • role_user_impersonation
    • login_on_behalf_of_user
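
The following added example (not AtScale or Microsoft code) audits an app registration against steps 4, 6, 8, and 9 above. It assumes `app` is the Microsoft Graph application object for the AtScale registration and `powerbi_sp` is the Graph service principal object for Power BI Service; the sample objects and their ids are constructed, and the "unexpected permission" finding is an extra least-privilege check that goes beyond the steps on this page.

```python
# Delegated Power BI Service permissions listed in step 6 of the procedure.
REQUIRED_SCOPES = {
    "Dataset.Read.All", "Dataset.ReadWrite.All", "Report.Execute.All",
    "Report.Read.All", "Report.ReadWrite.All", "Report.Reshare.All",
    "Workspace.GitCommit.All", "Workspace.GitUpdate.All",
    "Workspace.Read.All", "Workspace.ReadWrite.All",
}
REQUIRED_APP_ROLES = {"role_user_impersonation", "login_on_behalf_of_user"}


def audit_app_registration(app, powerbi_sp):
    """Return sorted findings; an empty list means the registration matches."""
    findings = []
    # Step 4: "Allow public client flows" is isFallbackPublicClient in Graph.
    if app.get("isFallbackPublicClient") is not True:
        findings.append("public client flows not enabled")
    # Step 6: requiredResourceAccess holds scope ids, so resolve them to names.
    names = {s["id"]: s["value"] for s in powerbi_sp["oauth2PermissionScopes"]}
    granted = set()
    for rra in app.get("requiredResourceAccess", []):
        if rra["resourceAppId"] == powerbi_sp["appId"]:
            granted |= {names.get(ra["id"], "unresolved:" + ra["id"])
                        for ra in rra["resourceAccess"] if ra["type"] == "Scope"}
    findings += ["missing Power BI permission: " + n for n in REQUIRED_SCOPES - granted]
    # Added least-privilege check: anything beyond the documented list.
    findings += ["unexpected Power BI permission: " + n for n in granted - REQUIRED_SCOPES]
    # Step 8: scope exposed by the AtScale application itself.
    exposed = {s["value"] for s in app.get("api", {}).get("oauth2PermissionScopes", [])}
    if "user_impersonation" not in exposed:
        findings.append("missing exposed scope: user_impersonation")
    # Step 9: app roles defined on the registration.
    roles = {r["value"] for r in app.get("appRoles", [])}
    findings += ["missing app role: " + r for r in REQUIRED_APP_ROLES - roles]
    return sorted(findings)


# Constructed sample data: ids and appId are placeholders, not real values.
SAMPLE_SP = {"appId": "powerbi-app-id-placeholder", "oauth2PermissionScopes": [
    {"id": "scope-id-%d" % i, "value": v}
    for i, v in enumerate(sorted(REQUIRED_SCOPES | {"Dashboard.Read.All"}))]}
SAMPLE_APP = {
    "isFallbackPublicClient": False,
    "requiredResourceAccess": [{"resourceAppId": SAMPLE_SP["appId"], "resourceAccess": [
        {"id": s["id"], "type": "Scope"} for s in SAMPLE_SP["oauth2PermissionScopes"]
        if s["value"] != "Report.Reshare.All"]}],
    "api": {"oauth2PermissionScopes": [{"value": "user_impersonation"}]},
    "appRoles": [{"value": "role_user_impersonation"}],
}
```

Calling `audit_app_registration(SAMPLE_APP, SAMPLE_SP)` on the constructed sample reports one missing permission, one missing app role, the disabled public client setting, and one permission outside the documented list.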

Configure the Identity Broker

Once Entra ID has been configured, the AtScale administrator needs to make the following changes in the Identity Broker:

  1. In Design Center, click the main menu and select Security. The Identity Broker opens.

  2. In the left-hand navigation, click Users.

  3. Select the xmla-service-account user.

  4. Go to the Attributes tab and copy the XMLA_TOKEN value. You will need this later for configuring Power BI Gateway.

  5. Go to the Role mapping tab and assign the impersonation_user role.

  6. In the left-hand navigation, click Identity providers, then open the IdP for Entra ID.

  7. On the Settings tab, edit the following fields:

    • Alias: azure-ad-oidc
    • Disable user info: On
    • Scopes: https://analysis.windows.net/powerbi/api/.default
    • Store tokens: On
    • Store tokens readable: On
  8. Click Save.

Configure Power BI Gateway

The AtScale administrator next needs to configure Power BI Gateway:

  1. Install Power BI Gateway on a Windows machine in the same domain as your Directory server.

    This server should be reachable from Power BI Service via a secure connection (for example, an IPsec tunnel), and should be able to access your AtScale server. For more information, refer to the Power BI Gateway documentation.

  2. Log in to Power BI Service as a Power BI service admin and go to Settings > Manage Gateways. Follow the instructions in the Microsoft documentation to connect to your Gateway.

  3. In the Manage Gateways screen, click Add Datasource.

  4. Give your AtScale datasource a name and select Analysis Services as the data source type.

  5. Enter the connection information for AtScale:

    1. In Design Center, obtain the connection string for the catalog you want to connect to:

      1. Click the profile icon in the top right corner of Design Center. The Account panel opens.
      2. Click Generate XMLA token.
      3. Open the Deployed Catalogs panel, then open the catalog you want to connect to.
      4. On the Connect tab, copy the MDX + Token connection string.
    2. Replace the personal token at the end of the connection string with the XMLA_TOKEN value copied from the Identity Broker.

    3. Enter this URL in the Server field.

  6. Click Add.

A connection confirmation indicates that Power BI Service successfully completed the authentication.

Create and publish a report in Power BI

Once the administrator has completed the configuration steps above, the model designer must create a report using the AtScale model in Power BI Desktop and publish it to Power BI Service:

  1. In Design Center, deploy the catalog that contains the model report users will connect to. For instructions, see Deploying a Catalog.

  2. Obtain the connection string for the deployed catalog:

    1. Click the profile icon in the top right corner of Design Center. The Account panel opens.
    2. Click Generate XMLA token.
    3. Open the Deployed Catalogs panel, then open the catalog you want to connect to.
    4. On the Connect tab, copy the MDX + Token connection string.
  3. In Power BI Desktop, create a report connected to the AtScale model. This should be done using the connection string copied above.

  4. Publish the report to Power BI Service by clicking the Publish button (you must be logged in to Power BI Service). Note that at this point, the report is still not executable by end users.

  5. Request approval from the AtScale administrator for the report to be activated in the portal (for example, by saving the report as a .pbix file and sending it to the administrator).

Approve and share the report with users

Next, the administrator must approve and share the report:

  1. Open and review the model designer's report in Power BI Desktop.
  2. Go to Transform data > Data source settings and replace the personal token in the URL with the XMLA_TOKEN value copied from the Identity Broker.
  3. Share the report.

Then the model designer can share the report with other users:

  1. Log in to Power BI Service using the same account that you used to author the report.
  2. Find the new report in the workspace you selected when publishing and click the Share icon.
  3. Enter the names of the users you want to share the report with, then click Share.

Once the report is approved and shared, report users can simply log in to Power BI Service and run it. For details, see Tutorial: Get started creating in the Power BI service in the Microsoft documentation.

Additionally, report users' identities will be used to enforce runtime model security and will be displayed on the AtScale Query page.

Additional information