# Power BI (Cloud) This article outlines the integration with the Power BI Cloud connector, enabling efficient data management through features such as crawling, report preview, and lineage building (both automatic and manual). It also ensures secure authentication via Credential Manager. Power BI Cloud connector supports the following authentication types: * **Service User (Username and Password) Authentication**\ Service User Authentication uses a **Power BI user account**. Access to workspaces, reports, and datasets is based on the permissions assigned to the service user. * **Service Principal Authentication**\ Service Principal Authentication uses an **Azure Entra ID application**. Access is based on the Azure AD app configuration and workspace role assignment. It is configured to call **read-only admin APIs**, the Azure AD application must not have any **admin-consent required Power BI permissions** configured in the Azure portal.

## **Overview** ### **Connector Details** | Connector Category | Report System | | ------------------------------------------------------------------------------ | ------------------------------ | | OvalEdge Release Connector Version | Release6.3.X | |

Connectivity

\[How OvalEdge connects to Power BI Cloud ]

| REST APIs | | OvalEdge Releases Supported (Available from) | Release3.0 | | Power BI Cloud Versions | 1.1.6513.3500 - 1.22.9153.7886 | {% hint style="info" %} The Power BI Cloud connector has been validated with the mentioned "Verified Power BI Cloud Versions" and is expected to be compatible with other supported Power BI Cloud versions. If there are any issues with validation or metadata crawling, please submit a support ticket for investigation and feedback. {% endhint %} ### **Connector Features** | Feature | Availability | | -------------------------------------------------------------------------------------------------------------------------------- | :----------: | | Crawling | ✅ | | Delta Crawling | ✅ | | Profiling | ❌ | | Query Sheet | ❌ | | Report Preview | ✅ | | Auto Lineage | ✅ | | Manual Lineage | ✅ | | Secure Authentication via Credential Manager | ✅ | | Data Quality | ❌ | | DAM (Data Access Management) | ❌ | | Bridge | ✅ | | [Chrome Extension Supported](https://docs.ovaledge.com/home/browser-extension/features-and-operations#view-certification-status) | ✅ | ### Metadata Mapping The metadata objects that can be extracted from Power BI Cloud using REST APIs include tenant, workspace, report, page, and semantic model metadata. For more details, click [here](https://docs.ovaledge.com/connectors/connector-repositories/reporting-tool/power-bi/power-bi-cloud/power-bi-rest-apis-metadata). The following objects are crawled from Power BI Cloud and mapped to the corresponding UI assets. | Source Object | Source Attribute | OvalEdge Attribute | OvaEdge Category | OvalEdge Type | | ---------------------------------- | --------------------- | ------------------ | ---------------- | ----------------------------------------- | | Workspaces | Workspace | Report Group | Reports | Workspaces | | Workspaces | Workspace description | source description | description | Workspaces | | Reports | Reports Name | Report Name | Reports | Reports | | Reports | Report description | source description | description | Reports | | Reports | Report Type | type | Reprots | Dashboard, Report, Tile, Paginated report | | Reports | webUrl | contentUrl | Reports | Reports | | Pages | Page Name | Report Name | Reports | Page | | Pages | Page description | source description | Reports | Page | | Pages | Page type | type | Reports | Page | | Dataset/Semantic Model | Dataset Name | Dataset Name | Reports | Dataset, Dataflow | | Dataset/Semantic Model | Dataset Description | source description | description | Dataset, Dataflow | | Dataset/Semantic Model | Dataset Type | type | Reports | Dataset, Dataflow | | Datset/Semantic Model Tables | Table Name | Table name | Table | | | Datset/Semantic Model Tables | Description | source description | | | | Datset/Semantic Model Table Fields | Field Name | Column name | Column | Measure, TField | | Datset/Semantic Model Table Fields | Description | source description | Column | Measure, TField | | Datset/Semantic Model Table Fields | Field Type | type | Column | Measure, TField | | Datset/Semantic Model Table Fields | Expression | Formula | Column | Measure, TField | The following metadata information can be extracted only from the PBIX file: | Source Object | Source Attribute | OvalEdge Attribute | OvaEdge Category | OvalEdge Type | | ------------- | ----------------- | ------------------ | ---------------- | -------------------------- | | Visual | Visual Name | Report Name | Reports | Visual | | Visual | Visual type | type | Reports | Bar chart, pie chart etc.. | | Visual Fields | Visual Field Name | Column name | Report Field | Measure, TField | | Visual Fields | Description | source description | Report Field | Measure, TField | | Visual Fields | Visual Field Type | type | Report Field | Measure, TField | | Visual Fields | Expression | Formula | Report Field | Measure, TField | ## Set up a Connection ### Prerequisites The following are the prerequisites to establish a connection: For detailed prerequisite configuration steps in **Azure** and **Power BI** (including **App Registration**, **Security Group creation**, and **Power BI Admin Portal settings**), refer to the [**Power BI Cloud System Configuration**](https://docs.ovaledge.com/connectors/connector-repositories/reporting-tool/power-bi/power-bi-cloud/power-bi-cloud-system-configuration)**.** #### **Service Account User Permissions** {% hint style="warning" %} It is recommended to use a separate service account to establish the connection to the data source, configured with the following minimum set of permissions. {% endhint %} {% hint style="info" %} 👨‍💻Who can provide these permissions? These permissions are typically granted by the Power BI Cloud administrator, as users may not have the required access to assign them independently. {% endhint %}

Objects	Access Permission
Connector Validation	Service Principal with Admin API Access or Service User with Admin rights
Crawling	Service Principal with Admin API Access or Service User with Admin rights
Lineage	Service Principal with Admin API Access or Service User with Admin rights
Delta Crawl	Service Principal with Admin API Access or Service User with Admin rights
Semantic Model / Dataset	Service Principal with Admin API Access or Service User with Admin rights
Report	Service Principal with Admin API Access or Service User with Admin rights
Pages	Service Principal with Admin API Access or Service User with Admin rights
Visuals	Service Principal with Admin API Access or Service User with Admin rights

#### Service Principal Configuration When Service Principal authentication is used, the service principal must be added to the Power BI workspace with one of the following roles: * Admin * Member {% hint style="info" %} For Service Principal authentication, API-level administrative permissions alone are insufficient. Viewer and Contributor workspace roles do not support PBIX export operations. {% endhint %} **OAuth-Based Authentication Using Service Principal** Service Principal authentication in OvalEdge uses the Microsoft-recommended **OAuth 2.0** framework secured by **Microsoft Entra ID (Azure Active Directory)** to access Power BI REST APIs. Power BI REST APIs are protected by Microsoft Entra ID and require OAuth authentication for application integrations. OvalEdge supports this through Service Principal authentication, which is Microsoft’s standard non-interactive authentication approach for system integrations. At a high level, the authentication process works as follows: * An application is registered in Microsoft Entra ID (Azure AD). * Required Power BI API permissions are configured for the application. * An OAuth 2.0 access token is generated. * Power BI REST API calls are executed using the generated secure access token. This method does not require storage of user credentials and aligns with enterprise security standards for automated integrations. {% hint style="warning" %} OAuth token generation is handled internally by OvalEdge. Users only need to provide the Azure application details during connection configuration. {% endhint %} #### Service User Configuration When **Service User (Username and Password) authentication** is used, the service user must be added to the Power BI workspace with one of the following roles: * **Contributor** * **Viewer** {% hint style="info" %} Access to workspaces, reports, and datasets is based on the permissions assigned to the service user in Power BI. {% endhint %} ### Connection Configuration Steps {% hint style="info" %} Users are required to have the Connector Creator role in order to configure a new connection. {% endhint %} 1. Log into **OvalEdge**, go to **Administration > Connectors**, click **+ (New Connector)**, search for **Power BI**, and complete the required parameters. {% hint style="info" %} Fields marked with an asterisk (\*) are mandatory for establishing a connection. {% endhint %}

Field Name	Description
Connector Type	By default, "PowerBI Cloud" is displayed as the selected connector type.
Server Type*	From the dropdown list options (powerbionpremise/powerbicloud), select powerbicloud.
Authentication*	Power BI Cloud supports two types of authentication. Username and Password (Service User) Service Principal Note: Service User authentication requires a Power BI user account, while Service Principal authentication requires an Azure Entra ID application with Azure AD app configuration and workspace role assignment. An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal.

Field Name

Description

Connector Type

By default, "PowerBI Cloud" is displayed as the selected connector type.

Server Type*

From the dropdown list options (powerbionpremise/powerbicloud), select powerbicloud.

Authentication*

Power BI Cloud supports two types of authentication.

Username and Password (Service User)
Service Principal

Note: Service User authentication requires a Power BI user account, while Service Principal authentication requires an Azure Entra ID application with Azure AD app configuration and workspace role assignment. An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal.

{% tabs %} {% tab title="Username and Password (Service User)" %}

Field Name	Description
Credential Manager*	Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on your selection. Supported Credential Managers: OE Credential Manager AWS Secrets Manager HashiCorp Azure Key Vault
License Add Ons	Select the checkbox for Auto Lineage Add-On to build data lineage automatically.
PBIX/PBIT Source*	Enter the PBIX/PBIT Source. It has two options. Local Drive One Drive
Connector Name*	Enter a unique name for the Power BI Cloud connection (Example: "PowerBICloud").
Connector Environment	Select the environment (Example: PROD, STG) configured for the connector.
Connector Description	Enter a brief description of the connector.
One Drive Connection*	Provide the OneDrive connector ID. Note: This field gets populated if the PBIX/PBIT Source is selected as OneDrive.
OneDrive Folder Name	Provide the OneDrive folder Name. Note: This field gets populated if the PBIX/PBIT Source is selected as OneDrive.
Client Id*	A unique identifier generated during app registration in Azure AD is used to authenticate the app in Power BI.
Client Secret*	A confidential key is generated during app registration and used to authenticate the app securely.
Tenant	An organization that owns and manages the Microsoft cloud instance (e.g., organization.onmicrosoft.com)
Tenant Id*	A unique identifier for the Azure AD instance is used to authenticate the app within the tenant.
Username*	Enter the service account username set up to access the Power BI Cloud (Example: "oesauser").
Password*	Enter the password associated with the service account user (Example: "password").
Files Path*	Provide the server file path to temporarily store exported PBIX files.
Premium reports(Y/N)	Select the Premium Report option. When the option is Yes, the user can crawl the report's dataset, and when the premium option is selected as NO, the user can only view the report.
Okta Enabled(Y/N)	If Okta is enabled for the given service user, enter ‘Y’; otherwise, enter ‘N’.
Read From NFS(Y/N)	To retrieve reports directly from the folder without connecting to the Power BI service, enter 'Y'; otherwise, enter 'N’.
Crawl Hidden Pages(Y/N)	To crawl the hidden pages, enter ‘Y’; otherwise, enter 'N’.
Plugin Open In PowerBI Apps(Y/N)	To open the reports using Apps in Power BI, enter ‘Y’. Else enter ‘N’. Note: Reports will open via apps if available; otherwise, they'll open through workspaces.
Proxy Enabled*	Select Yes to route API calls through a proxy server. Select No to bypass the proxy and connect directly.

{% endtab %} {% tab title="Service Principal" %}

Field Name	Description
Credential Manager*	Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on your selection. Supported Credential Managers: OE Credential Manager AWS Secrets Manager HashiCorp Azure Key Vault
License Add Ons	Select the checkbox for Auto Lineage Add-On to build data lineage automatically.
PBIX/PBIT Source*	Enter the PBIX/PBIT Source. It has two options. Local Drive One Drive
Connector Name*	Enter a unique name for the Power BI Cloud connection (Example: "PowerBICloud").
Connector Environment	Select the environment (Example: PROD, STG) configured for the connector.
Connector Description	Enter a brief description of the connector.
One Drive Connection*	Provide the OneDrive connector ID. Note: This field gets populated if the PBIX/PBIT Source is selected as OneDrive.
OneDrive Folder Name	Provide the OneDrive folder Name. Note: This field gets populated if the PBIX/PBIT Source is selected as OneDrive.
Client Id*	A unique identifier generated during app registration in Azure AD is used to authenticate the app in Power BI.
Client Secret*	A confidential key is generated during app registration and used to authenticate the app securely.
Tenant	An organization that owns and manages the Microsoft cloud instance (e.g., organization.onmicrosoft.com)
Tenant Id*	A unique identifier for the Azure AD instance is used to authenticate the app within the tenant.
Files Path*	Provide the server file path to temporarily store exported PBIX files.
Premium reports(Y/N)	Select the Premium Report option. When the option is Yes, the user can crawl the report's dataset, and when the premium option is selected as NO, the user can only view the report.
Okta Enabled(Y/N)	If Okta is enabled for the given service user, enter ‘Y’; otherwise, enter ‘N’.
Read From NFS(Y/N)	To retrieve reports directly from the folder without connecting to the Power BI service, enter 'Y'; otherwise, enter 'N’.
Crawl Hidden Pages(Y/N)	To crawl the hidden pages, enter ‘Y’; otherwise, enter 'N’.
Plugin Open In PowerBI Apps(Y/N)	To open the reports using Apps in Power BI, enter ‘Y’. Else enter ‘N’. Note: Reports will open via apps if available; otherwise, they'll open through workspaces.
Proxy Enabled*	Select Yes to route API calls through a proxy server. Select No to bypass the proxy and connect directly.

{% endtab %} {% endtabs %} **Default Governance Roles**


Default Governance Roles*	Select the appropriate users or teams for each governance role from the drop-down list. All users configured in the security settings are available for selection.

**Admin Roles**


Admin Roles*	Select one or more users from the drop-down list for Integration Admin and Security & Governance Admin. All users configured in the security settings are available for selection.

**No of Archive Objects**


No Of Archive Objects*	This shows the number of recent metadata changes to a dataset at the source. By default, it is off. To enable it, toggle the Archive button and specify the number of objects to archive. Example: Setting it to 4 retrieves the last four changes, displayed in the 'Version' column of the 'Metadata Changes' module.

No Of Archive Objects*

This shows the number of recent metadata changes to a dataset at the source. By default, it is off. To enable it, toggle the Archive button and specify the number of objects to archive.

Example: Setting it to 4 retrieves the last four changes, displayed in the 'Version' column of the 'Metadata Changes' module.

**Bridge**


Select Bridge*	If applicable, select the bridge from the drop-down list. The drop-down list displays all active bridges that have been configured. These bridges facilitate communication between data sources and the system without requiring changes to firewall rules.

Select Bridge*

If applicable, select the bridge from the drop-down list.

The drop-down list displays all active bridges that have been configured. These bridges facilitate communication between data sources and the system without requiring changes to firewall rules.

2. After entering all connection details, the following actions can be performed: 1. Click **Validate** to verify the connection. 2. Click **Save** to store the connection for future use. 3. Click **Save & Configure** to apply additional settings before saving. 3. The saved connection will appear on the Connectors home page. ## Manage Connector Operations ### Crawl {% hint style="warning" %} To perform crawl operations, users must be assigned the Integration Admin role. {% endhint %} The **Crawl/Profile** button allows users to select one or more **schemas** for crawling. 1. Navigate to the **Connectors** page and click **Crawl/Profile**. 2. Select the schemas to be crawled. 3. The Crawl option is selected by default. 4. Click **Run** to collect metadata from the connected source and load it into the **Data Catalog**. 5. After a successful crawl, the information appears in the **Data Catalog > Report / Report Column** tab. The Schedule checkbox allows automated crawling and profiling at defined intervals, from a minute to a year. 1. Click the **Schedule** checkbox to enable the **Select Period drop-down**. 2. Select a time period for the operation from the drop-down menu. 3. Click **Schedule** to initiate metadata collection from the connected source. 4. The system will automatically execute the **crawl** operation at the scheduled time. #### **Other Operations** The Connectors page provides a centralized view of all configured connectors, along with their health status. **Managing connectors includes:** * **Connector Health**: Displays the current status of each connector using a **green** icon for active connections and a **red** icon for inactive connections, helping to monitor the connectivity with data sources. * **Viewing**: Click the **Eye icon** next to the connector name to view connector details, including databases, tables, columns, and codes. **Nine Dots Menu Options:** To view, edit, validate, build lineage, configure, or delete connectors, click on the **Nine Dots menu**. * **Edit Connector:** Update and revalidate the data source. * **Validate Connector**: Check the connection's integrity. * **Settings**: Modify connector settings. * **Crawler**: Configure data extraction. * **Access Instructions:** Add notes on how data can be accessed. * **Business Glossary Settings**: Manage term associations at the connector level. * **Lineage**: Configure Server Dialects for source code parsing and Connector Priority for table lineage connection. * **Others**: Configure notification recipients for metadata changes. * **Build Lineage**: Automatically build data lineage using source code parsing. * **Delete Connector**: Remove a connector with confirmation. ## Limitations ### Power BI Embedded – Embed Token Limitations

Sl. No.	Scenario	Limitation
1	Dedicated Capacity (A, EM, P SKU)	No published limit on the number of embed tokens that can be generated. Embed token usage can be monitored using the “Available Features” API.
2	Shared Capacity / Pro / PPU Licensing	Embed token generation is limited (not published) and intended only for development/testing. Users may receive the error: “You have exceeded the amount of embed token that can be generated on a shared or ProPlus capacity.”
3	Shared Capacity / Pro / PPU Licensing	Microsoft states embed tokens generated under Pro/PPU are meant only for development testing. To avoid limitations, dedicated capacity (A/EM/P SKU) is required for production embedding.

### Power BI REST API – PBIX Export Limitations

Sl. No.	Limitation Type	Limitation
1	Report Type Limitation	Reports created directly in Power BI Service (online editing) cannot be exported as .pbix using REST API.
2	Report Type Limitation	Reports using Live Connection / DirectQuery to another dataset do not support PBIX export.
3	Report Type Limitation	Reports using Dataflows, Analysis Services live connection, or composite models cannot be exported using REST API.
4	File Size Limitation	Exporting large PBIX files (greater than 1 GB uncompressed) may fail or time out. Microsoft does not officially guarantee export success beyond approximately 500 MB.