Power BI (Cloud)
This article outlines the integration with the Power BI Cloud connector, enabling efficient data management through features such as crawling, report preview, and lineage building (both automatic and manual). It also ensures secure authentication via Credential Manager.
Power BI Cloud connector supports the following authentication types:
Service User (Username and Password) Authentication: Service User Authentication uses a Power BI user account. Access to workspaces, reports, and datasets is based on the permissions assigned to the service user.
Service Principal Authentication: Service Principal Authentication uses an Azure Entra ID application. Access is based on the Azure AD app configuration and workspace role assignment. When it is configured to call read-only admin APIs, the Azure AD application must not have any admin-consent required Power BI permissions configured in the Azure portal.

Overview
Connector Details
Connector Category: Report System
OvalEdge Release Connector Version: Release 6.3.X
Connectivity (how OvalEdge connects to Power BI Cloud): REST APIs
OvalEdge Releases Supported (Available from): Release 3.0
Power BI Cloud Versions: 1.1.6513.3500 - 1.22.9153.7886
The Power BI Cloud connector has been validated with the mentioned "Verified Power BI Cloud Versions" and is expected to be compatible with other supported Power BI Cloud versions. If there are any issues with validation or metadata crawling, please submit a support ticket for investigation and feedback.
Connector Features
Crawling: ✅
Delta Crawling: ✅
Profiling: ❌
Query Sheet: ❌
Report Preview: ✅
Auto Lineage: ✅
Manual Lineage: ✅
Secure Authentication via Credential Manager: ✅
Data Quality: ❌
DAM (Data Access Management): ❌
Bridge: ✅
Metadata Mapping
The metadata objects that can be extracted from Power BI Cloud using REST APIs include tenant, workspace, report, page, and semantic model metadata.
The following objects are crawled from Power BI Cloud and mapped to the corresponding UI assets.
Workspaces
Workspace
Report Group
Reports
Workspaces
Workspaces
Workspace description
source description
description
Workspaces
Reports
Reports Name
Report Name
Reports
Reports
Reports
Report description
source description
description
Reports
Reports
Report Type
type
Reports
Dashboard, Report, Tile, Paginated report
Reports
webUrl
contentUrl
Reports
Reports
Pages
Page Name
Report Name
Reports
Page
Pages
Page description
source description
Reports
Page
Pages
Page type
type
Reports
Page
Dataset/Semantic Model
Dataset Name
Dataset Name
Reports
Dataset, Dataflow
Dataset/Semantic Model
Dataset Description
source description
description
Dataset, Dataflow
Dataset/Semantic Model
Dataset Type
type
Reports
Dataset, Dataflow
Dataset/Semantic Model Tables
Table Name
Table name
Table
Dataset/Semantic Model Tables
Description
source description
Dataset/Semantic Model Table Fields
Field Name
Column name
Column
Measure, TField
Dataset/Semantic Model Table Fields
Description
source description
Column
Measure, TField
Dataset/Semantic Model Table Fields
Field Type
type
Column
Measure, TField
Dataset/Semantic Model Table Fields
Expression
Formula
Column
Measure, TField
The following metadata information can be extracted only from the PBIX file:
Visual
Visual Name
Report Name
Reports
Visual
Visual
Visual type
type
Reports
Bar chart, pie chart, etc.
Visual Fields
Visual Field Name
Column name
Report Field
Measure, TField
Visual Fields
Description
source description
Report Field
Measure, TField
Visual Fields
Visual Field Type
type
Report Field
Measure, TField
Visual Fields
Expression
Formula
Report Field
Measure, TField
Set up a Connection
Prerequisites
The following are the prerequisites to establish a connection:
For detailed prerequisite configuration steps in Azure and Power BI (including App Registration, Security Group creation, and Power BI Admin Portal settings), refer to the Power BI Cloud System Configuration.
Service Account User Permissions
It is recommended to use a separate service account to establish the connection to the data source, configured with the following minimum set of permissions.
Who can provide these permissions? These permissions are typically granted by the Power BI Cloud administrator, as users may not have the required access to assign them independently.
Connector Validation: Service Principal with Admin API Access or Service User with Admin rights
Crawling: Service Principal with Admin API Access or Service User with Admin rights
Lineage: Service Principal with Admin API Access or Service User with Admin rights
Delta Crawl: Service Principal with Admin API Access or Service User with Admin rights
Semantic Model / Dataset: Service Principal with Admin API Access or Service User with Admin rights
Report: Service Principal with Admin API Access or Service User with Admin rights
Pages: Service Principal with Admin API Access or Service User with Admin rights
Visuals: Service Principal with Admin API Access or Service User with Admin rights
Service Principal Configuration
When Service Principal authentication is used, the service principal must be added to the Power BI workspace with one of the following roles:
Admin
Member
For Service Principal authentication, API-level administrative permissions alone are insufficient. Viewer and Contributor workspace roles do not support PBIX export operations.
OAuth-Based Authentication Using Service Principal
Service Principal authentication in OvalEdge uses the Microsoft-recommended OAuth 2.0 framework secured by Microsoft Entra ID (Azure Active Directory) to access Power BI REST APIs.
Power BI REST APIs are protected by Microsoft Entra ID and require OAuth authentication for application integrations. OvalEdge supports this through Service Principal authentication, which is Microsoft’s standard non-interactive authentication approach for system integrations.
At a high level, the authentication process works as follows:
An application is registered in Microsoft Entra ID (Azure AD).
Required Power BI API permissions are configured for the application.
An OAuth 2.0 access token is generated.
Power BI REST API calls are executed using the generated secure access token.
This method does not require storage of user credentials and aligns with enterprise security standards for automated integrations.
OAuth token generation is handled internally by OvalEdge. Users only need to provide the Azure application details during connection configuration.
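The flow described above can be checked outside OvalEdge before the Azure application details are entered. The following is an added example, not OvalEdge code: it builds the client-credentials token request and audits the claims of a returned access token against the service principal requirements on this page. The function names are hypothetical, and the claim names (aud, tid, appid/azp, scp, roles) and the Power BI resource URI are assumptions based on the standard Microsoft Entra ID access token format.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed audience of Power BI REST API tokens issued by Microsoft Entra ID.
POWER_BI_RESOURCE = "https://analysis.windows.net/powerbi/api"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": POWER_BI_RESOURCE + "/.default",
    })
    return url, body


def decode_claims(access_token):
    """Decode the JWT payload for inspection only (no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_claims(claims, tenant_id, client_id):
    """List findings that conflict with the service principal setup above."""
    findings = []
    if claims.get("aud") != POWER_BI_RESOURCE:
        findings.append("audience is not the Power BI API")
    if claims.get("tid") != tenant_id:
        findings.append("token issued by a different tenant")
    if claims.get("appid", claims.get("azp")) != client_id:
        findings.append("token issued to a different application")
    if "scp" in claims:
        findings.append("delegated (user) token, not app-only")
    if claims.get("roles"):
        # App permissions granted with admin consent surface in "roles".
        findings.append("admin-consented Power BI app permissions: "
                        + ", ".join(claims["roles"]))
    return findings


def make_sample_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])
```

An empty findings list means the token matches the configuration this page requires; a populated roles claim points to admin-consent required Power BI permissions that should be removed from the app registration.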
Service User Configuration
When Service User (Username and Password) authentication is used, the service user must be added to the Power BI workspace with one of the following roles:
Contributor
Viewer
Access to workspaces, reports, and datasets is based on the permissions assigned to the service user in Power BI.
Connection Configuration Steps
Users are required to have the Connector Creator role in order to configure a new connection.
Log into OvalEdge, go to Administration > Connectors, click + (New Connector), search for Power BI, and complete the required parameters.
Fields marked with an asterisk (*) are mandatory for establishing a connection.
Connector Type
By default, "PowerBI Cloud" is displayed as the selected connector type.
Server Type*
From the dropdown list options (powerbionpremise/powerbicloud), select powerbicloud.
Authentication*
Power BI Cloud supports two types of authentication.
Username and Password (Service User)
Service Principal
Note: Service User authentication requires a Power BI user account, while Service Principal authentication requires an Azure Entra ID application with Azure AD app configuration and workspace role assignment. An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal.
Credential Manager*
Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on your selection.
Supported Credential Managers:
OE Credential Manager
AWS Secrets Manager
HashiCorp
Azure Key Vault
License Add Ons
Select the checkbox for Auto Lineage Add-On to build data lineage automatically.
PBIX/PBIT Source*
Enter the PBIX/PBIT Source. It has two options.
Local Drive
One Drive
Connector Name*
Enter a unique name for the Power BI Cloud connection (Example: "PowerBICloud").
Connector Environment
Select the environment (Example: PROD, STG) configured for the connector.
Connector Description
Enter a brief description of the connector.
One Drive Connection*
Provide the OneDrive connector ID.
Note: This field gets populated if the PBIX/PBIT Source is selected as OneDrive.
OneDrive Folder Name
Provide the OneDrive folder name.
Note: This field gets populated if the PBIX/PBIT Source is selected as OneDrive.
Client Id*
A unique identifier generated during app registration in Azure AD is used to authenticate the app in Power BI.
Client Secret*
A confidential key is generated during app registration and used to authenticate the app securely.
Tenant
An organization that owns and manages the Microsoft cloud instance (e.g., organization.onmicrosoft.com)
Tenant Id*
A unique identifier for the Azure AD instance is used to authenticate the app within the tenant.
Username*
Enter the service account username set up to access the Power BI Cloud (Example: "oesauser").
Password*
Enter the password associated with the service account user (Example: "password").
Files Path*
Provide the server file path to temporarily store exported PBIX files.
Premium reports(Y/N)
Select the Premium Report option. When the option is Yes, the user can crawl the report's dataset; when the option is No, the user can only view the report.
Okta Enabled(Y/N)
If Okta is enabled for the given service user, enter ‘Y’; otherwise, enter ‘N’.
Read From NFS(Y/N)
To retrieve reports directly from the folder without connecting to the Power BI service, enter ‘Y’; otherwise, enter ‘N’.
Crawl Hidden Pages(Y/N)
To crawl the hidden pages, enter ‘Y’; otherwise, enter ‘N’.
Plugin Open In PowerBI Apps(Y/N)
To open the reports using Apps in Power BI, enter ‘Y’; otherwise, enter ‘N’.
Note: Reports will open via apps if available; otherwise, they'll open through workspaces.
Proxy Enabled*
Select Yes to route API calls through a proxy server. Select No to bypass the proxy and connect directly.
Credential Manager*
Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on your selection.
Supported Credential Managers:
OE Credential Manager
AWS Secrets Manager
HashiCorp
Azure Key Vault
License Add Ons
Select the checkbox for Auto Lineage Add-On to build data lineage automatically.
PBIX/PBIT Source*
Enter the PBIX/PBIT Source. It has two options.
Local Drive
One Drive
Connector Name*
Enter a unique name for the Power BI Cloud connection (Example: "PowerBICloud").
Connector Environment
Select the environment (Example: PROD, STG) configured for the connector.
Connector Description
Enter a brief description of the connector.
One Drive Connection*
Provide the OneDrive connector ID.
Note: This field gets populated if the PBIX/PBIT Source is selected as OneDrive.
OneDrive Folder Name
Provide the OneDrive folder name.
Note: This field gets populated if the PBIX/PBIT Source is selected as OneDrive.
Client Id*
A unique identifier generated during app registration in Azure AD is used to authenticate the app in Power BI.
Client Secret*
A confidential key is generated during app registration and used to authenticate the app securely.
Tenant
An organization that owns and manages the Microsoft cloud instance (e.g., organization.onmicrosoft.com)
Tenant Id*
A unique identifier for the Azure AD instance is used to authenticate the app within the tenant.
Files Path*
Provide the server file path to temporarily store exported PBIX files.
Premium reports(Y/N)
Select the Premium Report option. When the option is Yes, the user can crawl the report's dataset; when the option is No, the user can only view the report.
Okta Enabled(Y/N)
If Okta is enabled for the given service user, enter ‘Y’; otherwise, enter ‘N’.
Read From NFS(Y/N)
To retrieve reports directly from the folder without connecting to the Power BI service, enter ‘Y’; otherwise, enter ‘N’.
Crawl Hidden Pages(Y/N)
To crawl the hidden pages, enter ‘Y’; otherwise, enter ‘N’.
Plugin Open In PowerBI Apps(Y/N)
To open the reports using Apps in Power BI, enter ‘Y’; otherwise, enter ‘N’.
Note: Reports will open via apps if available; otherwise, they'll open through workspaces.
Proxy Enabled*
Select Yes to route API calls through a proxy server. Select No to bypass the proxy and connect directly.
Default Governance Roles
Default Governance Roles*
Select the appropriate users or teams for each governance role from the drop-down list. All users configured in the security settings are available for selection.
Admin Roles
Admin Roles*
Select one or more users from the drop-down list for Integration Admin and Security & Governance Admin. All users configured in the security settings are available for selection.
No of Archive Objects
No Of Archive Objects*
This shows the number of recent metadata changes to a dataset at the source. By default, it is off. To enable it, toggle the Archive button and specify the number of objects to archive.
Example: Setting it to 4 retrieves the last four changes, displayed in the 'Version' column of the 'Metadata Changes' module.
Bridge
Select Bridge*
If applicable, select the bridge from the drop-down list.
The drop-down list displays all active bridges that have been configured. These bridges facilitate communication between data sources and the system without requiring changes to firewall rules.
After entering all connection details, the following actions can be performed:
Click Validate to verify the connection.
Click Save to store the connection for future use.
Click Save & Configure to apply additional settings before saving.
The saved connection will appear on the Connectors home page.
Manage Connector Operations
Crawl
To perform crawl operations, users must be assigned the Integration Admin role.
The Crawl/Profile button allows users to select one or more schemas for crawling.
Navigate to the Connectors page and click Crawl/Profile.
Select the schemas to be crawled.
The Crawl option is selected by default.
Click Run to collect metadata from the connected source and load it into the Data Catalog.
After a successful crawl, the information appears in the Data Catalog > Report / Report Column tab.
The Schedule checkbox allows automated crawling and profiling at defined intervals, from a minute to a year.
Click the Schedule checkbox to enable the Select Period drop-down.
Select a time period for the operation from the drop-down menu.
Click Schedule to initiate metadata collection from the connected source.
The system will automatically execute the crawl operation at the scheduled time.
Other Operations
The Connectors page provides a centralized view of all configured connectors, along with their health status.
Managing connectors includes:
Connector Health: Displays the current status of each connector using a green icon for active connections and a red icon for inactive connections, helping to monitor the connectivity with data sources.
Viewing: Click the Eye icon next to the connector name to view connector details, including databases, tables, columns, and codes.
Nine Dots Menu Options:
To view, edit, validate, build lineage, configure, or delete connectors, click on the Nine Dots menu.
Edit Connector: Update and revalidate the data source.
Validate Connector: Check the connection's integrity.
Settings: Modify connector settings.
Crawler: Configure data extraction.
Access Instructions: Add notes on how data can be accessed.
Business Glossary Settings: Manage term associations at the connector level.
Lineage: Configure Server Dialects for source code parsing and Connector Priority for table lineage connection.
Others: Configure notification recipients for metadata changes.
Build Lineage: Automatically build data lineage using source code parsing.
Delete Connector: Remove a connector with confirmation.
Limitations
Power BI Embedded – Embed Token Limitations
1. Dedicated Capacity (A, EM, P SKU): No published limit on the number of embed tokens that can be generated. Embed token usage can be monitored using the “Available Features” API.
2. Shared Capacity / Pro / PPU Licensing: Embed token generation is limited (not published) and intended only for development/testing. Users may receive the error: “You have exceeded the amount of embed token that can be generated on a shared or ProPlus capacity.”
3. Shared Capacity / Pro / PPU Licensing: Microsoft states embed tokens generated under Pro/PPU are meant only for development testing. To avoid limitations, dedicated capacity (A/EM/P SKU) is required for production embedding.
Power BI REST API – PBIX Export Limitations
1. Report Type Limitation: Reports created directly in Power BI Service (online editing) cannot be exported as .pbix using REST API.
2. Report Type Limitation: Reports using Live Connection / DirectQuery to another dataset do not support PBIX export.
3. Report Type Limitation: Reports using Dataflows, Analysis Services live connection, or composite models cannot be exported using REST API.
4. File Size Limitation: Exporting large PBIX files (greater than 1 GB uncompressed) may fail or time out. Microsoft does not officially guarantee export success beyond approximately 500 MB.
Copyright © 2025, OvalEdge LLC, Peachtree Corners GA USA