# Power BI (Cloud) This article outlines the integration with the Power BI Cloud connector, enabling efficient data management through features such as crawling, report preview, and lineage building (both automatic and manual). It also ensures secure authentication via Credential Manager. Power BI Cloud connector supports the following authentication types: * **Service User (Username and Password) Authentication**\ Service User Authentication uses a **Power BI user account**. Access to workspaces, reports, and datasets is based on the permissions assigned to the service user. * **Service Principal Authentication**\ Service Principal Authentication uses an **Azure Entra ID application**. Access is based on the Azure AD app configuration and workspace role assignment. It is configured to call **read-only admin APIs**, the Azure AD application must not have any **admin-consent required Power BI permissions** configured in the Azure portal.

## **Overview** ### **Connector Details** | Connector Category | Report System | | ------------------------------------------------------------------------------ | ---------------------- | | OvalEdge Release Supported | Release6.3.x and later | |

Connectivity

\[How OvalEdge connects to Power BI Cloud ]

| REST APIs | | Power BI Cloud Versions | Cloud Version | ### **Connector Features** | Feature | Availability | | -------------------------------------------------------------------------------------------------------------------------------- | :----------: | | Crawling | ✅ | | Delta Crawling | ✅ | | Profiling | ❌ | | Query Sheet | ❌ | | Report Preview | ✅ | | Auto Lineage | ✅ | | Manual Lineage | ✅ | | Secure Authentication via Credential Manager | ✅ | | Data Quality | ❌ | | DAM (Data Access Management) | ❌ | | Bridge | ✅ | | [Chrome Extension Supported](https://docs.ovaledge.com/home/browser-extension/features-and-operations#view-certification-status) | ✅ | ### Metadata Mapping The metadata objects that can be extracted from Power BI Cloud using REST APIs include tenant, workspace, report, page, and semantic model metadata. For more details, click [here](https://docs.ovaledge.com/release8.1/connectors/connector-repositories/reporting-tool/power-bi/power-bi-cloud/power-bi-rest-apis-metadata). The following objects are crawled from Power BI Cloud and mapped to the corresponding UI assets.

Source Object	Source Attribute	OvalEdge Attribute	OvaEdge Category	OvalEdge Type
Workspaces	Workspace	Report Group	Reports	Workspaces
Workspaces	Workspace description	source description	description	Workspaces
Reports	Reports Name	Report Name	Reports	Reports
Reports	Report description	source description	description	Reports
Reports	Report Type	type	Reprots	Dashboard, Report, Tile, Paginated report
Reports	webUrl	contentUrl	Reports	Reports
Pages	Page Name	Report Name	Reports	Page
Pages	Page description	source description	Reports	Page
Pages	Page type	type	Reports	Page
Dataset/Semantic Model	Dataset Name	Dataset Name	Reports	Dataset, Dataflow
Dataset/Semantic Model	Dataset Description	source description	description	Dataset, Dataflow
Dataset/Semantic Model	Dataset Type	type	Reports	Dataset, Dataflow
Datset/Semantic Model Tables	Table Name	Table name	Table
Datset/Semantic Model Tables	Description	source description
Datset/Semantic Model Table Fields	Field Name	Column name	Column	Measure, TField
Datset/Semantic Model Table Fields	Description	source description	Column	Measure, TField
Datset/Semantic Model Table Fields	Field Type	type	Column	Measure, TField
Datset/Semantic Model Table Fields	Expression	Formula	Column	Measure, TField

The following metadata information can be extracted only from the PBIX file: | Source Object | Source Attribute | OvalEdge Attribute | OvaEdge Category | OvalEdge Type | | ------------- | ----------------- | ------------------ | ---------------- | -------------------------- | | Visual | Visual Name | Report Name | Reports | Visual | | Visual | Visual type | type | Reports | Bar chart, pie chart etc.. | | Visual Fields | Visual Field Name | Column name | Report Field | Measure, TField | | Visual Fields | Description | source description | Report Field | Measure, TField | | Visual Fields | Visual Field Type | type | Report Field | Measure, TField | | Visual Fields | Expression | Formula | Report Field | Measure, TField | ## Set up a Connection ### Prerequisites The following are the prerequisites to establish a connection: For detailed prerequisite configuration steps in **Azure** and **Power BI** (including **App Registration**, **Security Group creation**, and **Power BI Admin Portal settings**), refer to the [**Power BI Cloud System Configuration**](https://docs.ovaledge.com/release8.1/connectors/connector-repositories/reporting-tool/power-bi/power-bi-cloud/power-bi-cloud-system-configuration)**.** For the minimum required **Azure DevOps Personal Access Token (PAT)** permissions, repository access requirements, and **PAT configuration** steps required for **PBIP** metadata extraction, refer to the [**Azure DevOps PAT Permissions for PBIP Extraction**](https://docs.ovaledge.com/release8.1/connectors/connector-repositories/reporting-tool/power-bi/power-bi-cloud/azure-devops-pat-permissions-for-pbip-extraction). #### **Service Account User Permissions** {% hint style="warning" %} It is recommended to use a separate service account to establish the connection to the data source, configured with the following minimum set of permissions. {% endhint %} {% hint style="info" %} 👨‍💻Who can provide these permissions? These permissions are typically granted by the Power BI Cloud administrator, as users may not have the required access to assign them independently. {% endhint %}

Objects	Access Permission
Connector Validation	Service Principal with Admin API Access or Service User with Admin rights
Crawling	Service Principal with Admin API Access or Service User with Admin rights
Lineage	Service Principal with Admin API Access or Service User with Admin rights
Delta Crawl	Service Principal with Admin API Access or Service User with Admin rights
Semantic Model / Dataset	Service Principal with Admin API Access or Service User with Admin rights
Report	Service Principal with Admin API Access or Service User with Admin rights
Pages	Service Principal with Admin API Access or Service User with Admin rights
Visuals	Service Principal with Admin API Access or Service User with Admin rights

#### Service Principal **Grant Access to Power Workspace** When Service Principal authentication is used, the service principal must be added to the Power BI workspace with one of the following roles: * Admin * Member {% hint style="info" %} For Service Principal authentication, API-level administrative permissions alone are insufficient. Viewer and Contributor workspace roles do not support PBIX export operations. {% endhint %} **OAuth-Based Authentication Using Service Principal** Service Principal authentication in OvalEdge uses the Microsoft-recommended **OAuth 2.0** framework secured by **Microsoft Entra ID (Azure Active Directory)** to access Power BI REST APIs. Power BI REST APIs are protected by Microsoft Entra ID and require OAuth authentication for application integrations. OvalEdge supports this through Service Principal authentication, which is Microsoft’s standard non-interactive authentication approach for system integrations. At a high level, the authentication process works as follows: * An application is registered in Microsoft Entra ID (Azure AD). * Required Power BI API permissions are configured for the application. * An OAuth 2.0 access token is generated. * Power BI REST API calls are executed using the generated secure access token. This method does not require storage of user credentials and aligns with enterprise security standards for automated integrations. {% hint style="warning" %} OAuth token generation is handled internally by OvalEdge. Users only need to provide the Azure application details during connection configuration. {% endhint %} #### Service User Configuration **Grant Access to Power Workspace** When **Service User (Username and Password) authentication** is used, the service user must be added to the Power BI workspace with one of the following roles: * **Contributor** * **Viewer** {% hint style="info" %} Access to workspaces, reports, and datasets is based on the permissions assigned to the service user in Power BI. {% endhint %} #### Azure DevOps (PBIP) * Personal Access Token (PAT) must have access to the target project repositories. * Organization and Project ID must match the Azure DevOps project. * Ensure required access permissions are available for repository read operations. {% hint style="info" %} When Azure DevOps (PBIP) is selected, the system retrieves report metadata during crawl and generates report, page, and visual details. Review crawl logs for success or warnings. If duplicate report names exist across repositories, selection may require log review. Ensure the file path is valid and accessible. {% endhint %} ### Connection Configuration Steps {% hint style="info" %} Users are required to have the Connector Creator role in order to configure a new connection. {% endhint %} 1. Log into **OvalEdge**, go to **Administration > Connectors**, click **+ (New Connector)**, search for **Power BI**, and complete the required parameters. {% hint style="info" %} Fields marked with an asterisk (\*) are mandatory for establishing a connection. {% endhint %}

Field Name	Description
Connector Type	By default, "PowerBI Cloud" is displayed as the selected connector type.
Server Type*	From the dropdown list options (powerbionpremise/powerbicloud), select powerbicloud.
Authentication*	Power BI Cloud supports two types of authentication. Username and Password (Service User) Service Principal Note: Service User authentication requires a Power BI user account, while Service Principal authentication requires an Azure Entra ID application with Azure AD app configuration and workspace role assignment. An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal.

Field Name

Description

Connector Type

By default, "PowerBI Cloud" is displayed as the selected connector type.

Server Type*

From the dropdown list options (powerbionpremise/powerbicloud), select powerbicloud.

Authentication*

Power BI Cloud supports two types of authentication.

Username and Password (Service User)
Service Principal

Note: Service User authentication requires a Power BI user account, while Service Principal authentication requires an Azure Entra ID application with Azure AD app configuration and workspace role assignment. An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal.

{% tabs %} {% tab title="Username and Password (Service User)" %}

Field Name	Description
Credential Manager*	Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on your selection. Supported Credential Managers: OE Credential Manager AWS Secrets Manager HashiCorp Azure Key Vault
License Add Ons	Select the checkbox for Auto Lineage Add-On to build data lineage automatically.
PBIX/PBIT/PBIP Source*	Enter the PBIX/PBIT/PBIP Source. Select an option from the drop-down. Local Drive One Drive Azure DevOps PBIP
Connector Name*	Enter a unique name for the Power BI Cloud connection (Example: "PowerBICloud").
Connector Environment	Select the environment (Example: PROD, STG) configured for the connector.
Connector Description	Enter a brief description of the connector.
One Drive Connection*	Provide the OneDrive connector ID. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as OneDrive.
OneDrive Folder Name	Provide the OneDrive folder Name. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as OneDrive.
Organization*	Enter the Azure DevOps organization name associated with the target project. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.
Project Id*	Enter the Project ID corresponding to the Azure DevOps project from which PBIP metadata will be retrieved. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.
Personal Access Token*	Enter a valid Personal Access Token (PAT) with access to the target project repositories to enable authentication and metadata extraction. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.
Extended Validation (Yes/No)	Enable or disable extended validation for the selected Local Drive source. Enter Yes to perform additional validation checks during processing, or No to proceed with standard validation only.
Client Id*	A unique identifier generated during app registration in Azure AD is used to authenticate the app in Power BI.
Client Secret*	A confidential key is generated during app registration and used to authenticate the app securely.
Tenant	An organization that owns and manages the Microsoft cloud instance (e.g., organization.onmicrosoft.com)
Tenant Id*	A unique identifier for the Azure AD instance is used to authenticate the app within the tenant.
Username*	Enter the service account username set up to access the Power BI Cloud (Example: "oesauser").
Password*	Enter the password associated with the service account user (Example: "password").
Files Path*	Provide the server file path to temporarily store exported PBIX files.
Premium reports(Y/N)	Select the Premium Report option. When the option is Yes, the user can crawl the report's dataset, and when the premium option is selected as NO, the user can only view the report.
Okta Enabled(Y/N)	If Okta is enabled for the given service user, enter ‘Y’; otherwise, enter ‘N’.
Read From NFS(Y/N)	To retrieve reports directly from the folder without connecting to the Power BI service, enter 'Y'; otherwise, enter 'N’.
Crawl Hidden Pages(Y/N)	To crawl the hidden pages, enter ‘Y’; otherwise, enter 'N’.
Plugin Open In PowerBI Apps(Y/N)	To open the reports using Apps in Power BI, enter ‘Y’. Else enter ‘N’. Note: Reports will open via apps if available; otherwise, they'll open through workspaces.
Exclude Auto-Generated Reports(Yes/No)	Enable or disable exclusion of system-generated reports. Enter Yes to skip auto-generated reports during processing, or No to include them.
Proxy Enabled*	Select Yes to route API calls through a proxy server. Select No to bypass the proxy and connect directly.

{% endtab %} {% tab title="Service Principal" %}

Field Name	Description
Credential Manager*	Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on your selection. Supported Credential Managers: OE Credential Manager AWS Secrets Manager HashiCorp Azure Key Vault
License Add Ons	Select the checkbox for Auto Lineage Add-On to build data lineage automatically.
PBIX/PBIT/PBIP Source*	Enter the PBIX/PBIT/PBIP Source. Select an option from the drop-down. Local Drive One Drive Azure DevOps PBIP
Connector Name*	Enter a unique name for the Power BI Cloud connection (Example: "PowerBICloud").
Connector Environment	Select the environment (Example: PROD, STG) configured for the connector.
Connector Description	Enter a brief description of the connector.
One Drive Connection*	Provide the OneDrive connector ID. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as OneDrive.
OneDrive Folder Name	Provide the OneDrive folder Name. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as OneDrive.
Organization*	Enter the Azure DevOps organization name associated with the target project. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.
Project Id*	Enter the Project ID corresponding to the Azure DevOps project from which PBIP metadata will be retrieved. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.
Personal Access Token*	Enter a valid PAT with access to the target project repositories to enable authentication and metadata extraction. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.
Extended Validation (Yes/No)	Enable or disable extended validation for the selected Local Drive source. Enter Yes to perform additional validation checks during processing, or No to proceed with standard validation only.
Client Id*	A unique identifier generated during app registration in Azure AD is used to authenticate the app in Power BI.
Client Secret*	A confidential key is generated during app registration and used to authenticate the app securely.
Tenant	An organization that owns and manages the Microsoft cloud instance (e.g., organization.onmicrosoft.com)
Tenant Id*	A unique identifier for the Azure AD instance is used to authenticate the app within the tenant.
Files Path*	Provide the server file path to temporarily store exported PBIX files.
Premium reports(Y/N)	Select the Premium Report option. When the option is Yes, the user can crawl the report's dataset, and when the premium option is selected as NO, the user can only view the report.
Okta Enabled(Y/N)	If Okta is enabled for the given service user, enter ‘Y’; otherwise, enter ‘N’.
Read From NFS(Y/N)	To retrieve reports directly from the folder without connecting to the Power BI service, enter 'Y'; otherwise, enter 'N’.
Crawl Hidden Pages(Y/N)	To crawl the hidden pages, enter ‘Y’; otherwise, enter 'N’.
Plugin Open In PowerBI Apps(Y/N)	To open the reports using Apps in Power BI, enter ‘Y’. Else enter ‘N’. Note: Reports will open via apps if available; otherwise, they'll open through workspaces.
Exclude Auto-Generated Reports(Yes/No)	Enable or disable exclusion of system-generated reports. Enter Yes to skip auto-generated reports during processing, or No to include them.
Proxy Enabled*	Select Yes to route API calls through a proxy server. Select No to bypass the proxy and connect directly.

{% endtab %} {% endtabs %} **Default Governance Roles**


Default Governance Roles*	Select the appropriate users or teams for each governance role from the drop-down list. All users configured in the security settings are available for selection.

**Admin Roles**


Admin Roles*	Select one or more users from the drop-down list for Integration Admin and Security & Governance Admin. All users configured in the security settings are available for selection.

**No of Archive Objects**


No Of Archive Objects*	This shows the number of recent metadata changes to a dataset at the source. By default, it is off. To enable it, toggle the Archive button and specify the number of objects to archive. Example: Setting it to 4 retrieves the last four changes, displayed in the 'Version' column of the 'Metadata Changes' module.

No Of Archive Objects*

This shows the number of recent metadata changes to a dataset at the source. By default, it is off. To enable it, toggle the Archive button and specify the number of objects to archive.

Example: Setting it to 4 retrieves the last four changes, displayed in the 'Version' column of the 'Metadata Changes' module.

**Bridge**


Select Bridge*	If applicable, select the bridge from the drop-down list. The drop-down list displays all active bridges that have been configured. These bridges facilitate communication between data sources and the system without requiring changes to firewall rules.

Select Bridge*

If applicable, select the bridge from the drop-down list.

The drop-down list displays all active bridges that have been configured. These bridges facilitate communication between data sources and the system without requiring changes to firewall rules.

2. After entering all connection details, the following actions can be performed: 1. Click **Validate** to verify the connection. 2. Click **Save** to store the connection for future use. 3. Click **Save & Configure** to apply additional settings before saving. 3. The saved connection will appear on the Connectors home page. ## Manage Connector Operations ### Crawl {% hint style="warning" %} To perform crawl operations, users must be assigned the Integration Admin role. {% endhint %} The **Crawl/Profile** button allows users to select one or more **schemas** for crawling. 1. Navigate to the **Connectors** page and click **Crawl/Profile**. 2. Select the schemas to be crawled. 3. The Crawl option is selected by default. 4. Click **Run** to collect metadata from the connected source and load it into the **Data Catalog**. 5. After a successful crawl, the information appears in the **Data Catalog > Report / Report Column** tab. The Schedule checkbox allows automated crawling and profiling at defined intervals, from a minute to a year. 1. Click the **Schedule** checkbox to enable the **Select Period drop-down**. 2. Select a time period for the operation from the drop-down menu. 3. Click **Schedule** to initiate metadata collection from the connected source. 4. The system will automatically execute the **crawl** operation at the scheduled time. #### **Other Operations** The Connectors page provides a centralized view of all configured connectors, along with their health status. **Managing connectors includes:** * **Connector Health**: Displays the current status of each connector using a **green** icon for active connections and a **red** icon for inactive connections, helping to monitor the connectivity with data sources. * **Viewing**: Click the **Eye icon** next to the connector name to view connector details, including databases, tables, columns, and codes. **Nine Dots Menu Options:** To view, edit, validate, build lineage, configure, or delete connectors, click on the **Nine Dots menu**. * **Edit Connector:** Update and revalidate the data source. * **Validate Connector**: Check the connection's integrity. * **Settings**: Modify connector settings. * **Crawler**: Configure data extraction. * **Access Instructions:** Add notes on how data can be accessed. * **Business Glossary Settings**: Manage term associations at the connector level. * **Lineage**: Configure Server Dialects for source code parsing and Connector Priority for table lineage connection. * **Others**: Configure notification recipients for metadata changes. * **Build Lineage**: Automatically build data lineage using source code parsing. * **Delete Connector**: Remove a connector with confirmation. ## Limitations ### Power BI Embedded – Embed Token Limitations

Sl. No.	Scenario	Limitation
1	Dedicated Capacity (A, EM, P SKU)	No published limit on the number of embed tokens that can be generated. Embed token usage can be monitored using the “Available Features” API.
2	Shared Capacity / Pro / PPU Licensing	Embed token generation is limited (not published) and intended only for development/testing. Users may receive the error: “You have exceeded the amount of embed token that can be generated on a shared or ProPlus capacity.”
3	Shared Capacity / Pro / PPU Licensing	Microsoft states embed tokens generated under Pro/PPU are meant only for development testing. To avoid limitations, dedicated capacity (A/EM/P SKU) is required for production embedding.
4	Embed Token Lifetime	Embed tokens expire automatically. The token lifetime is tied to the Microsoft Entra ID access token used during token generation and is typically valid for approximately one hour. The expiration duration cannot be extended.
5	My Workspace Limitation	Embed tokens cannot be generated for reports or content stored in My Workspace. Reports must be located in a Power BI Workspace (App Workspace).
6	Workspace Permission Requirement	The configured Service Principal or Service User must be a member of the workspace containing the report and semantic model. If reports and semantic models exist in different workspaces, access permissions are required for all associated workspaces.
7	Workspace Capacity Requirement	For production embedding scenarios, the workspace must be assigned to Power BI Embedded or Premium capacity. Without dedicated capacity, embedding capabilities are intended only for development and testing purposes.
8	Token Scope Limitation	Embed tokens are generated only for supported artifacts such as reports, semantic models, and dashboards. Some APIs do not support generating a single embed token for multiple dashboards or tiles simultaneously.

### Power BI REST API – PBIX Export Limitations

Sl. No.	Limitation Type	Limitation
1	Report Type Limitation	Reports created directly in Power BI Service (online editing) cannot be exported as .pbix using REST API.
2	Report Type Limitation	Reports using Live Connection / DirectQuery to another dataset do not support PBIX export.
3	Report Type Limitation	Reports using Dataflows, Analysis Services live connection, or composite models cannot be exported using REST API.
4	File Size Limitation	Exporting large PBIX files (greater than 1 GB uncompressed) may fail or time out. Microsoft does not officially guarantee export success beyond approximately 500 MB.
5	Download Permission Requirement	PBIX export operations require the Download .pbix option to be enabled in the workspace or report settings. If the tenant administrator disables PBIX downloads, the REST API export operation fails.
6	Sensitivity Label Limitation	Reports configured with Microsoft Information Protection (MIP) sensitivity labels may restrict or block PBIX export operations depending on tenant-level security configurations.
7	Composite Model Limitation	Some complex composite models, particularly models referencing external semantic models, may not support PBIX export operations through REST APIs.
8	Workspace Permission Requirement	To export PBIX files through REST APIs, the configured Service Principal or Service User must have one of the following workspace roles: Admin, Member, or Contributor. Viewer access does not support PBIX export operations.
9	Export Scope Limitation	REST API export operations support report export only. Export operations are not supported for dashboards, individual visuals, or semantic models independently.

### Power BI Azure DevOps PBIP – Extraction Limitations

Sl. No.	Limitation Type	Limitation
1	Project Scope Limitation	Currently supports processing for a single project within a connection. Support for multiple projects within the same connection is not available.
2	Duplicate Report Name Limitation	Due to ambiguity in identifying reports with identical names across multiple repositories, such reports are skipped during PBIP extraction. This avoids incorrect metadata mapping and may require manual review using crawl logs.

## FAQs

What is the impact of renaming a Power BI workspace on curated metadata?

Renaming a Power BI workspace does **not** inactivate or delete curated metadata in OvalEdge. * The workspace name is updated after re-crawl * The external reference ID remains unchanged * Existing objects remain active * Curated metadata (tags, descriptions, glossary terms, etc.) is retained. **Recommendation:**\ It is safe to rename workspaces at the source. However, it is recommended to validate the change in a development or test environment before applying it in production.

*** Copyright © 2025, OvalEdge LLC, Peachtree Corners GA USA --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.ovaledge.com/release8.1/connectors/connector-repositories/reporting-tool/power-bi/power-bi-cloud.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.