Power BI (Cloud)

This article outlines the integration with the Power BI Cloud connector, enabling efficient data management through features such as crawling, report preview, and lineage building (both automatic and manual). It also ensures secure authentication via Credential Manager.

The Power BI Cloud connector supports the following authentication types:

  • Service User (Username and Password) Authentication: uses a Power BI user account. Access to workspaces, reports, and datasets is based on the permissions assigned to the service user.

  • Service Principal Authentication: uses an Azure Entra ID application. Access is based on the Azure AD app configuration and workspace role assignment. When the application is configured to call read-only admin APIs, it must not have any admin-consent required Power BI permissions configured in the Azure portal.

Overview

Connector Details

| Connector Category | Report System |
| OvalEdge Release Supported | Release 6.3.x and later |
| Connectivity [How OvalEdge connects to Power BI Cloud] | REST APIs |
| Power BI Cloud Versions | Cloud Version |

Connector Features

Feature
Availability

Crawling

Delta Crawling

Profiling

Query Sheet

Report Preview

Auto Lineage

Manual Lineage

Secure Authentication via Credential Manager

Data Quality

DAM (Data Access Management)

Bridge

Metadata Mapping

The metadata objects that can be extracted from Power BI Cloud using REST APIs include tenant, workspace, report, page, and semantic model metadata. For more details, click here.

The following objects are crawled from Power BI Cloud and mapped to the corresponding UI assets.

Source Object
Source Attribute
OvalEdge Attribute
OvalEdge Category
OvalEdge Type

Workspaces

Workspace

Report Group

Reports

Workspaces

Workspaces

Workspace description

source description

description

Workspaces

Reports

Reports Name

Report Name

Reports

Reports

Reports

Report description

source description

description

Reports

Reports

Report Type

type

Reports

Dashboard, Report, Tile, Paginated report

Reports

webUrl

contentUrl

Reports

Reports

Pages

Page Name

Report Name

Reports

Page

Pages

Page description

source description

Reports

Page

Pages

Page type

type

Reports

Page

Dataset/Semantic Model

Dataset Name

Dataset Name

Reports

Dataset, Dataflow

Dataset/Semantic Model

Dataset Description

source description

description

Dataset, Dataflow

Dataset/Semantic Model

Dataset Type

type

Reports

Dataset, Dataflow

Dataset/Semantic Model Tables

Table Name

Table name

Table

Dataset/Semantic Model Tables

Description

source description

Dataset/Semantic Model Table Fields

Field Name

Column name

Column

Measure, TField

Dataset/Semantic Model Table Fields

Description

source description

Column

Measure, TField

Dataset/Semantic Model Table Fields

Field Type

type

Column

Measure, TField

Dataset/Semantic Model Table Fields

Expression

Formula

Column

Measure, TField

The following metadata information can be extracted only from the PBIX file:

Source Object
Source Attribute
OvalEdge Attribute
OvalEdge Category
OvalEdge Type

Visual

Visual Name

Report Name

Reports

Visual

Visual

Visual type

type

Reports

Bar chart, pie chart, etc.

Visual Fields

Visual Field Name

Column name

Report Field

Measure, TField

Visual Fields

Description

source description

Report Field

Measure, TField

Visual Fields

Visual Field Type

type

Report Field

Measure, TField

Visual Fields

Expression

Formula

Report Field

Measure, TField

Set up a Connection

Prerequisites

The following are the prerequisites to establish a connection:

For detailed prerequisite configuration steps in Azure and Power BI (including App Registration, Security Group creation, and Power BI Admin Portal settings), refer to the Power BI Cloud System Configuration.

For the minimum required Azure DevOps Personal Access Token (PAT) permissions, repository access requirements, and PAT configuration steps required for PBIP metadata extraction, refer to the Azure DevOps PAT Permissions for PBIP Extraction.

Service Account User Permissions

👨‍💻Who can provide these permissions? These permissions are typically granted by the Power BI Cloud administrator, as users may not have the required access to assign them independently.

| Objects | Access Permission |
| --- | --- |
| Connector Validation | Service Principal with Admin API Access or Service User with Admin rights |
| Crawling | Service Principal with Admin API Access or Service User with Admin rights |
| Lineage | Service Principal with Admin API Access or Service User with Admin rights |
| Delta Crawl | Service Principal with Admin API Access or Service User with Admin rights |
| Semantic Model / Dataset | Service Principal with Admin API Access or Service User with Admin rights |
| Report | Service Principal with Admin API Access or Service User with Admin rights |
| Pages | Service Principal with Admin API Access or Service User with Admin rights |
| Visuals | Service Principal with Admin API Access or Service User with Admin rights |

Service Principal

Grant Access to Power BI Workspace

When Service Principal authentication is used, the service principal must be added to the Power BI workspace with one of the following roles:

  • Admin

  • Member

For Service Principal authentication, API-level administrative permissions alone are insufficient. Viewer and Contributor workspace roles do not support PBIX export operations.

OAuth-Based Authentication Using Service Principal

Service Principal authentication in OvalEdge uses the Microsoft-recommended OAuth 2.0 framework secured by Microsoft Entra ID (Azure Active Directory) to access Power BI REST APIs.

Power BI REST APIs are protected by Microsoft Entra ID and require OAuth authentication for application integrations. OvalEdge supports this through Service Principal authentication, which is Microsoft’s standard non-interactive authentication approach for system integrations.

At a high level, the authentication process works as follows:

  • An application is registered in Microsoft Entra ID (Azure AD).

  • Required Power BI API permissions are configured for the application.

  • An OAuth 2.0 access token is generated.

  • Power BI REST API calls are executed using the generated secure access token.

This method does not require storage of user credentials and aligns with enterprise security standards for automated integrations.
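The token step above as an added example (not OvalEdge's code): it builds the client-credentials request to Microsoft Entra ID for the Power BI resource and checks a token's claims before the token is used. The tenant ID, client ID and both sample tokens are constructed; it assumes granted application permissions appear in the token's `roles` claim, which is how the admin-consent condition for read-only admin APIs is checked here.

```python
import base64, json, time
from urllib.parse import urlencode
from urllib.request import Request

PBI_RESOURCE = "https://analysis.windows.net/powerbi/api"

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request for the Power BI resource (built, not sent)."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # read from the credential manager, never hard-code
        "scope": PBI_RESOURCE + "/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(jwt, tenant_id, client_id, now=None):
    """Return findings to resolve before using the token; [] means none."""
    now = time.time() if now is None else now
    c = decode_claims(jwt)
    findings = []
    if c.get("aud", "").rstrip("/") != PBI_RESOURCE:
        findings.append("aud is not the Power BI API")
    if c.get("tid") != tenant_id:
        findings.append("token issued by a different tenant")
    if c.get("appid", c.get("azp")) != client_id:
        findings.append("token issued to a different application")
    if c.get("roles"):   # assumption: granted application permissions appear here
        findings.append("application permissions present: " + ", ".join(c["roles"]))
    if c.get("exp", 0) <= now:
        findings.append("token expired")
    return findings

def make_sample_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])

# Constructed sample values (not real identifiers)
TENANT = "00000000-0000-0000-0000-00000000aaaa"
CLIENT = "00000000-0000-0000-0000-00000000bbbb"
NOW = 1_700_000_000
GOOD = make_sample_token({"aud": PBI_RESOURCE, "tid": TENANT, "appid": CLIENT,
                          "exp": NOW + 3600})
BAD = make_sample_token({"aud": PBI_RESOURCE, "tid": TENANT, "appid": CLIENT,
                         "exp": NOW - 60, "roles": ["Tenant.Read.All"]})

if __name__ == "__main__":
    print(build_token_request(TENANT, CLIENT, "<client-secret>").full_url)
    print(preflight(GOOD, TENANT, CLIENT, now=NOW))
    print(preflight(BAD, TENANT, CLIENT, now=NOW))
```

`decode_claims` does not verify the signature, so it is suitable for diagnosing a token you requested yourself, not for making authorization decisions.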

Service User Configuration

Grant Access to Power BI Workspace

When Service User (Username and Password) authentication is used, the service user must be added to the Power BI workspace with one of the following roles:

  • Contributor

  • Viewer

Access to workspaces, reports, and datasets is based on the permissions assigned to the service user in Power BI.

Azure DevOps (PBIP)

  • Personal Access Token (PAT) must have access to the target project repositories.

  • Organization and Project ID must match the Azure DevOps project.

  • Ensure required access permissions are available for repository read operations.

When Azure DevOps (PBIP) is selected, the system retrieves report metadata during crawl and generates report, page, and visual details. Review crawl logs for success or warnings. If duplicate report names exist across repositories, selection may require log review. Ensure the file path is valid and accessible.

Connection Configuration Steps

Users are required to have the Connector Creator role in order to configure a new connection.

  1. Log in to OvalEdge, go to Administration > Connectors, click + (New Connector), search for Power BI, and complete the required parameters.

Fields marked with an asterisk (*) are mandatory for establishing a connection.

Field Name
Description

Connector Type

By default, "PowerBI Cloud" is displayed as the selected connector type.

Server Type*

From the dropdown list options (powerbionpremise/powerbicloud), select powerbicloud.

Authentication*

Power BI Cloud supports two types of authentication.

  • Username and Password (Service User)

  • Service Principal

Note: Service User authentication requires a Power BI user account, while Service Principal authentication requires an Azure Entra ID application with Azure AD app configuration and workspace role assignment. An app using service principal authentication that calls read-only admin APIs must not have any admin-consent required permissions for Power BI set on it in the Azure portal.

Field Name
Description

Credential Manager*

Select the desired credentials manager from the drop-down list. Relevant parameters will be displayed based on your selection.

Supported Credential Managers:

  • OE Credential Manager

  • AWS Secrets Manager

  • HashiCorp

  • Azure Key Vault

License Add Ons

Select the checkbox for Auto Lineage Add-On to build data lineage automatically.

PBIX/PBIT/PBIP Source*

Enter the PBIX/PBIT/PBIP Source. Select an option from the drop-down.

  • Local Drive

  • One Drive

  • Azure DevOps PBIP

Connector Name*

Enter a unique name for the Power BI Cloud connection (Example: "PowerBICloud").

Connector Environment

Select the environment (Example: PROD, STG) configured for the connector.

Connector Description

Enter a brief description of the connector.

One Drive Connection*

Provide the OneDrive connector ID.

Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as OneDrive.

OneDrive Folder Name

Provide the OneDrive folder Name.

Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as OneDrive.

Organization*

Enter the Azure DevOps organization name associated with the target project. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.

Project Id*

Enter the Project ID corresponding to the Azure DevOps project from which PBIP metadata will be retrieved. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.

Personal Access Token*

Enter a valid Personal Access Token (PAT) with access to the target project repositories to enable authentication and metadata extraction. Note: This field gets populated if the PBIX/PBIT/PBIP Source is selected as Azure DevOps PBIP.

Extended Validation (Yes/No)

Enable or disable extended validation for the selected Local Drive source. Enter Yes to perform additional validation checks during processing, or No to proceed with standard validation only.

Client Id*

A unique identifier generated during app registration in Azure AD, used to authenticate the app in Power BI.

Client Secret*

A confidential key generated during app registration, used to authenticate the app securely.

Tenant

An organization that owns and manages the Microsoft cloud instance (e.g., organization.onmicrosoft.com)

Tenant Id*

A unique identifier for the Azure AD instance, used to authenticate the app within the tenant.

Username*

Enter the service account username set up to access the Power BI Cloud (Example: "oesauser").

Password*

Enter the password associated with the service account user (Example: "password").

Files Path*

Provide the server file path to temporarily store exported PBIX files.

Premium reports(Y/N)

Select the Premium Report option. When set to Yes, the user can crawl the report's dataset; when set to No, the user can only view the report.

Okta Enabled(Y/N)

If Okta is enabled for the given service user, enter ‘Y’; otherwise, enter ‘N’.

Read From NFS(Y/N)

To retrieve reports directly from the folder without connecting to the Power BI service, enter ‘Y’; otherwise, enter ‘N’.

Crawl Hidden Pages(Y/N)

To crawl the hidden pages, enter ‘Y’; otherwise, enter ‘N’.

Plugin Open In PowerBI Apps(Y/N)

To open the reports using Apps in Power BI, enter ‘Y’; otherwise, enter ‘N’.

Note: Reports will open via apps if available; otherwise, they'll open through workspaces.

Exclude Auto-Generated Reports(Yes/No)

Enable or disable exclusion of system-generated reports. Enter Yes to skip auto-generated reports during processing, or No to include them.

Proxy Enabled*

Select Yes to route API calls through a proxy server. Select No to bypass the proxy and connect directly.

Default Governance Roles

Default Governance Roles*

Select the appropriate users or teams for each governance role from the drop-down list. All users configured in the security settings are available for selection.

Admin Roles

Admin Roles*

Select one or more users from the drop-down list for Integration Admin and Security & Governance Admin. All users configured in the security settings are available for selection.

No of Archive Objects

No Of Archive Objects*

This shows the number of recent metadata changes to a dataset at the source. By default, it is off. To enable it, toggle the Archive button and specify the number of objects to archive.

Example: Setting it to 4 retrieves the last four changes, displayed in the 'Version' column of the 'Metadata Changes' module.

Bridge

Select Bridge*

If applicable, select the bridge from the drop-down list.

The drop-down list displays all active bridges that have been configured. These bridges facilitate communication between data sources and the system without requiring changes to firewall rules.

  2. After entering all connection details, the following actions can be performed:

    1. Click Validate to verify the connection.

    2. Click Save to store the connection for future use.

    3. Click Save & Configure to apply additional settings before saving.

  3. The saved connection will appear on the Connectors home page.

Manage Connector Operations

Crawl

The Crawl/Profile button allows users to select one or more schemas for crawling.

  1. Navigate to the Connectors page and click Crawl/Profile.

  2. Select the schemas to be crawled.

  3. The Crawl option is selected by default.

  4. Click Run to collect metadata from the connected source and load it into the Data Catalog.

  5. After a successful crawl, the information appears in the Data Catalog > Report / Report Column tab.

The Schedule checkbox allows automated crawling and profiling at defined intervals, from a minute to a year.

  1. Click the Schedule checkbox to enable the Select Period drop-down.

  2. Select a time period for the operation from the drop-down menu.

  3. Click Schedule to initiate metadata collection from the connected source.

  4. The system will automatically execute the crawl operation at the scheduled time.

Other Operations

The Connectors page provides a centralized view of all configured connectors, along with their health status.

Managing connectors includes:

  • Connector Health: Displays the current status of each connector using a green icon for active connections and a red icon for inactive connections, helping to monitor the connectivity with data sources.

  • Viewing: Click the Eye icon next to the connector name to view connector details, including databases, tables, columns, and codes.

Nine Dots Menu Options:

To view, edit, validate, build lineage, configure, or delete connectors, click on the Nine Dots menu.

  • Edit Connector: Update and revalidate the data source.

  • Validate Connector: Check the connection's integrity.

  • Settings: Modify connector settings.

    • Crawler: Configure data extraction.

    • Access Instructions: Add notes on how data can be accessed.

    • Business Glossary Settings: Manage term associations at the connector level.

    • Lineage: Configure Server Dialects for source code parsing and Connector Priority for table lineage connection.

    • Others: Configure notification recipients for metadata changes.

  • Build Lineage: Automatically build data lineage using source code parsing.

  • Delete Connector: Remove a connector with confirmation.

Limitations

Power BI Embedded – Embed Token Limitations

| Sl. No. | Scenario | Limitation |
| --- | --- | --- |
| 1 | Dedicated Capacity (A, EM, P SKU) | No published limit on the number of embed tokens that can be generated. Embed token usage can be monitored using the “Available Features” API. |
| 2 | Shared Capacity / Pro / PPU Licensing | Embed token generation is limited (not published) and intended only for development/testing. Users may receive the error: “You have exceeded the amount of embed token that can be generated on a shared or ProPlus capacity.” |
| 3 | Shared Capacity / Pro / PPU Licensing | Microsoft states embed tokens generated under Pro/PPU are meant only for development testing. To avoid limitations, dedicated capacity (A/EM/P SKU) is required for production embedding. |
| 4 | Embed Token Lifetime | Embed tokens expire automatically. The token lifetime is tied to the Microsoft Entra ID access token used during token generation and is typically valid for approximately one hour. The expiration duration cannot be extended. |
| 5 | My Workspace Limitation | Embed tokens cannot be generated for reports or content stored in My Workspace. Reports must be located in a Power BI Workspace (App Workspace). |
| 6 | Workspace Permission Requirement | The configured Service Principal or Service User must be a member of the workspace containing the report and semantic model. If reports and semantic models exist in different workspaces, access permissions are required for all associated workspaces. |
| 7 | Workspace Capacity Requirement | For production embedding scenarios, the workspace must be assigned to Power BI Embedded or Premium capacity. Without dedicated capacity, embedding capabilities are intended only for development and testing purposes. |
| 8 | Token Scope Limitation | Embed tokens are generated only for supported artifacts such as reports, semantic models, and dashboards. Some APIs do not support generating a single embed token for multiple dashboards or tiles simultaneously. |

Power BI REST API – PBIX Export Limitations

| Sl. No. | Limitation Type | Limitation |
| --- | --- | --- |
| 1 | Report Type Limitation | Reports created directly in Power BI Service (online editing) cannot be exported as .pbix using REST API. |
| 2 | Report Type Limitation | Reports using Live Connection / DirectQuery to another dataset do not support PBIX export. |
| 3 | Report Type Limitation | Reports using Dataflows, Analysis Services live connection, or composite models cannot be exported using REST API. |
| 4 | File Size Limitation | Exporting large PBIX files (greater than 1 GB uncompressed) may fail or time out. Microsoft does not officially guarantee export success beyond approximately 500 MB. |
| 5 | Download Permission Requirement | PBIX export operations require the Download .pbix option to be enabled in the workspace or report settings. If the tenant administrator disables PBIX downloads, the REST API export operation fails. |
| 6 | Sensitivity Label Limitation | Reports configured with Microsoft Information Protection (MIP) sensitivity labels may restrict or block PBIX export operations depending on tenant-level security configurations. |
| 7 | Composite Model Limitation | Some complex composite models, particularly models referencing external semantic models, may not support PBIX export operations through REST APIs. |
| 8 | Workspace Permission Requirement | To export PBIX files through REST APIs, the configured Service Principal or Service User must have one of the following workspace roles: Admin, Member, or Contributor. Viewer access does not support PBIX export operations. |
| 9 | Export Scope Limitation | REST API export operations support report export only. Export operations are not supported for dashboards, individual visuals, or semantic models independently. |

Power BI Azure DevOps PBIP – Extraction Limitations

| Sl. No. | Limitation Type | Limitation |
| --- | --- | --- |
| 1 | Project Scope Limitation | Currently supports processing for a single project within a connection. Support for multiple projects within the same connection is not available. |
| 2 | Duplicate Report Name Limitation | Due to ambiguity in identifying reports with identical names across multiple repositories, such reports are skipped during PBIP extraction. This avoids incorrect metadata mapping and may require manual review using crawl logs. |

FAQs

What is the impact of renaming a Power BI workspace on curated metadata?

Renaming a Power BI workspace does not inactivate or delete curated metadata in OvalEdge.

  • The workspace name is updated after re-crawl

  • The external reference ID remains unchanged

  • Existing objects remain active

  • Curated metadata (tags, descriptions, glossary terms, etc.) is retained.

Recommendation: It is safe to rename workspaces at the source. However, it is recommended to validate the change in a development or test environment before applying it in production.


Copyright © 2025, OvalEdge LLC, Peachtree Corners GA USA
