Fabric Integration via Service Principal

This guide describes the technical prerequisites for setting up an integration between Zenity and Fabric, using a customer-managed Service Principal for authentication.

Goal:

  1. Create and set up an application that will be used by Zenity for data collection.
  2. Register the application you created as a Power Platform administrator. Today, the only way to register your application is programmatically, using a tenant administrator user.

Note that we will grant the application the “System Administrator” security role on each of the tenant’s Power Platform environments.

In this document, you will find both a quick guide and a step-by-step guide.

Quick guide

A short summary of the steps required to set up your integration.

Step 1: Create an Azure AD application

  1. Create a single-tenant Azure AD application
  2. Create a client secret for your application and keep the generated value
  3. Enable the following application permissions under API permissions:
    • Microsoft Graph: GroupMember.Read.All, User.Read.All, InformationProtectionPolicy.Read.All
  4. Grant admin consent for your organization

Step 2: Create an Azure AD security group

  1. Create a security group in Microsoft Entra (AAD) with the following configuration:
    • Group type: Security
    • Membership type: Assigned
    • Members: Select the service principal you created in Step 1

Step 3: Enable the Fabric service admin settings

Enable the following settings in the Fabric Admin portal for the security group you created in Step 2:

  • Allow service principals to use Power BI APIs
  • Allow service principals to use read-only admin APIs
  • Enhance admin APIs responses with detailed metadata
  • Enhance admin APIs responses with DAX and mashup expressions

Step 4: Create the integration in Zenity portal

  1. Sign in to the Zenity portal, go to the Integrations page, and click CREATE NEW
  2. Select the Fabric platform and the Service Principal method
  3. Provide your Tenant ID, Application (client) ID, and client secret

Step-by-step guide

Detailed instructions on how to set up your integration.

Step 1: Create an Azure AD application

Open the Azure AD portal.

  1. Create an Azure AD application

    1. Select App registration
    2. Click New registration
    3. Select a display name
    4. Under Supported account types choose Accounts in this organizational directory only (<tenant> only - Single tenant)
    5. Click Register to complete
  2. Get the application’s client ID

    1. Open the application page in Azure AD
    2. Copy the ID under Application (client) ID
  3. Create a client secret for your application

    1. Open the application page in Azure AD
    2. Select Certificates & secrets
    3. Select Client secrets tab
    4. Click New client secret
    5. For Description, choose a descriptive name to represent the secret
    6. For Expires, choose an expiration time of 24 months (once the secret has expired, you will need to create a new one and update it in your Zenity integration)
    7. Click Add to complete
    8. Keep the generated secret
  4. Set up permissions

    1. Open the application page in Azure AD

    2. Select API permissions

    3. Click Add a permission and enable the following permissions:

    • Under Microsoft Graph, Application permissions, choose GroupMember.Read.All, User.Read.All, InformationProtectionPolicy.Read.All
  5. Under API permissions, verify that the assigned permissions are those listed above, and click Grant admin consent for <tenant>
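
An added example, not part of the original guide or of Zenity's tooling: a Python check that the app registration from Step 1 is single-tenant, carries exactly the three Graph application permissions with consent, and has a client secret that is not about to expire. It assumes you pass in the application object as returned by Microsoft Graph and the claims of an app-only access token requested for Graph; the function names, the 30-day warning threshold and all sample values are constructed for illustration.

```python
import base64, json
from datetime import datetime, timedelta, timezone

# Microsoft Graph application permissions requested in Step 1 of this guide.
REQUIRED_ROLES = {"GroupMember.Read.All", "User.Read.All",
                  "InformationProtectionPolicy.Read.All"}

def jwt_claims(token):
    """Decode a JWT payload for inspection only (signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit(app, claims, tenant_id, now, warn_days=30):
    """Return findings; an empty list means the setup matches the guide."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":   # single-tenant value
        findings.append("app registration is not single-tenant")
    if claims.get("tid") != tenant_id:
        findings.append("token was issued by a different tenant")
    roles = set(claims.get("roles", []))              # consented app permissions
    findings += [f"missing permission or consent: {r}"
                 for r in sorted(REQUIRED_ROLES - roles)]
    findings += [f"permission beyond the guide: {r}"
                 for r in sorted(roles - REQUIRED_ROLES)]
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append(f"secret expired: {cred['displayName']}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret expires within {warn_days} days: {cred['displayName']}")
    return findings

# --- Constructed sample data (not from a real tenant) ---
def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN = ".".join([_seg({"typ": "JWT"}), _seg({
    "tid": TENANT,
    "roles": ["GroupMember.Read.All", "User.Read.All", "Directory.ReadWrite.All"],
}), "unsigned"])
SAMPLE_APP = {"signInAudience": "AzureADMyOrg", "passwordCredentials": [
    {"displayName": "zenity-fabric", "endDateTime": "2026-01-15T00:00:00Z"}]}
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit(SAMPLE_APP, jwt_claims(SAMPLE_TOKEN), TENANT, NOW):
        print(finding)
```

A missing role usually means the permission was added but admin consent was never granted; an extra role means the app holds more than this integration needs.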

Step 2: Create an Azure AD security group

Your service principal doesn’t have access to any of your Fabric content and APIs. In order to provide the service principal application access to Fabric content and APIs, do the following:

  • Create a security group in Microsoft Entra (AAD) with the following configuration:
    • Group type: Security
    • Group name: zenity-pbi-spn
    • Microsoft Entra roles can be assigned to the group: No
    • Membership type: Assigned
    • Members: Select the service principal you created in Step 1

Step 3: Enable the Fabric service admin settings

For an Azure AD app to access the Fabric content and APIs, a Fabric admin needs to enable the following settings:

  • Allow Zenity service principal to use Fabric APIs

Enter the Fabric Admin portal

Admin Portal: https://app.powerbi.com/admin-portal

Allow service principals to use Fabric APIs

  • Enable “Allow service principals to use Power BI APIs” in apps for the specific security group you created in Azure AD.

  • Enable “Allow service principals to use read-only admin APIs” in apps for the specific security group you created in Azure AD.

  • Enable “Enhance admin APIs responses with detailed metadata” in apps for the specific security group you created in Azure AD.

  • Enable “Enhance admin APIs responses with DAX and mashup expressions” in apps for the specific security group you created in Azure AD.

Step 4: Create the integration in Zenity portal

Retrieve the following details from your Azure Active Directory:

  • Your AAD tenant ID
  • The Application (client) ID of the service principal you created in Step 1
  • The client secret you created in Step 1

Sign in to the Zenity portal, go to the Integrations page, click CREATE NEW, and provide the details.

IPs Whitelisting Consideration

In our ongoing efforts to enhance the security and reliability of our software, we will be updating the public IP addresses used by our Services and APIs. If your company policy requires you to safelist IP addresses for your inbound integrations, please make sure these IPs are safelisted.