Creating a Custom OAuth App
Creating an Azure AD Application
Microsoft Power BI XMLA supports user-based authentication using Azure AD. This authentication is OAuth-based.CData embeds OAuth Application Credentials with CData branding that can be used when connecting to Microsoft Power BI XMLA via a desktop application or a headless machine. To connect to Microsoft Power BI XMLA via the Web, you must always create a custom application, as described here.
However, since custom Azure AD applications seamlessly support all three commonly-used authentication flows, you might want to create a custom application (use your own Azure AD Applications Credentials) for those other authentication flows.
Custom OAuth applications are useful if you want to:
- Control branding of the authentication dialog.
- Control the redirect URI that the application redirects the user to after the user authenticates.
- Customize the permissions that you are requesting from the user.
Authenticating With Azure AD
In https://portal.azure.com:- In the left-hand navigation pane, select Azure Active Directory > App registrations.
- Click New registration.
- Enter a name for the application.
-
Specify the types of accounts this application should support:
- For private use applications, select Accounts in this organization directory only.
- For distributed applications, select one of the multi-tenant options.
Note: If you select Accounts in this organizational directory only (default), when you establish a connection with CData JDBC Driver for Microsoft Power BI XMLA you must set AzureTenant to the Id of the Azure AD Tenant. Otherwise, the authentication attempt fails.
- Set the redirect URI to http://localhost:33333 (default) OR, if you want to specify a different port, specify the desired port and set CallbackURL to the exact reply URL you just defined.
- To register the new application, click Register. An application management screen displays. Record these values for later use. (You will use the Application (client) ID value to set the OAuthClientId parameters, and the Directory (tenant) ID value to set the AzureTenant parameter.)
- Navigate to Certificates & Secrets. Select New Client Secret for this application and specify the desired duration. After the client secret is saved, the Azure App Registration displays the key value. This value is displayed only once, so record it for future use. (You will use it to set the OAuthClientSecret.)
- Select Power BI Service -> Delegated Permissions -> Dataset.Read.All and Workspace.Read.All.
- If you have specified the use of permissions that require admin consent (such as the Application Permissions), you can grant them from the current tenant on the API Permissions page.
Granting Admin Consent
Some custom applications require administrative permissions to operate within an Azure Active Directory tenant. Admin consent can be granted when creating a new custom Azure AD application, by adding relevant permissions that are already marked with "Admin Consent Required". Admin consent is also required to use Client Credentials in the authentication flow.To grant admin consent:
- Have an admin log in to https://portal.azure.com.
- Navigate to App Registrations and find the custom Azure AD application you created.
- Under API Permissions, click Grant Consent and follow the wizard.
Creating an Azure AD Application
Microsoft Power BI XMLA supports user-based authentication using Azure AD. This authentication is OAuth-based.CData embeds OAuth Application Credentials with CData branding that can be used when connecting to Microsoft Power BI XMLA via a desktop application or a headless machine. To connect to Microsoft Power BI XMLA via the Web, you must always create a custom application, as described here.
However, since custom Azure AD applications seamlessly support all three commonly-used authentication flows, you might want to create a custom application (use your own Azure AD Applications Credentials) for those other authentication flows.
Custom OAuth applications are useful if you want to:
- Control branding of the authentication dialog.
- Control the redirect URI that the application redirects the user to after the user authenticates.
- Customize the permissions that you are requesting from the user.
Authenticating With Azure AD
In https://portal.azure.com:- In the left-hand navigation pane, select Azure Active Directory > App registrations.
- Click New registration.
- Enter a name for the application.
-
Specify the types of accounts this application should support:
- For private use applications, select Accounts in this organization directory only.
- For distributed applications, select one of the multi-tenant options.
Note: If you select Accounts in this organizational directory only (default), when you establish a connection with CData JDBC Driver for Microsoft Power BI XMLA you must set AzureTenant to the Id of the Azure AD Tenant. Otherwise, the authentication attempt fails.
- Set the redirect URI to http://localhost:33333 (default) OR, if you want to specify a different port, specify the desired port and set CallbackURL to the exact reply URL you just defined.
- To register the new application, click Register. An application management screen displays. Record these values for later use. (You will use the Application (client) ID value to set the OAuthClientId parameters, and the Directory (tenant) ID value to set the AzureTenant parameter.)
- Navigate to Certificates & Secrets. Select New Client Secret for this application and specify the desired duration. After the client secret is saved, the Azure App Registration displays the key value. This value is displayed only once, so record it for future use. (You will use it to set the OAuthClientSecret.)
- Select Power BI Service -> Delegated Permissions -> Dataset.Read.All and Workspace.Read.All.
- If you have specified the use of permissions that require admin consent (such as the Application Permissions), you can grant them from the current tenant on the API Permissions page.
Granting Admin Consent
Some custom applications require administrative permissions to operate within an Azure Active Directory tenant. Admin consent can be granted when creating a new custom Azure AD application, by adding relevant permissions that are already marked with "Admin Consent Required". Admin consent is also required to use Client Credentials in the authentication flow.To grant admin consent:
- Have an admin log in to https://portal.azure.com.
- Navigate to App Registrations and find the custom Azure AD application you created.
- Under API Permissions, click Grant Consent and follow the wizard.