OAuth Permissions and Endpoints
Required Permissions and Endpoint Domains for Microsoft Power BI XMLA
When integrating with Microsoft Power BI XMLA, your application needs specific permissions to interact with the API. This topic provides information about the required OAuth permissions and endpoint domains for the Microsoft Power BI XMLA server.
Understanding Permissions
Microsoft Power BI XMLA does not use traditional OAuth scopes (like read, write, or admin) in the way that some APIs do. Instead, access is granted by assigning specific API permissions to your Microsoft Entra application registration.
These permissions fall into two categories:
- Delegated permissions are used when a signed-in user is present. The app acts on behalf of that user.
- Application permissions are used when no user is present. The app runs as itself, often as a background service or daemon.
Power BI XMLA only supports Application permissions. You must configure your OAuth application to request Application permissions, not Delegated permissions.
Note: Admin consent is required to enable Application permissions in your Microsoft Entra tenant.
Required Permissions for Microsoft Power BI XMLA
Your OAuth application must request the following Application permissions from Microsoft Entra ID:
| Permission | Type | Description |
| Dataset.Read.All | Application | Grants the app permission to read datasets in all workspaces. |
| Workspace.Read.All | Application | Grants the app permission to read metadata for all workspaces. |
Understanding Endpoint Domains
Endpoint domains are the specific URLs that the application needs to communicate with in order to authenticate, retrieve records, and perform other essential operations. Allowlisting these domains ensures that the network traffic between your application and the API is not blocked by firewalls or security settings.
Note: Most users do not need to make any special configurations. Allowlisting is typically only necessary for environments with strict security measures, such as restricted outbound network traffic.
Required Endpoint Domains for Microsoft Power BI XMLA
| Domain | Always Required | Description |
| api.powerbi.com | FALSE | If AzureEnvironment=GLOBAL (default) |
| api.powerbigov.us | FALSE | If AzureEnvironment=USGOVT |
| api.high.powerbigov.us | FALSE | If AzureEnvironment=USGOVTHIGH |
| api.mil.powerbigov.us | FALSE | If AzureEnvironment=USGOVTDOD |
| *.pbidedicated.windows.net | FALSE | If AzureEnvironmnet=GLOBAL (default); the exact cluster used (added in the *) is determined by calling the api.powerbi.com |
| *.pbidedicated.usgovcloudapi.net | FALSE | If AzureEnvironment=USGOVT, USGOVTHIGH, or USGOVTDOD; the exact cluster used (added in the *) is determined by calling the api.* endpoint |
| login.microsoftonline.com | FALSE | If AzureEnvironment=GLOBAL (default) |
| login.microsoftonline.us | FALSE | If AzureEnvironment=USGOVT, USGOVTHIGH, or USGOVTDOD |