OAuth Permissions and Endpoints

Required Permissions and Endpoint Domains for Microsoft Power BI XMLA

When integrating with Microsoft Power BI XMLA, your application needs specific permissions to interact with the API. This topic provides information about the required OAuth permissions and endpoint domains for the Microsoft Power BI XMLA provider.

Understanding Permissions

Microsoft Power BI XMLA uses different permission models depending on the authentication method:

User-based authentication (AzureAD): The embedded OAuth application automatically requests the required Delegated permissions. If you register a custom OAuth application, you must add the Delegated permissions Dataset.Read.All and Workspace.Read.All in Microsoft Entra ID.
Service Principal authentication (AzureServicePrincipal or AzureServicePrincipalCert): No API permissions are required in Microsoft Entra ID. Access is controlled through Power BI Admin settings and workspace role assignments.

Required Permissions for Microsoft Power BI XMLA

If you register a custom OAuth application for AzureAD authentication, add the following Delegated permissions in Microsoft Entra ID:


Permission	Type	Description
Dataset.Read.All	Delegated	Grants the app permission to read datasets in all workspaces accessible to the signed-in user..
Workspace.Read.All	Delegated	Grants the app permission to read metadata for all workspaces accessible to the signed-in user.

Understanding Endpoint Domains

Endpoint domains are the specific URLs that the application needs to communicate with in order to authenticate, retrieve records, and perform other essential operations. Allowlisting these domains ensures that the network traffic between your application and the API is not blocked by firewalls or security settings.

Note: Most users do not need to make any special configurations. Allowlisting is typically only necessary for environments with strict security measures, such as restricted outbound network traffic.

Required Endpoint Domains for Microsoft Power BI XMLA