Skip to Content
ReferencesAuth ProvidersMicrosoft Power BI

Microsoft Power BI

Microsoft Power BI is a dedicated , separate from the general-purpose Microsoft provider. To use it, create a custom auth provider of type Microsoft Power BI with your own Microsoft Entra (Azure AD) OAuth 2.0 credentials as described below.

The Microsoft Power BI enables tools and to call the Power BI REST API  on behalf of a .

Power BI has its own provider so that its permissions stay separate from the Microsoft Graph permissions used by the general-purpose Microsoft provider. Mixing the two breaks authorization — if you want to know why, see Advanced: token audiences and troubleshooting at the end of this page.

What’s documented here

This page describes how to use and configure Microsoft Power BI auth with Arcade.

This is used by:

  • The Arcade Power BI Server, which discovers workspaces, datasets, and reports; inspects and queries semantic models with DAX; and manages dataset refreshes
  • Your app code that needs to call Power BI REST APIs
  • Or, your custom tools that need to call Power BI REST APIs

Configuring Microsoft Power BI auth

When using your own app credentials, make sure you configure your to use a custom user verifier. Without this, your end-users will not be able to use your app or in production.

In a production environment, you will most likely want to use your own Microsoft app credentials. This way, your will see your application’s name requesting permission.

Before showing how to configure your Power BI app credentials, let’s go through the steps to create a Microsoft Entra app.

Create a Microsoft Entra app

  • Follow Microsoft’s guide to registering an app with the Microsoft identity platform .
  • Set the redirect URL to the redirect URL generated by Arcade (see below).
  • Under API permissions, add the Power BI Service delegated permissions listed in the section below. Then Grant admin consent for the permissions.
  • Copy the client ID and client secret to use below.

Add only the Power BI Service permissions listed below to this app — do not add permissions from other Microsoft APIs, such as Microsoft Graph’s User.Read. Mixing permissions from different Microsoft APIs on this app causes sign-in failures (see the Advanced section).

Power BI Service scopes

Add the following Power BI Service delegated permissions to your Entra app. These cover the permissions used by the Arcade Power BI Server:

PermissionUsed for
Workspace.Read.AllListing workspaces and reading the signed-in user
Dataset.Read.AllListing datasets, reading schemas, running DAX
Dataset.ReadWrite.AllTriggering dataset refreshes
Report.Read.AllListing and reading reports

In addition, add the standard OpenID Connect permissions openid, profile, and offline_access (the last is required to issue refresh tokens).

To enable schema inspection and DAX queries, an administrator must also turn on the Dataset Execute Queries REST API setting (a.k.a. Semantic Model Execute Queries) in the Power BI admin portal.

Next, add the Power BI app to Arcade.

Configuring your own Microsoft Power BI Auth Provider in Arcade

Configure Microsoft Power BI Auth Using the Arcade Dashboard GUI

Access the Arcade Dashboard

To access the Arcade Cloud dashboard, go to api.arcade.dev/dashboard . If you are self-hosting, by default the dashboard will be available at http://localhost:9099/dashboard . Adjust the host and port number to match your environment.

  • Under the Connections section of the Arcade Dashboard left-side menu, click Connected Apps.
  • Click Add OAuth Provider in the top right corner.
  • Select the Included Providers tab at the top.
  • In the Provider dropdown, select Microsoft Power BI.

Enter the provider details

  • Choose a unique ID for your provider (e.g. “my-powerbi-provider”).
  • Optionally enter a Description.
  • Enter the Client ID and Client Secret from your Microsoft Entra app.
  • Leave the Scopes field empty. Each requests the scopes it needs when it runs, so the provider only carries your credentials (see why).
  • Note the Redirect URL generated by Arcade. This must be set as your Microsoft Entra app’s redirect URL.

Create the provider

Hit the Create button and the provider will be ready to be used.

When you use tools that require Microsoft Power BI auth using your Arcade credentials, Arcade will automatically use this provider. If you have multiple Microsoft Power BI providers, see using multiple auth providers of the same type for more information.

Using Microsoft Power BI auth in app code

Use the Microsoft Power BI in your own and AI apps to get a token for the Power BI REST API. See authorizing agents with Arcade to understand how this works.

Use client.auth.start() with the microsoft-powerbi provider to get a token for Power BI APIs:

Python
from arcadepy import Arcade client = Arcade() # Automatically finds the `ARCADE_API_KEY` env variable user_id = "{arcade_user_id}" # Start the authorization process auth_response = client.auth.start( user_id=user_id, provider="microsoft-powerbi", scopes=[ "https://analysis.windows.net/powerbi/api/Workspace.Read.All", "https://analysis.windows.net/powerbi/api/Dataset.Read.All", ], ) if auth_response.status != "completed": print("Please complete the authorization challenge in your browser:") print(auth_response.url) # Wait for the authorization to complete auth_response = client.auth.wait_for_completion(auth_response) token = auth_response.context.token # TODO: Do something interesting with the token...

Using Microsoft Power BI auth in custom tools

You can author your own custom tools that interact with the Power BI REST API.

Power BI is a Microsoft provider with its own provider_id, so mark a as requiring it by subclassing the Microsoft auth class and overriding provider_id to microsoft-powerbi. The context.authorization.token field will be automatically populated with the ’s Power BI token:

Python
from typing import Annotated import httpx from arcade_tdk import ToolContext, tool from arcade_tdk.auth import Microsoft class MicrosoftPowerBI(Microsoft): """Microsoft OAuth bound to the dedicated `microsoft-powerbi` provider.""" provider_id: str = "microsoft-powerbi" @tool( requires_auth=MicrosoftPowerBI( scopes=["https://analysis.windows.net/powerbi/api/Dataset.Read.All"], ) ) async def list_datasets( context: ToolContext, group_id: Annotated[str, "The ID of the workspace to list datasets from"], ) -> Annotated[dict, "The datasets in the workspace"]: """List the datasets in a Power BI workspace.""" url = f"https://api.powerbi.com/v1.0/myorg/groups/{group_id}/datasets" headers = {"Authorization": f"Bearer {context.authorization.token}"} async with httpx.AsyncClient() as client: response = await client.get(url=url, headers=headers) response.raise_for_status() return response.json()

Advanced: token audiences and troubleshooting

For advanced . You do not need this section to complete the setup above. Read it if you want to understand why Power BI needs a dedicated provider, or if you are troubleshooting an authorization error such as AADSTS70011.

Why Power BI needs its own provider

The Power BI provider authorizes against the Power BI Service resource (https://analysis.windows.net/powerbi/api). It reuses Microsoft’s Entra ID endpoints, but on its own connection, separate from the general-purpose Microsoft provider.

A Microsoft Entra access token is issued for a single resource (its audience). Power BI Service and Microsoft Graph are different resources, so a single authorize request cannot mix scopes from both: Entra rejects the sign-in with AADSTS70011 (The provided value for the input parameter scope is not valid). Keeping Power BI on a dedicated provider guarantees every authorize request on that connection carries Power BI Service scopes only.

For the same reason, the Entra app behind this provider must carry Power BI Service delegated permissions and nothing else. Do not add a Microsoft Graph permission (e.g. User.Read) or a Microsoft Fabric permission (api.fabric.microsoft.com) — any non–Power BI scope mixes token audiences on the Power BI connection and triggers AADSTS70011 at authorize time.

Why the provider’s Scopes field stays empty

Individual request only the specific Power BI scope each endpoint needs at call time, so the Arcade provider itself carries only the client ID and secret. Entering scopes on the provider can send Entra a mixed or invalid scope set in one authorize request and trigger AADSTS70011.

Write capability is governed entirely by the ’s OAuth scopes: a user without a *.ReadWrite.All permission receives a 403 from the API on a write call.

Troubleshooting

  • AADSTS70011 at authorize time. The scope set in the authorize request mixes resources or is malformed. Check that the Entra app carries only Power BI Service permissions and that the provider’s Scopes field is empty.
  • Errors after changing the Entra app’s permissions. If you added or removed a permission on the Entra app (including removing a stray Graph or Fabric permission), delete and recreate the ’s connection in Arcade so a fresh, single-resource token is minted.
  • 403 on a write call. The ’s token is missing the corresponding *.ReadWrite.All scope. Re-authorize with the required scope.
Last updated on