Skip to Content
ReferencesAuth ProvidersMicrosoft Power BI

Microsoft Power BI

Microsoft Power BI is a dedicated Microsoft , separate from the general-purpose Microsoft (Graph) provider. To use it, create a custom auth provider of type Microsoft Power BI with your own Microsoft Entra (Azure AD) OAuth 2.0 credentials as described below.

The Microsoft Power BI enables tools and to call the Power BI REST API  on behalf of a .

It authorizes against the Power BI Service resource (https://analysis.windows.net/powerbi/api) and reuses Microsoft’s Entra ID endpoints, but on its own connection. Keeping Power BI on a dedicated provider means its resource scopes never mix with the Microsoft Graph scopes used by the general-purpose Microsoft provider. Requesting Power BI and Graph scopes together in a single authorize request mixes token audiences and causes Microsoft Entra to reject the sign-in with AADSTS70011 (The provided value for the input parameter scope is not valid).

What’s documented here

This page describes how to use and configure Microsoft Power BI auth with Arcade.

This is used by:

  • The Arcade Power BI Server, which discovers workspaces, datasets, and reports; inspects and queries semantic models with DAX; and manages dataset refreshes
  • Your app code that needs to call Power BI REST APIs
  • Or, your custom tools that need to call Power BI REST APIs

Power BI Service scopes only. The Entra app behind this provider must carry Power BI Service delegated permissions and nothing else. Do not add a Microsoft Graph permission (e.g. User.Read) or a Microsoft Fabric permission (api.fabric.microsoft.com). Any non–Power BI scope mixes token audiences on the Power BI connection and triggers AADSTS70011 at authorize time.

Configuring Microsoft Power BI auth

When using your own app credentials, make sure you configure your to use a custom user verifier. Without this, your end-users will not be able to use your app or in production.

In a production environment, you will most likely want to use your own Microsoft app credentials. This way, your will see your application’s name requesting permission.

Before showing how to configure your Power BI app credentials, let’s go through the steps to create a Microsoft Entra app.

Create a Microsoft Entra app

  • Follow Microsoft’s guide to registering an app with the Microsoft identity platform .
  • Set the redirect URL to the redirect URL generated by Arcade (see below).
  • Under API permissions, add the Power BI Service delegated permissions listed in the section below — and only those. Then Grant admin consent for the permissions.
  • Copy the client ID and client secret to use below.

Do not add any Microsoft Graph or Microsoft Fabric permission to this app. If you previously added one (or changed any permission), delete and recreate the ’s connection in Arcade after fixing the app so a fresh, single-resource token is minted.

Power BI Service scopes

Add the following Power BI Service (https://analysis.windows.net/powerbi/api) delegated permissions to your Entra app. These cover the permissions used by the Arcade Power BI Server:

PermissionUsed for
Workspace.Read.AllListing workspaces and reading the signed-in user
Dataset.Read.AllListing datasets, reading schemas, running DAX
Dataset.ReadWrite.AllTriggering dataset refreshes
Report.Read.AllListing and reading reports

In addition, add the standard OpenID Connect permissions openid, profile, and offline_access (the last is required to issue refresh tokens).

Individual request only the specific Power BI scope each endpoint needs at call time. You do not configure scopes on the Arcade provider itself (see below). Write capability is governed entirely by the ’s OAuth scopes: a user without a *.ReadWrite.All permission receives a 403 from the API on a write call.

To enable schema inspection and DAX queries, an administrator must also turn on the Dataset Execute Queries REST API setting (a.k.a. Semantic Model Execute Queries) in the Power BI admin portal.

Next, add the Power BI app to Arcade.

Configuring your own Microsoft Power BI Auth Provider in Arcade

Configure Microsoft Power BI Auth Using the Arcade Dashboard GUI

Access the Arcade Dashboard

To access the Arcade Cloud dashboard, go to api.arcade.dev/dashboard . If you are self-hosting, by default the dashboard will be available at http://localhost:9099/dashboard . Adjust the host and port number to match your environment.

  • Under the Connections section of the Arcade Dashboard left-side menu, click Connected Apps.
  • Click Add OAuth Provider in the top right corner.
  • Select the Included Providers tab at the top.
  • In the Provider dropdown, select Microsoft Power BI.

Enter the provider details

  • Choose a unique ID for your provider (e.g. “my-powerbi-provider”).
  • Optionally enter a Description.
  • Enter the Client ID and Client Secret from your Microsoft Entra app.
  • Leave the Scopes field empty. Each requests its own Power BI scopes at call time; the provider carries only the client ID and secret. Entering scopes here can send Entra a mixed or invalid scope set in one authorize request and trigger AADSTS70011.
  • Note the Redirect URL generated by Arcade. This must be set as your Microsoft Entra app’s redirect URL.

Create the provider

Hit the Create button and the provider will be ready to be used.

When you use tools that require Microsoft Power BI auth using your Arcade credentials, Arcade will automatically use this provider. If you have multiple Microsoft Power BI providers, see using multiple auth providers of the same type for more information.

Using Microsoft Power BI auth in app code

Use the Microsoft Power BI in your own and AI apps to get a token for the Power BI REST API. See authorizing agents with Arcade to understand how this works.

Use client.auth.start() with the microsoft-powerbi provider to get a token for Power BI APIs:

Python
from arcadepy import Arcade client = Arcade() # Automatically finds the `ARCADE_API_KEY` env variable user_id = "{arcade_user_id}" # Start the authorization process auth_response = client.auth.start( user_id=user_id, provider="microsoft-powerbi", scopes=[ "https://analysis.windows.net/powerbi/api/Workspace.Read.All", "https://analysis.windows.net/powerbi/api/Dataset.Read.All", ], ) if auth_response.status != "completed": print("Please complete the authorization challenge in your browser:") print(auth_response.url) # Wait for the authorization to complete auth_response = client.auth.wait_for_completion(auth_response) token = auth_response.context.token # TODO: Do something interesting with the token...

Using Microsoft Power BI auth in custom tools

You can author your own custom tools that interact with the Power BI REST API.

Power BI is a Microsoft provider with a distinct provider_id, so mark a as requiring it by subclassing the Microsoft auth class and overriding provider_id to microsoft-powerbi. This routes authorization to your dedicated Power BI provider and keeps the connection on Power BI Service tokens only. The context.authorization.token field will be automatically populated with the ’s Power BI token:

Python
from typing import Annotated import httpx from arcade_tdk import ToolContext, tool from arcade_tdk.auth import Microsoft class MicrosoftPowerBI(Microsoft): """Microsoft OAuth bound to the dedicated `microsoft-powerbi` provider.""" provider_id: str = "microsoft-powerbi" @tool( requires_auth=MicrosoftPowerBI( scopes=["https://analysis.windows.net/powerbi/api/Dataset.Read.All"], ) ) async def list_datasets( context: ToolContext, group_id: Annotated[str, "The ID of the workspace to list datasets from"], ) -> Annotated[dict, "The datasets in the workspace"]: """List the datasets in a Power BI workspace.""" url = f"https://api.powerbi.com/v1.0/myorg/groups/{group_id}/datasets" headers = {"Authorization": f"Bearer {context.authorization.token}"} async with httpx.AsyncClient() as client: response = await client.get(url=url, headers=headers) response.raise_for_status() return response.json()
Last updated on