## Power BI integration

Integrating Microsoft Power BI with Frontegg allows your application to read and manage datasets, reports, dashboards, workspaces, dataflows, and apps in a Power BI tenant through the Power BI REST API — all via Frontegg's integration layer using Microsoft Entra ID OAuth 2.0.

### Prerequisites

- A Microsoft account with access to the [Azure portal](https://portal.azure.com/)
- A Microsoft Entra ID (Azure AD) tenant where you can register applications
- A Power BI account (Power BI Pro, Premium Per User, or Power BI Premium capacity is required for some endpoints such as dataflows and report export)

### Register an application in Azure

#### Step 1: Open App registrations

Sign in to the [Azure portal](https://portal.azure.com/) and open **App registrations** (you can search for it in the top search bar or open it directly from **Microsoft Entra ID → App registrations**). Click **New registration** at the top of the page.

![App registrations page in Azure portal](/assets/powerbi-1.26865dec38c7eb812792589b90f6868b9eae5956ab3bcef9dbb9354c1ff345f3.1ce25488.png)

#### Step 2: Register a new application

Fill in the registration form:

1. Enter a name for your application (for example, `Frontegg Power BI Integration`).
2. Under **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID tenant — Multitenant)** for multi-tenant apps, or **Accounts in this organizational directory only** for a single-tenant app.
3. Under **Redirect URI**, choose **Web** as the platform and enter:

   ```
   https://YOUR_MCP_GATEWAY_URL/integration-callback
   ```

4. Click **Register**.

![New application registration form with name, multitenant account type, Web platform, and redirect URI filled in](/assets/powerbi-2.111b93cb12b3e674124aff4b1f563da77fd42964e31da4a2abe73cfb97b40420.1ce25488.png)

#### Step 3: Copy the Application (client) ID and Directory (tenant) ID

After registration, you are taken to the application **Overview** page.
Copy both the **Application (client) ID** and the **Directory (tenant) ID** — you will need them when configuring the Frontegg portal.

![Application overview page with Application (client) ID and Directory (tenant) ID highlighted](/assets/powerbi-3.1af9d28e4e608b02c0f01937c20c86ce0173dae9558a6835b731a936bfa80ad8.1ce25488.png)

### Create a client secret

#### Step 4: Open Certificates & secrets

In the left sidebar, under **Manage**, click **Certificates & secrets**. On the **Client secrets** tab, click **New client secret**.

![Certificates and secrets page with New client secret button highlighted](/assets/powerbi-4.2a83409185ef7ca9172442b207755f5d2a1465780c187a9ae27408331a0c65c8.1ce25488.png)

#### Step 5: Add a description and expiry

In the **Add a client secret** panel, enter a description (for example, `Frontegg Integration`) and choose an expiry period. Click **Add**.

![Add a client secret panel with description field filled in and Add button highlighted](/assets/powerbi-5.114c86e7930194fe3d448ae4421ea63209b670c595826bb38f0d146d613e090f.1ce25488.png)

#### Step 6: Copy the client secret value

The new secret appears in the list. Copy the **Value** immediately — it is only shown once. After you navigate away, you cannot retrieve it again.

> **Save your Client Secret now**
>
> The Client Secret value is only displayed once. After you leave this page, you can only see the secret ID — not the value. Store the value securely before continuing.

![Client secret list showing the new secret with value blurred and highlighted](/assets/powerbi-6.f4a7c97830508c546b2be1b4db660287615443f955ae7210597b9e889824899f.1ce25488.png)

### Configure API permissions

#### Step 7: Open API permissions

In the left sidebar, click **API permissions**, then click **Add a permission**.

![API permissions page with Add a permission button highlighted](/assets/powerbi-7.de2768fad439189adc37b10731b2b7d3924c7fff62f465807840ef4bdbbc59ff.1ce25488.png)

#### Step 8: Select Power BI Service

In the **Request API permissions** panel, scroll to **Commonly used Microsoft APIs** and click **Power BI Service**.

![Request API permissions panel with Power BI Service highlighted](/assets/powerbi-8.5225043e30c1b7fb4dcf323ab07462ab789d5e71e878fcc31f35917e03db430c.1ce25488.png)

#### Step 9: Select delegated permissions

Click **Delegated permissions**. Expand each permission group and select the scopes your application requires.

Select the following scopes:

| Scope | Description |
| --- | --- |
| `App.Read.All` | View all Power BI apps the user has access to |
| `Dashboard.Read.All` | Read dashboards |
| `Dashboard.ReadWrite.All` | Read and write dashboards |
| `Dataflow.ReadWrite.All` | Read and write dataflows (Premium or Premium Per User required) |
| `Dataset.Read.All` | View all datasets |
| `Dataset.ReadWrite.All` | Read and write all datasets (create, refresh, delete) |
| `Report.Read.All` | Read reports |
| `Report.ReadWrite.All` | Read and write reports (clone, delete, export) |
| `Workspace.Read.All` | View all workspaces |
| `Workspace.ReadWrite.All` | Read and write all workspaces and their members |

Click **Add permissions**.

> **How Power BI scopes are issued**
>
> Frontegg requests Power BI access using the resource-scoped `https://analysis.windows.net/powerbi/api/.default` scope. Microsoft Entra ID returns the union of all delegated Power BI permissions you have pre-authorized on this app — only the scopes you select here will be included in the issued token.
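
Because the `.default` request returns every delegated Power BI permission pre-authorized on the app, it is worth auditing an issued token against the scopes a deployment is meant to hold. The following is an added example, not Frontegg or Microsoft code: it assumes the access token is a JWT carrying delegated scopes as a space-separated `scp` claim, and `EXPECTED_SCOPES`, `audit_scopes` and `make_sample_token` are hypothetical names, with the sample token constructed inline.

```python
import base64
import json

# Delegated Power BI scopes this deployment is expected to hold (assumption:
# a read-only deployment; adjust to the scopes you selected in Step 9).
EXPECTED_SCOPES = {
    "App.Read.All", "Dashboard.Read.All", "Dataset.Read.All",
    "Report.Read.All", "Workspace.Read.All",
}


def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_scopes(access_token: str, expected: set) -> dict:
    """Compare the token's delegated scopes (`scp` claim) with `expected`.

    Inspection only: the signature is NOT verified here, so never use this
    result for an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three segments)")
    claims = b64url_json(parts[1])
    granted = set(claims.get("scp", "").split())
    return {
        "granted": sorted(granted),
        "unexpected": sorted(granted - expected),
        "missing": sorted(expected - granted),
        "write_capable": sorted(s for s in granted if ".ReadWrite." in s),
    }


def make_sample_token(scopes: list) -> str:
    """Build an unsigned, constructed sample token for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}),
                     enc({"scp": " ".join(scopes)}), "sig"])


if __name__ == "__main__":
    sample = make_sample_token(["Dataset.Read.All", "Report.Read.All",
                                "Workspace.ReadWrite.All"])
    print(json.dumps(audit_scopes(sample, EXPECTED_SCOPES), indent=2))
```

A non-empty `unexpected` or `write_capable` list points to a permission on the app registration that should be removed in Step 9 if the application does not need it.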

![Delegated permissions list with selected Power BI Service scopes](/assets/powerbi-9.ff77a737f3f59bab6438994f7648290cdc7da481ce7ff97e47e6c8f9f838bb33.1ce25488.png)

#### Step 10: Verify configured permissions

After adding permissions, the **API permissions** page lists all configured permissions under **Power BI Service**.

![API permissions page showing all configured Power BI Service permissions](/assets/powerbi-10.2204adca2b2ccb9f17d01ac26243d3f53e7e8422304f45bdc47404363dbf49aa.1ce25488.png)

### Configure the Frontegg portal

Once you have your **Client ID**, **Client Secret**, and **Directory (tenant) ID**, enter them in the Frontegg portal:

1. Open the **Frontegg portal** and navigate to [ENVIRONMENT] → Integrations → Power BI.
2. Enter the **Client ID** and **Client Secret** in the corresponding fields.
3. Optionally, enter the **Directory (tenant) ID**. Leave blank or set to `common` for multi-tenant applications; use a tenant GUID or domain for single-tenant applications.
4. Click **Save**.

> **Keep your credentials secure**
>
> Never share or commit your Client Secret to version control.

### Additional resources

- [Power BI REST API reference](https://learn.microsoft.com/rest/api/power-bi/)
- [Power BI service](https://app.powerbi.com/)
- [Azure portal](https://portal.azure.com/)
- [Microsoft identity platform and OAuth 2.0](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
- [How to get your Redirect URL](/agen-for-work/connectors/redirect-url)