How to Connect Power BI to Azure Active Directory

Connecting Power BI to Azure Active Directory is the key to managing data access and security at scale for your business intelligence environment. Done right, this integration gives you centralized control over who sees what, streamlining user management and putting robust security policies in place. This guide walks you through exactly how to set up and manage the connection for both everyday users and custom applications.

Why Connect Power BI to Azure Active Directory?

Before diving into the "how," let's quickly cover the "why." Linking Power BI with what is now called Microsoft Entra ID brings several critical benefits that move your analytics from an isolated tool to a fully integrated and secure part of your IT ecosystem. Think of it as giving your data a gatekeeper that already knows every employee and their role.

• Centralized Identity Management: Forget managing users separately in Power BI. When a new person joins your company and gets an account in Azure AD, their access to Power BI can be provisioned automatically. When they leave, their access is revoked from one central place, eliminating security risks from forgotten accounts.
• Single Sign-On (SSO): This is a massive user experience win. Once logged into their company account (like Office 365), users can access their Power BI reports and dashboards without needing to log in again. This seamless access encourages adoption and reduces password fatigue.
• Enhanced Security with Conditional Access: Because Power BI becomes an application recognized by Azure AD, you can apply powerful security policies. For example, you can require multi-factor authentication (MFA) to access sensitive financial dashboards, restrict access from unmanaged devices, or block logins from specific geographic locations.
• Simplified Access Management with Security Groups: Instead of assigning permissions to individual users in every Power BI workspace, you can assign them to Azure AD Security Groups. Need to give the entire sales team access to the new sales pipeline report? Add the "Sales Team" security group to the workspace. One simple action grants access to everyone in that group instantly.

Prerequisites You'll Need

To follow along, make sure you have the following in place. Getting these sorted out first will save you a lot of trouble down the line.

• A Power BI Pro or Premium license: While you can have a free Power BI account, sharing and advanced management features require a paid license.
• An Azure AD (Microsoft Entra ID) subscription: Most organizations using Microsoft 365 already have this. The free tier is sufficient for basic connections, but advanced features like Conditional Access Policies require Premium P1 or P2 licenses.
• Administrator Privileges: You'll need credentials for an account that has at least partial admin rights in both Power BI and Azure. Specifically, a Power BI Administrator role for certain settings and a role like Application Administrator or Global Administrator in Azure AD to register applications.

A Quick Note on Renaming: Azure AD is Now Microsoft Entra ID

Microsoft has recently rebranded Azure Active Directory to Microsoft Entra ID. While the name has changed, the functionality and IDs (like Tenant ID and Client ID) remain the same. In the Azure portal and documentation, you'll see "Microsoft Entra ID," but many people still search for and refer to it as "Azure AD." We'll use both terms in this guide for clarity.

Method 1: The Default Connection for Standard Users

The good news is that for most organizations, the basic connection between Power BI and Azure Active Directory is automatic. If your organization uses Microsoft 365 or Azure, your Power BI account is inherently tied to your company's directory, or "tenant."

When you or a user in your company signs up for Power BI using an organizational email address (like your.name@yourcompany.com), Power BI automatically provisions that user within your company's existing Azure AD tenant. You don't have to perform any extra steps to link them.

How to Verify Your Power BI Tenant Information

You can quickly confirm that your account is correctly associated with your organization's directory:

1. Log in to the Power BI Service at app.powerbi.com.
2. In the top-right corner, click the question mark icon (?) and select About Power BI.
3. A dialog box will appear showing details about your account, including a Tenant URL. It will look something like this: app.powerbi.com?ctid=xxxx-xxxx-xxxx-xxxx. The long alphanumeric string is your Directory (Tenant) ID. This confirms Power BI is part of your specific Azure AD tenant.

For day-to-day use, this automatic link is all you need. You can start creating security groups in Azure AD and assigning them access to your Power BI workspaces. But what if you need to connect an application or a script to Power BI? That's where app registration comes in.

Method 2: App Registration for Custom Applications and Embedding

This is the more technical approach required for programmatic access. You'll need to do this if you are:

• Building a custom application that embeds Power BI content.
• Automating administrative tasks using the Power BI REST APIs (e.g., scripting a workspace export).
• Connecting a third-party service that needs to authenticate with Power BI on the backend.

This process involves creating an "identity" for your application within Azure AD so that Power BI trusts it to perform actions.

Step 1: Register an Application in Microsoft Entra ID

First, we’ll register our application with the Microsoft identity platform.

1. Sign into the Azure portal.
2. Navigate to Microsoft Entra ID (you can search for it in the top bar).
3. On the left-hand menu, select App registrations.
4. Click + New registration at the top.
5. Give it a Name: Choose a clear, descriptive name your team will recognize, like "Power BI Analytics Embed App" or "Marketing Reporting Automation."
6. Select Supported account types: For most internal apps, the default "Accounts in this organizational directory only (Single tenant)" is the right choice.
7. Redirect URI (optional for service apps): You can leave this blank for now if you're building a backend process. If it's a web app, you would add the URL a user gets redirected to after signing in. A common placeholder is http://localhost for local development.
8. Click Register.

Step 2: Collect Your Essential IDs

Once registered, you'll land on your application’s overview page. There are two critical pieces of information you need to copy and save somewhere safe:

• Application (client) ID: This is the unique identifier for your app. Think of it as your application's username.
• Directory (tenant) ID: This identifies your company's Azure AD instance.

You'll need these credentials in any script or application you use to authenticate against Power BI.

Step 3: Create a Client Secret

Next, your application needs a password to prove its identity. In Azure AD, this is called a client secret.

1. In your new app registration's menu, click on Certificates & secrets.
2. Click on + New client secret.
3. Provide a description (e.g., "Initial Secret for Reporting App") and choose an expiration period. Note: For security best practices, avoid setting secrets to never expire. A shorter duration like 6 or 12 months is recommended, but you’ll need to have a process to rotate them before they expire.
4. Click Add.

IMPORTANT: Your new client secret value will appear on the screen. Copy it immediately and store it in a secure location like Azure Key Vault or your password manager. Once you navigate away from this page, you will never be able to view it again.

Step 4: Grant API Permissions for Power BI Service

So far, your app has an identity but no permissions. Now we need to tell Azure AD what your app is allowed to do in Power BI.

1. From your app registration page, go to API permissions in the left menu.
2. Click + Add a permission.
3. A panel will appear. Select the Power BI Service API.
4. Next, you'll choose the type of permission. This is a critical step:
5. Select the specific permissions needed. For example, for a read-only app, you might choose Report.Read.All and Workspace.Read.All. If you need to refresh datasets, you'd add Dataset.ReadWrite.All. Don't grant more permissions than necessary.
6. After adding the permissions, click Add permissions.
7. Finally, you'll need to grant consent. Click the Grant admin consent for [Your Company Name] button and confirm. This authorizes the application to use the permissions you've just assigned across your entire organization. The status will turn to a green-ticked "Granted."

With your Client ID, Tenant ID, and Client Secret, your application can now authenticate with the Microsoft identity platform and perform the actions you allowed against the Power BI APIs.

Final Thoughts

Connecting Power BI and Azure Active Directory is essential for building a secure and scalable analytics environment. Whether relying on the automatic user provisioning for everyday BI consumers or setting up a detailed app registration for custom solutions, this integration forms the backbone of enterprise-level data governance and simplified user management.

Building secure and robust data pipelines is a serious undertaking, central to how modern teams operate. For our own reporting, we sometimes needed a way to get answers from our various marketing and sales platforms (like Google Analytics, Shopify, and Salesforce) without needing deep technical configuration or hours spent wrangling spreadsheets. That's why we built Graphed—a tool that allows us to simply connect our data sources and create real-time dashboards using plain English, giving us instant visibility without the extensive setup.