Microsoft Power BI
Microsoft Power BI is a dedicated Microsoft , separate from the general-purpose Microsoft (Graph) provider. To use it, create a custom auth provider of type Microsoft Power BI with your own Microsoft Entra (Azure AD) OAuth 2.0 credentials as described below.
The Microsoft Power BI enables tools and to call the Power BI REST API on behalf of a .
It authorizes against the Power BI Service resource (https://analysis.windows.net/powerbi/api) and reuses Microsoft’s Entra ID endpoints, but on its own connection. Keeping Power BI on a dedicated provider means its resource scopes never mix with the Microsoft Graph scopes used by the general-purpose Microsoft provider. Requesting Power BI and Graph scopes together in a single authorize request mixes token audiences and causes Microsoft Entra to reject the sign-in with AADSTS70011 (The provided value for the input parameter scope is not valid).
What’s documented here
This page describes how to use and configure Microsoft Power BI auth with Arcade.
This is used by:
- The Arcade Power BI Server, which discovers workspaces, datasets, and reports; inspects and queries semantic models with DAX; and manages dataset refreshes
- Your app code that needs to call Power BI REST APIs
- Or, your custom tools that need to call Power BI REST APIs
Power BI Service scopes only. The Entra app behind this provider must carry
Power BI Service delegated permissions and nothing else. Do not add a Microsoft
Graph permission (e.g. User.Read) or a Microsoft Fabric permission
(api.fabric.microsoft.com). Any non–Power BI scope mixes token audiences on the
Power BI connection and triggers AADSTS70011 at authorize time.
Configuring Microsoft Power BI auth
When using your own app credentials, make sure you configure your to use a custom user verifier. Without this, your end-users will not be able to use your app or in production.
In a production environment, you will most likely want to use your own Microsoft app credentials. This way, your will see your application’s name requesting permission.
Before showing how to configure your Power BI app credentials, let’s go through the steps to create a Microsoft Entra app.
Create a Microsoft Entra app
- Follow Microsoft’s guide to registering an app with the Microsoft identity platform .
- Set the redirect URL to the redirect URL generated by Arcade (see below).
- Under API permissions, add the Power BI Service delegated permissions listed in the section below — and only those. Then Grant admin consent for the permissions.
- Copy the client ID and client secret to use below.
Do not add any Microsoft Graph or Microsoft Fabric permission to this app. If you previously added one (or changed any permission), delete and recreate the ’s connection in Arcade after fixing the app so a fresh, single-resource token is minted.
Power BI Service scopes
Add the following Power BI Service (https://analysis.windows.net/powerbi/api) delegated permissions to your Entra app. These cover the permissions used by the Arcade Power BI Server:
| Permission | Used for |
|---|---|
Workspace.Read.All | Listing workspaces and reading the signed-in user |
Dataset.Read.All | Listing datasets, reading schemas, running DAX |
Dataset.ReadWrite.All | Triggering dataset refreshes |
Report.Read.All | Listing and reading reports |
In addition, add the standard OpenID Connect permissions openid, profile, and offline_access (the last is required to issue refresh tokens).
Individual request only the specific Power BI scope each endpoint needs at
call time. You do not configure scopes on the Arcade provider itself (see below).
Write capability is governed entirely by the ’s OAuth scopes: a user without a
*.ReadWrite.All permission receives a 403 from the API on a write call.
To enable schema inspection and DAX queries, an administrator must also turn on the Dataset Execute Queries REST API setting (a.k.a. Semantic Model Execute Queries) in the Power BI admin portal.
Next, add the Power BI app to Arcade.
Configuring your own Microsoft Power BI Auth Provider in Arcade
Dashboard GUI
Configure Microsoft Power BI Auth Using the Arcade Dashboard GUI
Access the Arcade Dashboard
To access the Arcade Cloud dashboard, go to api.arcade.dev/dashboard . If you are self-hosting, by default the dashboard will be available at http://localhost:9099/dashboard . Adjust the host and port number to match your environment.
Navigate to the OAuth Providers page
- Under the Connections section of the Arcade Dashboard left-side menu, click Connected Apps.
- Click Add OAuth Provider in the top right corner.
- Select the Included Providers tab at the top.
- In the Provider dropdown, select Microsoft Power BI.
Enter the provider details
- Choose a unique ID for your provider (e.g. “my-powerbi-provider”).
- Optionally enter a Description.
- Enter the Client ID and Client Secret from your Microsoft Entra app.
- Leave the Scopes field empty. Each requests its own Power BI scopes at call time; the provider carries only the client ID and secret. Entering scopes here can send Entra a mixed or invalid scope set in one authorize request and trigger AADSTS70011.
- Note the Redirect URL generated by Arcade. This must be set as your Microsoft Entra app’s redirect URL.
Create the provider
Hit the Create button and the provider will be ready to be used.
When you use tools that require Microsoft Power BI auth using your Arcade credentials, Arcade will automatically use this provider. If you have multiple Microsoft Power BI providers, see using multiple auth providers of the same type for more information.
Using Microsoft Power BI auth in app code
Use the Microsoft Power BI in your own and AI apps to get a token for the Power BI REST API. See authorizing agents with Arcade to understand how this works.
Use client.auth.start() with the microsoft-powerbi provider to get a token for Power BI APIs:
Python
from arcadepy import Arcade
client = Arcade() # Automatically finds the `ARCADE_API_KEY` env variable
user_id = "{arcade_user_id}"
# Start the authorization process
auth_response = client.auth.start(
user_id=user_id,
provider="microsoft-powerbi",
scopes=[
"https://analysis.windows.net/powerbi/api/Workspace.Read.All",
"https://analysis.windows.net/powerbi/api/Dataset.Read.All",
],
)
if auth_response.status != "completed":
print("Please complete the authorization challenge in your browser:")
print(auth_response.url)
# Wait for the authorization to complete
auth_response = client.auth.wait_for_completion(auth_response)
token = auth_response.context.token
# TODO: Do something interesting with the token...Using Microsoft Power BI auth in custom tools
You can author your own custom tools that interact with the Power BI REST API.
Power BI is a Microsoft provider with a distinct provider_id, so mark a as requiring it by subclassing the Microsoft auth class and overriding provider_id to microsoft-powerbi. This routes authorization to your dedicated Power BI provider and keeps the connection on Power BI Service tokens only. The context.authorization.token field will be automatically populated with the ’s Power BI token:
from typing import Annotated
import httpx
from arcade_tdk import ToolContext, tool
from arcade_tdk.auth import Microsoft
class MicrosoftPowerBI(Microsoft):
"""Microsoft OAuth bound to the dedicated `microsoft-powerbi` provider."""
provider_id: str = "microsoft-powerbi"
@tool(
requires_auth=MicrosoftPowerBI(
scopes=["https://analysis.windows.net/powerbi/api/Dataset.Read.All"],
)
)
async def list_datasets(
context: ToolContext,
group_id: Annotated[str, "The ID of the workspace to list datasets from"],
) -> Annotated[dict, "The datasets in the workspace"]:
"""List the datasets in a Power BI workspace."""
url = f"https://api.powerbi.com/v1.0/myorg/groups/{group_id}/datasets"
headers = {"Authorization": f"Bearer {context.authorization.token}"}
async with httpx.AsyncClient() as client:
response = await client.get(url=url, headers=headers)
response.raise_for_status()
return response.json()