Power BI and ADF integration to Loome Portal

Overview

This document outlines the necessary permissions and service principals required to fully integrate the Loome application with Microsoft Power BI and Azure Data Factory (ADF). These configurations are essential for enabling key features related to embedded analytics and metadata harvesting.

You need to configure the following features for Loome Portal:

  • Entra ID Power BI API permissions for the Loome application.
    • So that you can embed PowerBI.com reports into Loome Portal with the current user’s Entra ID token.
  • Service Principal with ADF permissions.
    • So that you can read metadata from the ADF factory(s) about what kind of pipelines and activities you have.
  • Service principal with Power BI permissions.
    • So that you can read metadata from the PowerBI.com tenant about what kind of dashboards and reports you have.

Pre-requisite step to begin process

Required Account: Loome Organisation Administrator

You need to kick off the process by configuring the Loome organisation to look at the Microsoft Entra ID, and to kick off the consent requests for the permissions we need for Loome Portal.

This step involves logging in to the Loome organisation management application with the required account and carrying out the steps below.

  • Log in to the Loome organisation management app, https://manage-au.loomesoftware.com.
    • This MUST be done as a Microsoft Entra ID account.
    • This account must be an administrator of the ‘Tenant’ Loome organisation.
  • Navigate to the ‘Features’ page from the left navigation menu.
  • Click on the ‘Link Organization’ button and confirm.
    • This is a one-off step; if you do not see the button, it has already been done.
  • You will now see two sections, one for ‘Users and Group Lookup’ and one for ‘PowerBI.com’.
  • Click on the ‘Authorize’ button in the ‘PowerBI.com’ section.
    • This will take you to an Entra ID consent page, where we will request permissions for Power BI API.
    • You will need to enter an approval reason and request.

Note: If you completed this step as an Entra ID admin for your Tenant, you could just consent on behalf of the organisation immediately and skip the next section.

Required Account: Microsoft Entra ID Administrator

Now we need to approve the consent requests from the previous step as a Microsoft Entra ID administrator.

  • Navigate to https://portal.azure.com and sign in as a Microsoft Entra ID administrator for your tenant.
  • Go to ‘Enterprise Applications’ from the left navigation menu.
  • Go to ‘Activity’ > ‘Admin Consent Requests’ from the left navigation menu.
    • Find the request for ‘Loome’ (with ID ‘8be834ff-edf0-4496-8419-6b802a6741f9’) and click on it.
    • Click on ‘Review permissions and consent’ from the details blade.
      • This will launch a consent window where the administrator can login.
    • Review requested permissions and tick the box to consent on behalf of the organisation.
  • Alternatively, you can go to ‘All Applications’
    • Find the ‘Loome’ application (with ID ‘8be834ff-edf0-4496-8419-6b802a6741f9’) and click on it.
    • Go to ‘Security’ > ‘Permissions’ from the left navigation menu.
    • Click on ‘Grant admin consent’ for your tenant.

At the end of this process, the Loome application should have the following permissions consented. Please note that not all of these may appear under ‘Admin consent’ depending on the consent settings for the organisation and how you approved the permissions. Many of these permissions do not require administrative consent under standard Entra ID configuration, so if the organisation is not restrictive, you can check the ‘User Consent’ tab and see that you have individually consented to the remaining permissions to verify this. In this scenario, users might be prompted individually to consent the first time they view an embedded PowerBI.com report in Loome Portal.

  • Power BI
    • Dashboard.Read.All
    • Dataset.Read.All
    • Report.Read.All
    • Workspace.Read.All
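
To check the outcome described above, the following added example (not Loome code and not part of the original page) classifies each of the four scopes as admin-consented, user-consented or missing. It assumes the grants were exported in the shape of Microsoft Graph `oauth2PermissionGrant` objects; the object IDs and the sample data are constructed placeholders.

```python
# Added example (not Loome code): classify Power BI delegated scopes by consent type.
REQUIRED_SCOPES = ("Dashboard.Read.All", "Dataset.Read.All",
                   "Report.Read.All", "Workspace.Read.All")  # from the list above

def _scopes_by_type(grants, resource_id):
    """Collect scopes on one resource, split into tenant-wide and per-user grants."""
    admin, user = set(), set()
    for grant in grants:
        if grant.get("resourceId") != resource_id:
            continue  # a grant on another API, e.g. Microsoft Graph
        scopes = set((grant.get("scope") or "").split())
        if grant.get("consentType") == "AllPrincipals":
            admin |= scopes   # admin consent on behalf of the organisation
        elif grant.get("consentType") == "Principal":
            user |= scopes    # one user's individual consent
    return admin, user

def classify_consent(grants, resource_id):
    """Map each required scope to 'admin', 'user' or 'missing'."""
    admin, user = _scopes_by_type(grants, resource_id)
    return {s: "admin" if s in admin else "user" if s in user else "missing"
            for s in REQUIRED_SCOPES}

def unexpected_scopes(grants, resource_id):
    """Scopes granted on the resource beyond the four listed (least-privilege check)."""
    admin, user = _scopes_by_type(grants, resource_id)
    return sorted((admin | user) - set(REQUIRED_SCOPES))

# Constructed sample data; the object ids are placeholders, not real values.
PBI_RESOURCE_ID = "<power-bi-service-principal-object-id>"
SAMPLE_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None,
     "resourceId": PBI_RESOURCE_ID, "scope": "Report.Read.All Dataset.Read.All"},
    {"consentType": "Principal", "principalId": "<user-object-id>",
     "resourceId": PBI_RESOURCE_ID, "scope": " Dashboard.Read.All Tenant.Read.All"},
    {"consentType": "AllPrincipals", "principalId": None,
     "resourceId": "<microsoft-graph-object-id>", "scope": "User.Read"},
]

if __name__ == "__main__":
    for scope, state in classify_consent(SAMPLE_GRANTS, PBI_RESOURCE_ID).items():
        print(f"{scope:20} {state}")
    print("unexpected:", unexpected_scopes(SAMPLE_GRANTS, PBI_RESOURCE_ID))
```

A scope reported as ‘user’ is consented only for that individual, which is the case where other users are prompted the first time they open an embedded report.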

Setting up the Service Principal for ADF

Required Account: Microsoft Entra ID Administrator

Now we need to set up a service principal and give it permissions to ADF so that we can read the ADF metadata into Loome Portal as assets and activities.

  • Navigate to https://portal.azure.com and sign in as a Microsoft Entra ID administrator.
  • Go to Microsoft Entra ID > App Registrations.
  • Click on ‘New Registration’.
  • Provide a name, such as ‘Loome ADF Sync’ or a name that suits your tenant’s naming conventions.
  • No other settings need to be configured on this page.
  • Click on ‘Register’.
  • On the ‘Overview’ page of the App Registration, note the following information as it will need to be entered into the Loome Portal tenant.
    • Application (client) ID
    • Directory (tenant) ID
  • Go to ‘Certificates & secrets’ from the left navigation menu.
  • Click on ‘New client secret’ and, in the ‘Add a client secret’ slide-out:
    • Provide a description indicating its use within Loome Portal.
    • Set an appropriate expiry date based on your tenant guidelines.
      • NOTE: Renewing this secret and updating Loome Portal will become a recurring task based on how long you set the expiration date.
    • Click ‘Add’ at the bottom.
    • Note the ‘Value’ field of the newly added secret as it will need to be entered into the Loome Portal tenant.

Assigning permissions to the ADF Service Principal

Required Account: Microsoft Entra ID account with permission management to each Data Factory

You now need to grant the Service Principal permissions to each Data Factory that should be synced to Loome Portal.

  • For each Data Factory:
    • Navigate to your Azure Data Factory in https://portal.azure.com
    • Go to ‘Access control (IAM)’ from the left navigation menu.
    • Click on ‘Add’ and then ‘Add role assignment’.
    • Under ‘Job function roles’, find the ‘Reader’ role and select it, click ‘Next’.
    • Click on ‘+Select Members’.
    • Find the previously created Service Principal, select it, and then click on ‘Select’.
    • Click on ‘Review and Assign’ and complete the permission assignment.

Setting up the Service Principal for PowerBI.com

Required Account: Microsoft Entra ID Administrator

Now we need to set up a service principal and give it permissions to PowerBI.com so that we can read the PowerBI.com metadata into Loome Portal as assets and activities.

Note: You can reuse the same Service Principal created for ADF syncing if you wish, but you should NOT use an existing service principal that has Power BI scopes granted to it.

  • Navigate to https://portal.azure.com and sign in as a Microsoft Entra ID administrator for your tenant.
  • Go to Microsoft Entra ID > App Registrations.
  • Click on ‘New Registration’.
  • Provide a name, such as ‘Loome Power BI Sync’ or a name that suits Mercy Health naming conventions.
  • No other settings need to be configured on this page.
  • Click on ‘Register’.
  • On the ‘Overview’ page of the App Registration, note the following information as it will need to be entered into the Loome Portal tenant.
    • Application (client) ID
    • Directory (tenant) ID
  • Go to ‘Certificates & secrets’ from the left navigation menu.
  • Click on ‘New client secret’ and, in the ‘Add a client secret’ slide-out:
    • Provide a description indicating its use within Loome Portal.
    • Set an appropriate expiry date based on Mercy Health guidelines.
      • NOTE: Renewing this secret and updating Loome Portal will become a recurring task based on how long you set the expiration date.
    • Click ‘Add’ at the bottom.
    • Note the ‘Value’ field of the newly added secret as it will need to be entered into the Loome Portal tenant.
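
The note above about not reusing a service principal that already has Power BI scopes, and the recurring secret renewal mentioned in both service principal sections, can be checked together. This added example (not Loome code and not part of the original page) audits an app registration exported as JSON in the shape of a Microsoft Graph application object. It checks the permissions configured on the registration; the 30-day warning window and the sample objects are assumptions made for illustration.

```python
# Added example (not Loome code): audit an app registration before using it for sync.
from datetime import datetime, timedelta, timezone

POWER_BI_SERVICE_APP_ID = "00000009-0000-0000-c000-000000000000"  # Power BI Service API

def _parse_utc(value):
    """Parse a Graph timestamp such as 2026-03-01T00:00:00Z (fractions dropped)."""
    return datetime.fromisoformat(value.split(".")[0].rstrip("Z")).replace(tzinfo=timezone.utc)

def audit_app(app, now, warn_days=30):
    """Return a sorted list of (code, detail) findings for one application object."""
    findings = []
    for entry in app.get("requiredResourceAccess", []):
        perms = entry.get("resourceAccess", [])
        if entry.get("resourceAppId") == POWER_BI_SERVICE_APP_ID and perms:
            findings.append(("powerbi-permissions", f"{len(perms)} configured"))
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append(("no-secret", "no client secret on the registration"))
    for cred in secrets:
        label = cred.get("displayName") or cred.get("keyId", "?")
        remaining = _parse_utc(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            findings.append(("secret-expired", label))
        elif remaining <= timedelta(days=warn_days):
            findings.append(("secret-expiring", f"{label}: {remaining.days} day(s) left"))
    return sorted(findings)

# Constructed sample objects; names, dates and ids are illustrative only.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
REUSED_APP = {
    "displayName": "Existing BI app",
    "requiredResourceAccess": [{"resourceAppId": POWER_BI_SERVICE_APP_ID,
        "resourceAccess": [{"id": "<permission-id>", "type": "Scope"}]}],
    "passwordCredentials": [
        {"displayName": "old", "endDateTime": "2025-12-31T00:00:00Z"},
        {"displayName": "Loome Portal", "endDateTime": "2026-02-01T00:00:00.1234567Z"}],
}
NEW_APP = {
    "displayName": "Loome Power BI Sync",
    "requiredResourceAccess": [],
    "passwordCredentials": [
        {"displayName": "Loome Portal", "endDateTime": "2027-01-15T00:00:00Z"}],
}

if __name__ == "__main__":
    for app in (REUSED_APP, NEW_APP):
        print(app["displayName"], audit_app(app, NOW))
```

An empty result means the registration has no Power BI permissions configured and no secret inside the warning window.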

Enabling Service Principal access to PowerBI.com

Required Account: Power BI Administrator

We now need to provide the Service Principal with permission to call Power BI/Fabric Scanner APIs so that we can retrieve metadata about Power BI assets, such as reports and dashboards.

It is highly recommended for the following section that you use a Security group to control access to these settings rather than using ‘The entire organisation’ setting. You simply need to make an Entra ID security group, add the Service Principal to the Entra ID group, then add the Entra ID group to these settings. If the organisation has an existing group for this purpose, you could add the Service Principal to that group.

  • Go to https://app.powerbi.com/admin-portal and log in as a Power BI administrator for your tenant.
  • Find the ‘Service principals can call Fabric public APIs’ setting and expand it.
    • Ensure the feature is enabled for either ‘The entire Organisation’ or specific groups that include the Service Principal.
  • Find the ‘Service principals can access read-only admin APIs’ setting and expand it.
    • Ensure the feature is enabled for either ‘The entire Organisation’ or specific groups that include the Service Principal.
  • Find the ‘Enhance admin APIs responses with detailed metadata’ setting and expand it.
    • Ensure the feature is enabled.