Microsoft Fabric Integration

Overview

This guide outlines the necessary permissions and service principals required to fully integrate the Loome application with Microsoft Fabric. These configurations are essential for enabling key features related to embedded analytics and metadata harvesting.

You need to configure the following for Loome Portal;

  • Entra ID Microsoft Fabric API permissions for the Loome application.
    • So that you can embed Microsoft Fabric reports in to Loome Portal with the current user’s Entra ID token.
  • Service principal with Microsoft Fabric permissions.
    • So that Loome can read metadata from the Microsoft Fabric tenant about the kind of dashboards and reports it has.

Prerequisite Steps in Loome

Required Account: Loome Organisation Administrator

You need to kick off the process by configuring the Loome organisation to look at the Microsoft Entra ID, and to start the consent requests for the permissions we need for Loome Portal.

This step involves logging in to the Loome organisation management application as a Microsoft Entra ID account and carrying out the following steps.

  • Login to the Loome organisation management app, https://manage-au.loomesoftware.com.
    • This MUST be done as a Microsoft Entra ID account.
    • This account must be an administrator of the Loome organisation.
  • Navigate to the ‘Features’ page from the left navigation menu.

Features section

  • Click on the ‘Link Organization’ button and confirm.
    • This is a one off step, if you do not see the button, it has already been linked.
  • After it has been linked, you will now find two sections, ‘Users and Group Lookup’ and ‘PowerBI.com’.
  • In the ‘PowerBI.com’ section, click on the ‘Authorize’ button.
    • This will take you to an Entra ID consent page, where Loome will request permissions for Microsoft Fabric API.
    • You will need to enter an approval reason and request.

If you completed this step as an Entra ID admin for your organisation, you could just consent on behalf of the organisation immediately and skip the next section.

Required Account: Microsoft Entra ID Administrator

The next step is to approve the consent requests from the previous step as an Microsoft Entra ID administrator.

  • Navigate to https://portal.azure.com and sign in as an Microsoft Entra ID administrator for your tenant.
  • Go to ‘Enterprise Applications’ from the left navigation menu.
  • Go to ‘Activity’ > ‘Admin Consent Requests’ from the left navigation menu.
    • Find the request for ‘Loome’ (with ID ‘8be834ff-edf0-4496-8419-6b802a6741f9’) and click on it.
    • Click on ‘Review permissions and consent’ from the details blade.
      • This will launch a consent window where the administrator can login.
    • Review requested permissions and tick the box to consent on behalf of the organisation.
  • Alternatively, you can go to ‘All Applications
    • Find the ‘Loome’ application (with ID ‘8be834ff-edf0-4496-8419-6b802a6741f9’) and click on it.
    • Go to ‘Security’ > ‘Permissions’ from the left navigation menu.
    • Click on ‘Grant admin consent for your tenant’.

At the end of this process, the Loome application should have the following permissions consented.

Please note that not all of these may appear under ‘Admin consent’ depending on the consent settings for the organisation and how you approved the permissions. Many of these permissions do not require administrative consent under standard Entra ID configuration, so if the organisation is not restrictive, you can check the ‘User Consent’ tab and see that you have individually consented to the remaining permissions to verify this. In this scenario, users might be prompted individually to consent the first time they view an embedded Microsoft Fabric report in Loome Portal.

Permissions for Microsoft Fabric:

  • Microsoft Fabric
    • Dashboard.Read.All
    • Dataset.Read.All
    • Report.Read.All
    • Workspace.Read.All

Setting up the Service Principal for Microsoft Fabric

Required Account: Microsoft Entra ID Administrator

Next, setup a service principal and give it permissions to Microsoft Fabric so that Loome can read the Microsoft Fabric metadata into Loome Portal as assets and activities.

You can reuse the same Service Principal created for ADF syncing if you wish, but you should NOT use an existing service principal that has Microsoft Fabric scopes granted to it.

  • Navigate to https://portal.azure.com and sign in as an Microsoft Entra ID administrator for your tenant.
  • Go to Microsoft Entra ID > App Registrations.
  • Click on ‘New Registration’.
  • Provide a name, such as ‘Loome Microsoft Fabric Sync’ or a name that suits your naming conventions.
  • No other settings need to be configured on this page.
  • Click on ‘Register
  • On the ‘Overview’ page of the App Registration, note the following information as it will need to be entered into the Loome Portal tenant.
    • Application (client) ID
    • Directory (tenant) ID
  • Go to ‘Certificates & secrets’ from the left navigation menu.
  • Click on ‘New client secret’ and from the ‘Add a client secret’ slide out.
    • Provide a description indicating its use within Loome Portal.
    • Set an appropriate expiry date based on your guidelines.
      • NOTE: Renewing this secret and updating Loome Portal will become a recurring task based on how long you set the expiration date.
    • Click ‘Add’ down the bottom.
    • Note the ‘Value’ field of the newly added secret as it will need to be entered in to the Loome Portal tenant.

You will need to recurringly update Loome Portal with the new client secret each time it has expired.

Enabling Service Principal access to Microsoft Fabric

Required Account: Microsoft Fabric Administrator

Following, you will need to provide the Service Principal with permission to call Microsoft Fabric Scanner APIs, so that Loome can retrieve metadata about Microsoft Fabric assets, such as reports and dashboards.

It is highly recommended for the following section that you use a Security group to control access to these settings rather than using ‘The entire organisation’ setting. You need to make an Entra ID security group, add the Service Principal to the Entra ID group, then add the Entra ID group to these settings. If the organisation has an existing group for this purpose, you could add the Service Principal to that group.

  • Go to https://app.powerbi.com/admin-portal and login as a Microsoft Fabric administrator for your tenant.
  • Find the ‘Service principals can call Fabric public APIs’ setting and expand it.
    • Ensure the feature is enabled for either ‘The entire Organisation’ or specific groups that include the Service Principal
  • Find the ‘Service principals can access read-only admin APIs’ setting and expand it.
    • Ensure the feature is enabled for either ‘The entire Organisation’ or specific groups that include the Service Principal
  • Find the ‘Enhance admin APIs responses with detailed metadata’
    • Ensure the feature is enabled.