I’ve created a PowerShell script that will add a given Service Principal to all (configured) Power BI workspaces. This can be useful or even required for all kinds of scenarios, but I recently needed such a script for my BPAA solution as it needs to talk to the XMLA endpoint of all data models in the Power BI Service and to be able to do that, the Service Principal needs to be a member of the workspaces.
Script details
Check out the AddServicePrincipalToPowerBIWorkspaces.ps1 gist on GitHub. It’s also framed below (same script).
This script will prompt for the (correct) ObjectId of the Service Principal (the one from “Enterprise applications” in Azure Active Directory), and it will prompt for the credentials of a Power BI Service Administrator.
Before you run the script, you can specify:
- If you want the Service Principal to be added to workspaces in shared or premium capacity or both.
- The type of role the Service Principal will get in all the workspaces.
- If you want to force update that in case the Service Principal is already a member.
Important notes/disclaimers
Before running this script, make sure you read these notes/disclaimers first:
- The given Service Principal will have permissions to access the data models in the workspaces it is added to. Please be incredibly careful and handle the secret of the Service Principal with care. Consider storing the details of the Service Principal, including the value of the secret in a private password manager or (Azure Key) vault.
- Tip: consider removing the Service Principal directly after you are finished with the task that requires the Service Principal to be a member of the workspaces. I have a script to remove a Service Principal from all Power BI workspaces.
- Note: this script only works with v2 workspaces (you can’t add a Service Principal to a v1 workspace).
# ================================================================================================================================================= | |
## This script will add the given Service Principal to Power BI workspaces | |
## It will first ask for the (correct) ObjectId of the Service Principal | |
## Then it will ask for the credentials of a Power BI Service Administrator | |
## Note: this script only works with v2 workspaces (you can't add a Service Principal to a v1 workspace) | |
# ================================================================================================================================================= | |
## Parameters | |
# The role to give the Service Principal in the workspaces (admin, member, contributor) | |
$RoleType = 'member' | |
# If the Service Principal is already a member of the workspace, | |
# do you want to force the role to be as state in the $RoleType parameter above? | |
$ForceRole = $True | |
# Add the Service Principal to workspaces that are in Premium capacity? | |
$AddToPremiumCapacityWorkspaces = $true | |
# Add the Service Principal to workspaces that are in shared capacity? | |
$AddToSharedCapacityWorkspaces = $true | |
# ================================================================================================================================================= | |
$ErrorActionPreference = 'Stop' | |
Clear-Host | |
Write-Host " | |
======================================================================== | |
__ ___ __ ___ __ _ | |
/ |/ /___ ___/ /___ ____ ___ / _ \ ___ _ / /_ ___ _ ___ _ (_) | |
/ /|_/ // _ \/ _ // -_)/ __// _ \ / // // _ '// __// _ '/_ / _ '// / | |
/_/ /_/ \___/\_,_/ \__//_/ /_//_//____/ \_,_/ \__/ \_,_/(_)\_,_//_/ | |
___ ___ _ _ __ | |
/ _ \ ___ _ _ __ ___ / _ \ __ __ (_) (_)/ /_ ___ ____ | |
/ // // _ '/| |/ // -_) / , _// // // / / // __// -_)/ __/ | |
/____/ \_,_/ |___/ \__/ /_/|_| \_,_//_/__/ / \__/ \__//_/ | |
|___/ | |
========================================================================" | |
#IMPORTANT: you need the correct ObjectId of the Service Principal | |
$PowerBIServicePrincipalObjectId = Read-Host -Prompt 'Specify ObjectId of Service Principal (find this in the "Enterprise applications" in Azure Active Directory)' | |
if ($PowerBIServicePrincipalObjectId) { | |
# Connect to Power BI (this will prompt for credentials, use an account that has the Power BI admin role!) | |
Connect-PowerBIServiceAccount | |
# Keep track of all the workspaces that we 'touch' | |
$listofworkspaces = [System.Collections.ArrayList]::new() | |
Write-Host "==================================================================================================================================" | |
# Get all workspaces (and filter to only v2 workspaces) | |
$AllV2Workspaces = Get-PowerBIWorkspace -All -Scope Organization -Include All | ` | |
Where-Object {$_.Type -eq "Workspace" -and $_.State -ne "Deleted" -and $_.IsReadOnly -eq $False ` | |
-and ( ` | |
($_.IsOnDedicatedCapacity -eq $True -and $AddToPremiumCapacityWorkspaces -eq $true) ` | |
-or ` | |
($_.IsOnDedicatedCapacity -eq $False -and $AddToSharedCapacityWorkspaces -eq $true) ` | |
) ` | |
} | |
Write-Host "Found a total of $($AllV2Workspaces.Count) workspaces..." | |
# Add the Service Principal to the workspaces | |
$AllV2Workspaces | ForEach-Object { | |
Write-Host "==================================================================================================================================" | |
$WorkspaceName = $_.Name | |
$WorkspaceId = $_.Id | |
Write-Host "Working on workspace: $WorkspaceName." | |
# Track this workspace | |
$listofworkspaces += $WorkspaceName | |
# Check if Service Principal is in the workspace | |
$ServicePrincipalInWorkspace = $_.Users | Where-Object {$_.Identifier -eq $PowerBIServicePrincipalObjectId} | |
if ($ServicePrincipalInWorkspace) | |
{ | |
Write-Host "Service Principal already member of: $WorkspaceName, with role type $($ServicePrincipalInWorkspace.AccessRight)." | |
# Check current role type | |
if ($ServicePrincipalInWorkspace.AccessRight -ne $RoleType) { | |
# If foce is enabled, overrule the current role type | |
if ($ForceRole) { | |
Write-Host "Updating role type (force is inabled)." | |
# Remove Service Principal | |
Write-Host "Remove Service Principal from workspace..." | |
Remove-PowerBIWorkspaceUser -Scope Organization -Id $WorkspaceId -PrincipalType App -Identifier $PowerBIServicePrincipalObjectId | |
# Adding Service Principal | |
Write-Host "Adding Service Principal to: $WorkspaceName, with correct role type..." | |
Add-PowerBIWorkspaceUser -Scope Organization -Id $WorkspaceId -PrincipalType App -Identifier $PowerBIServicePrincipalObjectId -AccessRight $RoleType | |
Write-Host "Done." | |
} | |
else { | |
Write-Warning "Force update is not enabled, not updating this role membership!" | |
} | |
} | |
} | |
else { | |
Write-Host "Adding Service Principal to: $WorkspaceName." | |
Add-PowerBIWorkspaceUser -Scope Organization -Id $WorkspaceId -PrincipalType App -Identifier $PowerBIServicePrincipalObjectId -AccessRight $RoleType | |
Write-Host "Done." | |
} | |
} | |
Write-Host "==================================================================================================================================" | |
# Report the tracked list of workspaces | |
Write-Host "List of workspaces that we checked during the script:" | |
$listofworkspaces | |
} | |
else { | |
Write-Error "No ObjectId provided for the Service Principal!" | |
} | |
Logout-PowerBIServiceAccount | |
Write-Host "`nScript finished." |
Hi,
Can your code be tweaked to add an Azure Active Directory security group containing multiple service principles for workspace access?
Thanks.
Yes that is possible
I tried by both using “PrincipleType Group” in the cmdlet (using the security group object id instead of service principle) and using the below API code within your “ForEach-Object” loop but I receive “Bad Request 400” and “Forbidden” errors. Perhaps “Add-PowerBIWorkspaceUser” doesn’t allow security group object ids and “Invoke-PowerBIRestMethod” doesn’t have the scope required?…
$accessToken = Get-PowerBIAccessToken
Write-Host “Adding Security Group to: $WorkspaceName.”
$Body = @{
identifier= $PowerBIServicePrincipalObjectId
groupUserAccessRight= $RoleType
principalType= “Group”
}
$BodyJSON=$Body | ConvertTo-Json
Invoke-PowerBIRestMethod -Headers $accessToken -Method Post -Url “/groups/$WorkspaceId/users” -Body $BodyJSON -ContentType:’application/json’ #Workspace ID
Write-Host “Done.”
Thanks.
Hello,
Is this possible to run this procedure without user interaction? I would like to automate the process of adding AAD group to the workspace by using Service Principal authentication (clientID and secret kept in Azure Key Vault).
Yes. Line 48 would have to be adjusted to authenticate using a Service Principal.
Alright, thank you!
Thanks you Dave for a wonderful Script. It makes my work easy!
Need Small clarification:
1. It is giving a warning that “only preview workspace are supported when -Scope Organization is specified” why like that?
2. Also, is there any script which Filters to the needed workspace. For example: all workspaces with “BI” in the workspace name should be given.