When you register your Microsoft Entra app, you grant it permission to access various APIs. As your needs change, you might want to adjust these permissions. This article shows you how.
Note
Microsoft Entra app permissions are only applicable for these scenarios:
- Embed for your organization
- Embed for your customers with the master user authentication method
Edit the permission settings on your Microsoft Entra app
Permission changes can be made programmatically, or in the Azure portal.
In the Azure portal, you can view your app and make changes to its permissions.
Sign in to the Azure portal.
Select your Microsoft Entra tenant by selecting your account in the upper right corner of the page.
Select App registrations. If you can't see this option, search for it.
From the Owned applications tab, select your app. The application opens in the Overview tab, where you can review the Application ID.
Select the View API permissions tab.
Select Add a permission.
To add permissions, follow these steps (note that the first step is different for GCC apps):
From the Microsoft APIs tab, select Power BI service.
Note
For GCC apps, select the APIs my organization uses tab, and search for either Microsoft Power BI Government Community Cloud or fc4979e5-0aa5-429f-b13a-5d1365be5566.
Select Delegated Permissions and add or remove the specific permissions you need.
When you're done, select Add permissions to save your changes.
To remove a permission, follow these steps:
Select the ellipsis (...) to the right of the permission.
Select Remove permission.
In the Remove permission pop-up window, select Yes, remove.
To change your Microsoft Entra app permissions programmatically, you'll need to get the existing service principals (users) within your tenant. For information on how to do that, see servicePrincipal.
To get all the service principals within your tenant, call the Get servicePrincipal API without {ID}.
Check for a service principal with your app's application ID as the appId property. (displayName is optional.)
POST https://graph.microsoft.com/v1.0/servicePrincipals HTTP/1.1
Authorization: Bearer ey..qw
Content-Type: application/json

{
  "accountEnabled": true,
  "appId": "{App_Client_ID}",
  "displayName": "{App_DisplayName}"
}
Grant Power BI permissions to your app by assigning one of these values to consentType:
- AllPrincipals: Can only be used by a Power BI admin to grant permissions on behalf of all the users in the tenant.
- Principal: Use to grant permissions on behalf of a specific user. If you're using this option, add the principalId={User_ObjectId} property to the request body.
POST https://graph.microsoft.com/v1.0/OAuth2PermissionGrants HTTP/1.1
Authorization: Bearer ey..qw
Content-Type: application/json

{
  "clientId": "{Service_Plan_ID}",
  "consentType": "AllPrincipals",
  "resourceId": "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
  "scope": "Dataset.ReadWrite.All Dashboard.Read.All Report.Read.All Group.Read Group.Read.All Content.Create Metadata.View_Any Dataset.Read.All Data.Alter_Any",
  "expiryTime": "2018-03-29T14:35:32.4943409+03:00",
  "startTime": "2017-03-29T14:35:32.4933413+03:00"
}
Note
- If you're using a master user, to avoid being prompted for consent by Microsoft Entra ID, you need to grant permissions to the master account.
- The resourceId is tenant dependent and not universal. Its value is the objectId of the Power BI Service application in Microsoft Entra ID. To get this value from the Azure portal, navigate to Enterprise applications > All applications, and search for Power BI Service.
Grant app permissions to Microsoft Entra ID by assigning a value to consentType.
POST https://graph.microsoft.com/v1.0/OAuth2PermissionGrants HTTP/1.1
Authorization: Bearer ey..qw
Content-Type: application/json

{
  "clientId": "{Service_Plan_ID}",
  "consentType": "AllPrincipals",
  "resourceId": "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
  "scope": "User.Read Directory.AccessAsUser.All",
  "expiryTime": "2018-03-29T14:35:32.4943409+03:00",
  "startTime": "2017-03-29T14:35:32.4933413+03:00"
}
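An added example (not part of the original article): an offline pre-flight check for the grant requests above. It resolves clientId and resourceId from a GET /servicePrincipals result, enforces the principalId rule for each consentType, and lists broad scopes that a tenant-wide grant would hand out. The sample directory entries, the Contoso app name, the function names and the REVIEW_SCOPES list are assumptions of the example; clientId is taken to be the object id of the app's service principal.

```python
import json

# Constructed sample of the "value" array returned by GET /servicePrincipals.
# The ids are placeholders; the Power BI Service id reuses the page's resourceId.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "11111111-1111-1111-1111-111111111111",
     "appId": "22222222-2222-2222-2222-222222222222",
     "displayName": "Contoso Embed App"},
    {"id": "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1",
     "appId": "33333333-3333-3333-3333-333333333333",
     "displayName": "Power BI Service"},
]

# Scopes from this page that this example treats as broad (an assumption; tune locally).
REVIEW_SCOPES = {"Directory.AccessAsUser.All", "Dataset.ReadWrite.All", "Data.Alter_Any"}


def find_service_principal(service_principals, key, value):
    """Return the one entry whose `key` (appId or displayName) equals `value`."""
    hits = [sp for sp in service_principals
            if str(sp.get(key, "")).lower() == value.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected one service principal with {key}={value}, got {len(hits)}")
    return hits[0]


def build_grant(client_sp, resource_sp, scopes, consent_type, principal_id=None):
    """Build the oauth2PermissionGrants body and list tenant-wide scopes to review."""
    if consent_type not in ("AllPrincipals", "Principal"):
        raise ValueError(f"unknown consentType: {consent_type}")
    # Example's rule: principalId accompanies Principal and only Principal.
    if (consent_type == "Principal") != bool(principal_id):
        raise ValueError("principalId must be set for Principal and unset for AllPrincipals")
    body = {
        "clientId": client_sp["id"],      # object id of the app's service principal
        "consentType": consent_type,
        "resourceId": resource_sp["id"],  # object id of the resource's service principal
        "scope": " ".join(sorted(set(scopes))),
    }
    if principal_id:
        body["principalId"] = principal_id
    review = sorted(set(scopes) & REVIEW_SCOPES) if consent_type == "AllPrincipals" else []
    return body, review


if __name__ == "__main__":
    app = find_service_principal(SAMPLE_SERVICE_PRINCIPALS, "appId", "22222222-2222-2222-2222-222222222222")
    pbi = find_service_principal(SAMPLE_SERVICE_PRINCIPALS, "displayName", "Power BI Service")
    body, review = build_grant(app, pbi, ["Report.Read.All", "Dataset.ReadWrite.All"], "AllPrincipals")
    print(json.dumps(body, indent=2), "review before tenant-wide consent:", review)
```

A non-empty review list is the cue to narrow the scope string or switch to a per-user Principal grant before sending the request.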
You can also change your Microsoft Entra app permissions using C#. For more information, see the oAuth2PermissionGrant API. This method can be useful if you're considering automating some of your processes.
// Requires the Microsoft.Graph SDK (using Microsoft.Graph;).
// GetGraphClient(), currentState and application are defined elsewhere in your code.
var graphClient = GetGraphClient();

// Register the application.
currentState.createdApp = await graphClient.Applications
    .Request()
    .AddAsync(application);

// Wait for the new application to become available, without blocking the thread.
await System.Threading.Tasks.Task.Delay(2000);

// Add a client secret to the application.
var passwordCredential = new PasswordCredential
{
    DisplayName = "Client Secret Created in C#"
};
currentState.createdSecret = await graphClient.Applications[currentState.createdApp.Id]
    .AddPassword(passwordCredential)
    .Request()
    .PostAsync();

// Create the service principal for the application.
var servicePrincipal = new ServicePrincipal
{
    AppId = currentState.createdApp.AppId
};
currentState.createdServicePrincipal = await graphClient.ServicePrincipals
    .Request()
    .AddAsync(servicePrincipal);

// Use oAuth2PermissionGrant to change permissions (reuses the graphClient created above)
var oAuth2PermissionGrant = await graphClient.Oauth2PermissionGrants["{id}"]
    .Request()
    .GetAsync();