Bridge Specifications
Vendor | Microsoft |
Tool Name | Azure Power BI |
Tool Version | 2.x |
Tool Web Site | https://powerbi.microsoft.com/ |
Supported Methodology | [Business Intelligence] Multi-Model, Metadata Repository, Data Store (Physical Data Model, OLAP Dimensional Model, Stored Procedure Expression Parsing), BI Report (Relational Source, Dimensional Source, Expression Parsing, Report Structure) via Java REST API |
SPECIFICATIONS
Tool: Microsoft / Azure Power BI version 2.x via Java REST API
See https://powerbi.microsoft.com/
Metadata: [Business Intelligence] Multi-Model, Metadata Repository, Data Store (Physical Data Model, OLAP Dimensional Model, Stored Procedure Expression Parsing), BI Report (Relational Source, Dimensional Source, Expression Parsing, Report Structure)
Component: MicrosoftAzurePowerBI version 11.1.0
DISCLAIMER
This bridge requires internet access to download third party libraries:
- such as https://repo.maven.apache.org/maven2/ to download open source third party libraries,
- and more sites for other third party software such as database specific jdbc drivers.
The downloaded third party libraries are stored in $HOME/data/download/MIMB/
- If https fails, the bridge then tries with http.
- If a proxy is used to access the internet, you must configure that proxy in the JRE (see the -j option in the Miscellaneous parameter).
- If the bridge does not have full access to the internet, the $HOME/data/download/MIMB/ directory can be copied from another server with internet access, where the command $HOME/bin/MIMB.sh (or .bat) -d can be used to download all third party libraries used by all bridges at once.
By running this bridge, you hereby acknowledge responsibility for the license terms and any potential security vulnerabilities from these downloaded third party software libraries.
OVERVIEW
This bridge imports Business Intelligence (BI) reporting metadata from Microsoft Power BI service hosted on the Microsoft Azure cloud.
This bridge catalogs the following object types:
* Workspaces (Groups)
* Dashboards
* PowerBI reports
* DataSets
* DataSources
REQUIREMENTS
When connecting to the Power BI service hosted in Microsoft Azure cloud, the bridge uses Azure Active Directory authentication.
This bridge relies on the Microsoft Authentication Library (MSAL) in order to authenticate against Azure Active Directory.
The following configuration steps are required for registering an application in the Azure global cloud.
- Connect to the Azure management console: https://portal.azure.com/
- Create or open the Azure Active Directory which corresponds to your organization.
- On the App registrations page, create an application registration named 'MIMB' of type 'Native Client', and write down its Client ID (Application ID).
- Make sure to add permission to the Power BI Service application, and grant necessary permissions.
For example, you may grant 'Power BI Service' permissions: Dashboard.Read.All, Dataset.Read.All, Gateway.Read.All, Report.Read.All, Tenant.Read.All, Workspace.Read.All
If you want to register the application in an Azure national sovereign cloud, follow similar steps using a different URL for the Azure management console, matching your government cloud environment.
For details please refer to: https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud
Please use the 'Azure environment' parameter to specify your government cloud environment.
The bridge will use the Client ID (Application ID) information to connect to Azure, and obtain the authentication token.
For more details:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications
Alternatively, it is possible to register the application with Azure Active Directory using this page:
https://dev.powerbi.com/apps
Note that it may be necessary to grant consent for the specified permissions using the Azure management console.
You may also use the Office 365 Admin Center to configure users - via the Azure Active Directory management console (bottom left of the screen), and the PowerBI subscription (license):
https://admin.microsoft.com/
This provides fine-grained configuration of users, groups and application registration.
There are two ways to authenticate against Azure Active Directory:
- As a regular user: the login user is usually in the form of an email address. E.g.
UserName@DirectoryName.onmicrosoft.com
- As a Service Principal: the user name parameter should be left empty, and the Tenant ID must be provided.
In June 2021, Microsoft introduced enhanced metadata scanning APIs, to allow retrieving DataSets table structure and PowerQuery mashup expressions.
They are only available as part of the Admin APIs, and require additional configuration steps described below.
For authenticating as Service Principal, you may configure additional permissions on this page:
https://app.powerbi.com/admin-portal/tenantSettings
- Developer settings / Allow service principals to use Power BI APIs
- Admin API settings / Allow service principals to use read-only Power BI admin APIs
- Admin API settings / Enhance admin APIs responses with detailed metadata (for Dataset Tables and Columns)
- Admin API settings / Enhance admin APIs responses with DAX and mashup expressions (for Dataset lineage metadata)
To use the Admin APIs:
- When using Delegated permissions (login as a signed-in user), the user needs to have the PowerBI Admin Role.
- When using Service Principal authentication, remove the Power BI Roles given to the app (Tenant.ReadWrite.All, Tenant.Read.All) via the Azure Active Directory console.
- In Azure Active Directory, create a security group and add the Service Principal account to it.
- Enable access to your workspace(s) for the Service Principal and/or security group.
- Configure the bridge with the miscellaneous parameter: -admin
For more details, please refer to:
https://docs.microsoft.com/en-us/power-bi/admin/service-admin-metadata-scanning
https://docs.microsoft.com/en-us/power-bi/admin/service-admin-metadata-scanning-setup
https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication
https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal#service-principal-vs-master-account
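One way to check which Power BI permissions a token actually carries against the lists above, as an added example (not part of the bridge or of Microsoft's tooling). It assumes the access token exposes delegated permissions in the `scp` claim and application permissions in the `roles` claim; the payload is decoded for inspection only, without signature verification, and the sample tokens are constructed.

```python
import base64
import json

# Read-only 'Power BI Service' permissions listed on this page.
READ_ONLY = {
    "Dashboard.Read.All", "Dataset.Read.All", "Gateway.Read.All",
    "Report.Read.All", "Tenant.Read.All", "Workspace.Read.All",
}
# Roles the page says to remove from the app for Service Principal + Admin APIs.
SP_ADMIN_FORBIDDEN = {"Tenant.Read.All", "Tenant.ReadWrite.All"}


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT for inspection only (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token: str, admin_mode: bool = False) -> list[str]:
    """Return findings about the Power BI permissions carried by the token."""
    claims = jwt_claims(token)
    # Assumption: 'scp' is a space-separated string, 'roles' is a list.
    scopes = set(claims.get("scp", "").split())  # delegated (signed-in user)
    roles = set(claims.get("roles", []))         # application (service principal)
    app_only = "scp" not in claims
    findings = []
    for perm in sorted((scopes | roles) - READ_ONLY):
        findings.append(f"not in the read-only list: {perm}")
    if app_only and admin_mode:
        for perm in sorted(roles & SP_ADMIN_FORBIDDEN):
            findings.append(f"remove for service principal with -admin: {perm}")
    return findings


def _make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: a signed-in user with one write scope, and a
# service principal that still holds a Power BI role.
SAMPLE_USER = _make_sample({"scp": "Dataset.Read.All Report.ReadWrite.All"})
SAMPLE_SP = _make_sample({"roles": ["Tenant.Read.All"]})

if __name__ == "__main__":
    for label, tok, admin in (("user", SAMPLE_USER, False), ("sp", SAMPLE_SP, True)):
        print(label, audit_token(tok, admin_mode=admin))
```
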
FREQUENTLY ASKED QUESTIONS
- If you experience the error message below, you may need the administrator to grant consent.
AADSTS65001: The user or administrator has not consented to use the application with ID '{client-id}' named 'MIMB'. Send an interactive authorization request for this user and resource.
Ask the administrator to grant consent using a URL like: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
For more details: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
LIMITATIONS
Refer to the current general known limitations at http://metaintegration.com/Products/MIMB/MIMBKnownLimitations.html or bundled in Documentation/ReadMe/MIMBKnownLimitations.html
When using PowerBI Rest standard user APIs:
- lineage metadata is only available at the model level or connection level, not at the table or column level.
- PowerBI supports 6 types of datasets: 'Push', 'Streaming', 'PushStreaming', 'AzureAS', 'AsOnPrem' and dataset from uploaded PBIX files.
- The structure of datasets (in terms of tables and columns) is exposed only for 'Push' and 'PushStreaming' dataset types, due to API limitations.
When using PowerBI Rest admin APIs:
- Datasets table structure and PowerQuery mashup expressions may be retrieved.
- Admin APIs limitations are documented here: https://docs.microsoft.com/en-us/power-bi/admin/service-admin-metadata-scanning
The bridge relies on a PowerQuery M language parser to understand the lineage of each Table Query.
Some concepts in the PowerQuery language may not be well supported:
- some functions (data access functions, data manipulation functions)
- complex queries that rely on sub-queries, parameters, or custom/lambda functions
- queries that rely on other scripting languages (Kusto, Python, R)
SUPPORT
Provide a troubleshooting package with:
- the debug log (can be set in the UI or in conf/conf.properties with MIR_LOG_LEVEL=6)
- the metadata backup if available (can be set in the Miscellaneous parameter with option -backup)
Bridge Parameters
Parameter Name | Description | Type | Values | Default | Scope | ||
Azure environment | This parameter allows selecting the Azure cloud environment to connect to. Most users may use the public 'GlobalCloud'. Users who want to connect to a National (sovereign) cloud may specify other values such as:
- ChinaCloud (Microsoft Azure China operated by 21Vianet)
- GermanyCloud (Microsoft Azure Deutschland)
- USGovCloud (US Government Community Cloud (GCC))
- USGovDoDL4Cloud (US Government Community Cloud High (GCC High))
- USGovDoDL5Cloud (US Government Department of Defense) |
REPOSITORY_MODEL | GlobalCloud | ||||
Login User | The username which the bridge will use to log in. This user name must have the necessary permissions to access the objects you wish to import. In case of Microsoft Azure PowerBI, there are two ways to authenticate against Azure Active Directory:
- As a regular user: the login user is usually in the form of an email address. E.g. UserName@DirectoryName.onmicrosoft.com
- As a Service Principal: the user name parameter should be left empty, and the Tenant ID must be provided. |
STRING | Administrator | ||||
Login password | Enter the password associated with the username which the bridge will use to log in. In case of Microsoft Azure PowerBI, there are two ways to authenticate against Azure Active Directory:
- As a regular user: the login user is usually in the form of an email address. E.g. UserName@DirectoryName.onmicrosoft.com
- As a Service Principal: the password parameter corresponds to the Client Secret. |
PASSWORD | |||||
Client ID | Enter the Microsoft Azure Client ID for the application. | STRING | |||||
Tenant ID | Enter the Microsoft Azure ActiveDirectory Tenant ID. In case of Microsoft Azure PowerBI, there are two ways to authenticate against Azure Active Directory:
- As a regular user: the login user is usually in the form of an email address. E.g. UserName@DirectoryName.onmicrosoft.com
- As a Service Principal: the user name parameter should be left empty, and the Tenant ID must be provided. |
STRING | |||||
Personal Workspaces | Specify whether to include or exclude personal workspaces.
- True: personal workspaces are included
- False: personal workspaces are excluded |
BOOLEAN |
|
True | |||
Workspace filter | Specify which workspaces to include using a filter. This parameter is used when browsing the list of available workspaces, to list a subset of workspaces, rather than a full list. After specifying the filter, please use the 'Workspaces' parameter to browse the matching workspaces, and further refine your selection.
Examples:
name eq 'Sales' or name eq 'Marketing'
contains(name,'Sales') or contains(name,'Marketing')
startswith(name,'Sales') or endswith(name,'Sales')
type eq 'Group' or type eq 'Workspace'
type ne 'Personal' and type ne 'PersonalGroup'
state eq 'Active'
state ne 'Deleted' and state ne 'Removing' |
STRING | |||||
Workspaces | This parameter allows browsing available workspaces and selecting a subset to import, rather than all possible workspaces of the Azure PowerBI tenant. It may be useful in case the tenant has numerous workspaces, if only some workspaces are of interest.
If your PowerBI tenant environment contains a very large number of workspaces, browsing the full list of workspaces may be impractical. In such case, you can use the 'Workspace filter' parameter to specify a filtering criteria, to avoid retrieving a full list, and make the selection more manageable.
You can specify here a semicolon separated list of workspaces. You can specify the default empty value, to import all available workspaces.
PowerBI identifies workspaces by their guid unique identifier, for example: a3713590-d5aa-488d-82cc-e8cc52c085d7
When logging in as a regular user:
- the current user's workspace can be identified as: me
- PowerBI restricts the list of workspaces to what the current logged in user has access to.
When logging in as service principal (using Admin APIs):
- all workspaces (including personal workspaces) are identified by guid unique identifier. |
REPOSITORY_SUBSET | |||||
Offline metadata directory | In order to facilitate testing and reproducing the PowerBI metadata environment, when that environment is not installed locally, this parameter allows importing metadata from files previously downloaded from the PowerBI server. Specify in this parameter the directory path where the downloaded files are located. No connection to the PowerBI server is needed in this case, the usual connection parameters are ignored. | DIRECTORY | |||||
Miscellaneous | INTRODUCTION
Specify miscellaneous options starting with a dash and optionally followed by parameters, e.g.
-connection.cast MyDatabase1="SQL Server"
Some options can be used multiple times if applicable, e.g.
-connection.rename NewConnection1=OldConnection1 -connection.rename NewConnection2=OldConnection2;
As the list of options can become a long string, it is possible to load it from a file which must be located in ${MODEL_BRIDGE_HOME}\data\MIMB\parameters and have the extension .txt. In such case, all options must be defined within that file as the only value of this parameter, e.g.
ETL/Miscellaneous.txt
JAVA ENVIRONMENT OPTIONS
-java.memory <Java Memory's maximum size> (previously -m)
1G by default on 64bits JRE or as set in conf/conf.properties, e.g.
-java.memory 8G
-java.memory 8000M
-java.parameters <Java Runtime Environment command line options> (previously -j)
This option must be the last one in the Miscellaneous parameter as all the text after -java.parameters is passed "as is" to the JRE, e.g.
-java.parameters -Dname=value -Xms1G
The following option must be set when a proxy is used to access internet (this is critical to access https://repo.maven.apache.org/maven2/ and exceptionally a few other tool sites) in order to download the necessary third party software libraries.
Note: The majority of proxies are concerned with encrypting (HTTPS) the outside (of the company) traffic and trust the inside traffic that can access proxy over HTTP. In this case, an HTTPS request reaches the proxy over HTTP where the proxy HTTPS-encrypts it.
-java.parameters -java.parameters -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=3128 -Dhttp.proxyUser=user -Dhttp.proxyPassword=pass
-java.executable <Java Runtime Environment full path name> (previously -jre)
It can be an absolute path to javaw.exe on Windows or a link/script path on Linux, e.g.
-java.executable "c:\Program Files\Java\jre1.8.0_211\bin\javaw.exe"
-environment.variable <name>=<value> (previously -v)
None by default, e.g.
-environment.variable var2="value2 with spaces"
MODEL IMPORT OPTIONS
-model.name <model name>
Override the model name, e.g.
-model.name "My Model Name"
-prescript <script name>
The script must be located in the bin directory, and have .bat or .sh extension.
The script path must not include any parent directory symbol (..).
The script should return exit code 0 to indicate success, or another value to indicate failure.
For example:
-prescript "script.bat arg1 arg2"
-cache.clear
Clears the cache before the import, and therefore will run a full import without incremental harvesting.
Warning: this is a system option managed by the application calling the bridge and should not be set by users.
-backup <directory>
Full path of an empty directory to save the metadata input files for further troubleshooting.
DATA CONNECTION OPTIONS
Data Connections are produced by the import bridges typically from ETL/DI and BI tools to refer to the source and target data stores they use. These data connections are then used by metadata management tools to connect them (metadata stitching) to their actual data stores (e.g. databases, file system, etc.) in order to produce the full end to end data flow lineage and impact analysis. The name of each data connection is unique by import model. The data connection names used within DI/BI design tools are used when possible, otherwise connection names are generated to be short but meaningful such as the database / schema name, the file system path, or Uniform Resource Identifier (URI). The following options allow manipulating connections. These options replace the legacy options -c, -cd, and -cs.
-connection.cast ConnectionName=ConnectionType
Casts a generic database connection (e.g. ODBC/JDBC) to a precise database type (e.g. ORACLE) for SQL Parsing, e.g.
-connection.cast "My Database"="SQL SERVER".
The list of supported data store connection types includes:
ACCESS
CASSANDRA
DB2
DENODO
HIVE
MYSQL
NETEZZA
ORACLE
POSTGRESQL
PRESTO
REDSHIFT
SALESFORCE
SAP HANA
SNOWFLAKE
SQL SERVER
SYBASE
TERADATA
VECTORWISE
VERTICA
-connection.rename OldConnection=NewConnection
Renames an existing connection to a new name, e.g.
-connection.rename OldConnectionName=NewConnectionName
Multiple existing database connections can be renamed and merged into one new database connection, e.g.
-connection.rename MySchema1=MyDatabase -connection.rename MySchema2=MyDatabase
-connection.split OldConnection.Schema1=NewConnection
Splits a database connection into one or multiple database connections.
A single database connection can be split into one connection per schema, e.g.
-connection.split MyDatabase
All database connections can be split into one connection per schema, e.g.
-connection.split *
A database connection can be explicitly split creating a new database connection by appending a schema name to a database, e.g.
-connection.split MyDatabase.schema1=MySchema1
-connection.map OldPath=NewPath
Maps a New to Old path. This is useful for file system connections when different paths point to the same object (directory or file).
On Hadoop, a process can write into a CSV file specified with the HDFS full path, but another process reads from a HIVE table implemented (external) by the same file specified using a relative path with default file name and extension, e.g.
-connection.map hdfs://host:8020/users/user1/folder/file.csv=/user1/folder
On Linux, a given directory (or file) like /data can be referred to by multiple symbolic links like /users/john and /users/paul, e.g.
-connection.map /users/John=/data -connection.map /users/paul=/data
On Windows, a given directory like C:\data can be referred to by multiple network drives like M: and N:, e.g.
-connection.map M:\=C:\data -connection.map N:\=C:\data
-connection.casesensitive ConnectionName
Overrides the default case insensitive matching rules for the object identifiers inside the specified connection, provided the detected type of the data store by itself supports this configuration (e.g. Microsoft SQL Server, MySql etc.), e.g.
-connection.casesensitive "My Database"
MICROSOFT POWER BI OPTIONS
-columns.notpropagated
Do not propagate the columns discovered while parsing PowerQuery M script steps back to the source tables/files.
-admin
Allow using Power BI Azure service Admin APIs.
-summarizePowerQuerySteps
Allow summarizing PowerQuery data transformation steps, for direct source to target lineage relationships. |
STRING |
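A pre-deployment check of a Miscellaneous value against the rules stated in the parameter description above, as an added example (not part of the bridge). The function names and the sample strings are constructed for illustration; only the option names and rules come from this page.

```python
import re

# Words, keeping quoted runs together (e.g. var2="value2 with spaces").
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# Bridge options named on this page (the -connection.* family is matched by prefix).
BRIDGE_OPTS = {"-admin", "-backup", "-prescript", "-model.name", "-cache.clear",
               "-columns.notpropagated", "-summarizePowerQuerySteps",
               "-java.memory", "-java.executable", "-environment.variable"}


def check_prescript(value: str) -> list[str]:
    """Apply the page's -prescript rules to the (possibly quoted) option value."""
    words = value.strip('"').split()
    script = words[0] if words else ""
    problems = []
    if ".." in re.split(r"[\\/]", script):
        problems.append("-prescript: path contains a parent directory symbol (..)")
    if not script.lower().endswith((".bat", ".sh")):
        problems.append("-prescript: script must have a .bat or .sh extension")
    return problems


def lint_miscellaneous(value: str) -> list[str]:
    """Return findings for a Miscellaneous parameter string."""
    tokens = TOKEN.findall(value)
    findings = []
    # Everything after -java.parameters is handed to the JRE "as is".
    cut = tokens.index("-java.parameters") if "-java.parameters" in tokens else len(tokens)
    bridge, jre = tokens[:cut], tokens[cut + 1:]
    for i, tok in enumerate(bridge):
        if tok == "-prescript":
            findings += check_prescript(bridge[i + 1] if i + 1 < len(bridge) else "")
        elif tok == "-cache.clear":
            findings.append("-cache.clear: system option, should not be set by users")
    for tok in jre:
        name = tok.split("=", 1)[0]
        if name in ("-Dhttp.proxyPassword", "-Dhttps.proxyPassword"):
            # The value is deliberately not echoed into the finding.
            findings.append(f"{name}: proxy password stored in clear text in the parameter")
        elif tok in BRIDGE_OPTS or tok.startswith("-connection."):
            findings.append(f"{tok}: placed after -java.parameters, so it goes to the JRE")
    return findings


# Constructed sample values, modelled on the option syntax shown on this page.
SAMPLE_BAD = ('-prescript "..\\tools\\fetch.exe arg1" -java.parameters '
              '-Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPassword=pass -admin')
SAMPLE_OK = '-admin -prescript "script.bat arg1 arg2" -backup /tmp/mimb-backup'

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK):
        print(lint_miscellaneous(sample) or "no findings")
```
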
Bridge Mapping
Mapping information is not available