Microsoft Azure Power BI Service (Repository) - Import
Bridge Requirements
This bridge requires Internet access to https://repo.maven.apache.org/maven2/ and/or other tool sites to download drivers into <TDC_HOME>/data/download/MIMB/.
Bridge Specifications
Vendor | Microsoft |
Tool Name | Azure Power BI |
Tool Version | 2.x |
Tool Web Site | https://powerbi.microsoft.com/ |
Supported Methodology | [Business Intelligence] Multi-Model, Metadata Repository, Data Store (Physical Data Model, OLAP Dimensional Model, Stored Procedure Expression Parsing), BI Report (Relational Source, Dimensional Source, Expression Parsing, Report Structure) via Java REST API |
Data Profiling | |
Incremental Harvesting | |
Multi-Model Harvesting | |
Remote Repository Browsing for Model Selection |
SPECIFICATIONS
Tool: Microsoft / Azure Power BI version 2.x via Java REST API
See https://powerbi.microsoft.com/
Metadata: [Business Intelligence] Multi-Model, Metadata Repository, Data Store (Physical Data Model, OLAP Dimensional Model, Stored Procedure Expression Parsing), BI Report (Relational Source, Dimensional Source, Expression Parsing, Report Structure)
Component: MicrosoftAzurePowerBI version 11.2.0
DISCLAIMER
This import bridge requires internet access to download third-party libraries:
- such as https://repo.maven.apache.org/maven2/ to download open source third-party libraries,
- and more sites for other third-party software such as database specific JDBC drivers.
The downloaded third-party libraries are stored into $HOME/data/download/MIMB/
- If HTTPS fails, the import bridge then tries with HTTP.
- If a proxy is used to access internet, you must configure that proxy in the JRE (see the -j option in the Miscellaneous parameter).
- If the import bridge does not have full access to internet, that $HOME/data/download/MIMB/ directory can be copied from another server with internet access where the command $HOME/bin/MIMB.sh (or .bat) -d can be used to download all third-party libraries used by all bridges at once.
By running this import bridge, you hereby acknowledge responsibility for the license terms and any potential security vulnerabilities from these downloaded third-party software libraries.
OVERVIEW
This import bridge imports Business Intelligence (BI) reporting metadata from Microsoft Power BI service hosted on the Microsoft Azure cloud using the Power BI REST APIs (the Admin APIs by default).
This import bridge allows cataloging object types:
- Workspaces (Groups)
- Dashboards
- Power BI reports
- Paginated reports
- DataSets (Semantic Models)
- DataFlows
- DataSources
REQUIREMENTS
- Authentication Requirements:
When connecting to the Power BI service hosted in Microsoft Azure cloud, the import bridge uses Azure Active Directory authentication.
This bridge relies on the Microsoft Authentication Library (MSAL) in order to authenticate against Azure Active Directory.
The following configuration steps are required for registering an application in the Azure global cloud.
- Connect to the Azure management console: https://portal.azure.com/
- Create or open the Azure Active Directory which corresponds to your organization.
- On the App registrations page, create an application registration named 'MIMB' of type 'Native Client', and write down its Client ID (Application ID).
- Make sure to add permission to the Power BI Service application, and grant necessary permissions.
For example, you may grant 'Power BI Service' permissions:
Dashboard.Read.All, Dataflow.Read.All, Dataset.Read.All, Gateway.Read.All, Report.Read.All, Tenant.Read.All, Workspace.Read.All
If you want to register the application in an Azure national sovereign cloud, you should follow similar steps using a different URL for the Azure management console, matching your government cloud environment.
For details please refer to: https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud
Please use the 'Azure environment' parameter to specify your government cloud environment.
The import bridge will use the Client ID (Application ID) information to connect to Azure, and obtain the authentication token.
For more details:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications
Alternatively, it is possible to register the application with Azure Active Directory using this page:
https://dev.powerbi.com/apps
Note that it may be necessary to grant consent for the specified permissions using the Azure management console.
You may also use the Office 365 Admin Center to configure users - via the Azure Active Directory management console (bottom left of the screen), and the Power BI subscription (license):
https://admin.microsoft.com/
This provides fine-grained configuration of users, groups and also application registration.
There are two ways to authenticate against Azure Active Directory:
- As a regular user: the login user is usually in the form of an email address. E.g.
UserName@DirectoryName.onmicrosoft.com
- As a Service Principal: the user name parameter should be left empty, and the Tenant ID must be provided.
The import bridge requires the Microsoft enhanced metadata scanning APIs, to allow retrieving DataSets table structure and PowerQuery mashup expressions.
They are only available as part of the Admin APIs, and require configuration steps described below.
For authenticating as Service Principal, you may configure additional permissions on this page:
https://app.powerbi.com/admin-portal/tenantSettings
- Developer settings / Allow service principals to use Power BI APIs
- Admin API settings / Allow service principals to use read-only Power BI admin APIs
- Admin API settings / Enhance admin APIs responses with detailed metadata (for Dataset Tables and Columns)
- Admin API settings / Enhance admin APIs responses with DAX and mashup expressions (for Dataset lineage metadata)
In addition, to enable downloading reports, you may configure:
- Export and sharing settings / Download reports
- API Requirements:
This import bridge uses the Power BI Admin APIs by default.
To use the Admin APIs:
- When using Delegated permissions (login as a signed-in user), the user needs to have the Power BI Admin role.
- When using Service Principal authentication, remove the Power BI roles given to the app (Tenant.ReadWrite.All, Tenant.Read.All) via the Azure Active Directory console.
- In Azure Active Directory, create a security group and add the Service Principal account to it.
- Enable access to your workspace(s) for the Service Principal and/or security group:
Log into your account on the Powerbi.com service and select the workspace
Navigate to Manage Access / Add people or groups
Select the user or group (or Service Principal account)
Configure it as Admin
- For downloading reports, the user or group must be assigned to the workspace(s) as Contributor or Admin
For more details, please refer to:
https://docs.microsoft.com/en-us/power-bi/admin/service-admin-metadata-scanning
https://docs.microsoft.com/en-us/power-bi/admin/service-admin-metadata-scanning-setup
https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication
https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal#service-principal-vs-master-account
This import bridge can alternatively use the regular APIs (instead of the Admin APIs). To do so, you need to:
- configure the miscellaneous parameter: -api.user
Note that detailed lineage metadata is not extracted in such case.
FREQUENTLY ASKED QUESTIONS
- If you experience the error message below, you may need the administrator to grant consent.
AADSTS65001: The user or administrator has not consented to use the application with ID '{client-id}' named 'MIMB'. Send an interactive authorization request for this user and resource.
Ask the administrator to grant consent using a URL like: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
For more details: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
LIMITATIONS
Refer to the current general known limitations at https://metaintegration.com/Products/MIMB/Help/#!Documents/mimbknownlimitations.html
- Admin APIs Limitations:
- DataSet metadata extracted via the Admin APIs are substantial (e.g. Datasets table structure and PowerQuery mashup expressions are extracted) but not as complete as the Tabular Object Model (TOM) fully extracted from the PBIT import bridge.
- Report metadata extracted via the Admin APIs are very limited compared to what can be extracted from the PBIT import bridge.
- Other Admin APIs limitations are documented here: https://docs.microsoft.com/en-us/power-bi/admin/service-admin-metadata-scanning
- For detailed report metadata, the bridge relies on the ability to download reports.
The report download limitations are documented here: https://learn.microsoft.com/en-us/power-bi/create-reports/service-export-to-pbix#limitations
- Standard APIs Limitations:
- lineage metadata is only available at the model level or connection level, not at the table or column level.
- Power BI supports 6 types of datasets: 'Push', 'Streaming', 'PushStreaming', 'AzureAS', 'AsOnPrem' and dataset from uploaded PBIX files.
- The structure of datasets (in terms of tables and columns) is exposed only for 'Push' and 'PushStreaming' dataset types, due to API limitations.
- PowerQuery M Language Parsing Limitations:
The bridge relies on a PowerQuery M language parser to understand the lineage of each Table Query.
Some concepts in the PowerQuery language may not be well supported:
- some functions (data access functions, data manipulation functions)
- complex queries that rely on sub-queries, parameters, or custom/lambda functions
- queries that rely on other scripting languages (Kusto, Python, R)
SUPPORT
Provide a troubleshooting package with:
- the debug log (can be set in the UI or in conf/conf.properties with MIR_LOG_LEVEL=6)
- the metadata backup if available (can be set in the Miscellaneous parameter with -backup option, although this common option is not implemented on all bridges for technical reasons).
Bridge Parameters
Parameter Name | Description | Type | Values | Default | Scope | ||
Azure environment | This parameter allows selecting the Azure cloud environment to connect to. Most users may use the public 'GlobalCloud'.
Users who want to connect to a National (sovereign) cloud may specify other values such as:
- ChinaCloud (Microsoft Azure China operated by 21Vianet)
- GermanyCloud (Microsoft Azure Deutschland)
- USGovCloud (US Government Community Cloud (GCC))
- USGovDoDL4Cloud (US Government Community Cloud High (GCC High))
- USGovDoDL5Cloud (US Government (DoD Impact Level 5))
- USSecCloud (US Government Secret (DoD Impact Level 6))
- USNatCloud |
REPOSITORY_MODEL | GlobalCloud | ||||
Login User | The username which the import bridge will use to log in. This user name must have the necessary permissions to access the objects you wish to import.
In case of Microsoft Azure Power BI, there are two ways to authenticate against Azure Active Directory:
- As a regular user: the login user is usually in the form of an email address. E.g. UserName@DirectoryName.onmicrosoft.com
- As a Service Principal: the user name parameter should be left empty, and the Tenant ID must be provided. |
STRING | |||||
Login password | Enter the password associated with the username which the import bridge will use to log in.
In case of Microsoft Azure Power BI, there are two ways to authenticate against Azure Active Directory:
- As a regular user: the login user is usually in the form of an email address. E.g. UserName@DirectoryName.onmicrosoft.com
- As a Service Principal: the password parameter corresponds to the Client Secret. |
PASSWORD | |||||
Client ID | Enter the Microsoft Azure Client ID for the application. | STRING | |||||
Tenant ID | Enter the Microsoft Azure Active Directory Tenant ID.
In case of Microsoft Azure Power BI, there are two ways to authenticate against Azure Active Directory:
- As a regular user: the login user is usually in the form of an email address. E.g. UserName@DirectoryName.onmicrosoft.com
- As a Service Principal: the user name parameter should be left empty, and the Tenant ID must be provided. |
STRING | |||||
Personal Workspaces | Specify whether to include or exclude personal workspaces.
- True: personal workspaces are included
- False: personal workspaces are excluded |
BOOLEAN | | True | |||
Workspace filter | Specify which workspaces to include using a filter. This parameter is used when browsing the list of available workspaces, to list a subset of workspaces, rather than a full list.
After specifying the filter, please use the 'Workspaces' parameter to browse the matching workspaces, and further refine your selection.
Examples:
name eq 'Sales' or name eq 'Marketing'
contains(name,'Sales') or contains(name,'Marketing')
startswith(name,'Sales') or endswith(name,'Sales')
type eq 'Group' or type eq 'Workspace'
type ne 'Personal' and type ne 'PersonalGroup'
state eq 'Active'
state ne 'Deleted' and state ne 'Removing'
isOnDedicatedCapacity eq true |
STRING | |||||
Workspaces | This parameter allows browsing available workspaces and selecting a subset to import, rather than all possible workspaces of the Azure Power BI tenant. It may be useful in case the tenant has numerous workspaces, if only some workspaces are of interest.
If your Power BI tenant environment contains a very large number of workspaces, browsing the full list of workspaces may be impractical. In such case, you can use the 'Workspace filter' parameter to specify a filtering criteria, to avoid retrieving a full list, and make the selection more manageable.
You can specify here a semicolon separated list of workspaces.
You can specify the default empty value, to import all available workspaces.
Power BI identifies workspaces by their guid unique identifier, for example:
a3713590-d5aa-488d-82cc-e8cc52c085d7
When logging in as a regular user:
- the current user's workspace can be identified as: me
- Power BI restricts the list of workspaces to what the current logged in user has access to.
When logging in as service principal (using Admin APIs):
- all workspaces (including personal workspaces) are identified by guid unique identifier. |
REPOSITORY_SUBSET | |||||
Miscellaneous | INTRODUCTION
Specify miscellaneous options starting with a dash and optionally followed by parameters, e.g.
-connection.cast MyDatabase1="MICROSOFT SQL SERVER"
Some options can be used multiple times if applicable, e.g.
-connection.rename NewConnection1=OldConnection1 -connection.rename NewConnection2=OldConnection2;
As the list of options can become a long string, it is possible to load it from a file which must be located in ${MODEL_BRIDGE_HOME}\data\MIMB\parameters and have the extension .txt. In such case, all options must be defined within that file as the only value of this parameter, e.g.
ETL/Miscellaneous.txt
JAVA ENVIRONMENT OPTIONS
-java.memory <Java Memory's maximum size> (previously -m)
1G by default on 64bits JRE or as set in conf/conf.properties, e.g.
-java.memory 8G
-java.memory 8000M
-java.parameters <Java Runtime Environment command line options> (previously -j)
This option must be the last one in the Miscellaneous parameter as all the text after -java.parameters is passed "as is" to the JRE, e.g.
-java.parameters -Dname=value -Xms1G
The following option must be set when a proxy is used to access internet (this is critical to access https://repo.maven.apache.org/maven2/ and exceptionally a few other tool sites) in order to download the necessary third-party software libraries.
Note: The majority of proxies are concerned with encrypting (HTTPS) the outside (of the company) traffic and trust the inside traffic that can access proxy over HTTP. In this case, an HTTPS request reaches the proxy over HTTP where the proxy HTTPS-encrypts it.
-java.parameters -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=3128 -Dhttp.proxyUser=user -Dhttp.proxyPassword=pass
MODEL IMPORT OPTIONS
-model.name <model name>
Override the model name, e.g.
-model.name "My Model Name"
-prescript <script name>
This option allows running a script before the bridge execution. The script must be located in the bin directory (or as specified with M_SCRIPT_PATH in conf/conf.properties), and have .bat or .sh extension. The script path must not include any parent directory symbol (..). The script should return exit code 0 to indicate success, or another value to indicate failure. For example:
-prescript "script.bat arg1 arg2"
-postscript <script name>
This option allows running a script after successful execution of the bridge. The script must be located in the bin directory (or as specified with M_SCRIPT_PATH in conf/conf.properties), and have .bat or .sh extension. The script path must not include any parent directory symbol (..). The script should return exit code 0 to indicate success, or another value to indicate failure. For example:
-postscript "script.bat arg1 arg2"
-cache.clear
Clears the cache before the import, and therefore will run a full import without incremental harvesting.
If the model was not changed and the -cache.clear parameter is not used (incremental harvesting), then a new version will not be created.
If the model was not changed and the -cache.clear parameter is set (full source import instead of incremental), then a new version will be created.
-backup <directory>
Allows saving the input metadata for further troubleshooting. The provided <directory> must be empty.
-restore <directory>
Specify the backup <directory> to be restored.
DATA CONNECTION OPTIONS
Data Connections are produced by the import bridges typically from ETL/DI and BI tools to refer to the source and target data stores they use. These data connections are then used by metadata management tools to connect them (metadata stitching) to their actual data stores (e.g. databases, file system, etc.) in order to produce the full end to end data flow lineage and impact analysis. The name of each data connection is unique by import model. The data connection names used within DI/BI design tools are used when possible, otherwise connection names are generated to be short but meaningful such as the database / schema name, the file system path, or Uniform Resource Identifier (URI).
The following options allow manipulating connections. These options replace the legacy options -c, -cd, and -cs.
-connection.cast ConnectionName=ConnectionType
Casts a generic database connection (e.g. ODBC/JDBC) to a precise database type (e.g. ORACLE) for SQL Parsing, e.g.
-connection.cast "My Database"="MICROSOFT SQL SERVER"
The list of supported data store connection types includes:
ACCESS
APACHE CASSANDRA
DB2/UDB
DENODO
GOOGLE BIGQUERY
HIVE
MYSQL
NETEZZA
ORACLE
POSTGRESQL
PRESTO
REDSHIFT
SALESFORCE
SAP HANA
SNOWFLAKE
MICROSOFT SQL AZURE
MICROSOFT SQL SERVER
SYBASE SQL SERVER
SYBASE AS ENTERPRISE
TERADATA
VECTORWISE
HP VERTICA
-connection.rename OldConnection=NewConnection
Renames an existing connection to a new name, e.g.
-connection.rename OldConnectionName=NewConnectionName
Multiple existing database connections can be renamed and merged into one new database connection, e.g.
-connection.rename MySchema1=MyDatabase -connection.rename MySchema2=MyDatabase
-connection.split oldConnection.Schema1=newConnection
Splits a database connection into one or multiple database connections.
A single database connection can be split into one connection per schema, e.g.
-connection.split MyDatabase
All database connections can be split into one connection per schema, e.g.
-connection.split *
A database connection can be explicitly split creating a new database connection by appending a schema name to a database, e.g.
-connection.split MyDatabase.schema1=MySchema1
-connection.map SourcePath=DestinationPath
Maps a source path to a destination path. This is useful for file system connections when different paths point to the same object (directory or file).
On Hadoop, a process can write into a CSV file specified with the HDFS full path, but another process reads from a Hive table implemented (external) by the same file specified using a relative path with default file name and extension, e.g.
-connection.map /user1/folder=hdfs://host:8020/users/user1/folder/file.csv
On Linux, a given directory (or file) like /data can be referred to by multiple symbolic links like /users/john and /users/paul, e.g.
-connection.map /data=/users/john -connection.map /data=/users/paul
On Windows, a given directory like C:\data can be referred to by multiple network drives like M: and N:, e.g.
-connection.map C:\data=M:\ -connection.map C:\data=N:\
-connection.casesensitive ConnectionName...
Overrides the default case insensitive matching rules for the object identifiers inside the specified connection, provided the detected type of the data store by itself supports this configuration (e.g. Microsoft SQL Server, MySql etc.), e.g.
-connection.casesensitive "My Database"
-connection.caseinsensitive ConnectionName...
Overrides the default case sensitive matching rules for the object identifiers inside the specified connection, provided the detected type of the data store by itself supports this configuration (e.g. Microsoft SQL Server, MySql etc.), e.g.
-connection.caseinsensitive "My Database"
-connection.level AggregationLevel
Specifies the aggregation level for the external connections, e.g.
-connection.level catalog
The list of the supported values:
server
catalog
schema (default)
MICROSOFT POWER BI OPTIONS
-columns.notpropagated
Do not propagate the columns discovered while parsing PowerQuery M script steps back to the source tables/files.
-api.user
Allow using Power BI Azure service regular (user mode) APIs, as opposed to Admin APIs. Note that detailed lineage metadata is not extracted in such case.
-summarizePowerQuerySteps
Allow summarizing PowerQuery data transformation steps, for direct source to target lineage relationships.
-scanResult <file path>
Allow specifying a file path to import metadata from, instead of retrieving metadata using REST APIs. This file is expected to be in JSON format, according to the Power BI GetScanResult Admin REST API specification. |
STRING |
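A saved scan result can be checked for the table structure and expressions that the "Enhance admin APIs responses" tenant settings are meant to provide, before the file is handed to -scanResult. The script below is an added example, not code from the bridge or its vendor; the field names (workspaces, datasets, tables, columns, source, measures, expressions, expression) are assumed from Microsoft's documented GetScanResult response, and the sample data is constructed.

```python
import json
import sys

# Constructed sample shaped like a GetScanResult response; not real tenant data.
SAMPLE = {
    "workspaces": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "name": "Sales",
            "type": "Workspace",
            "datasets": [
                {
                    "name": "Orders",
                    "tables": [{
                        "name": "FactOrders",
                        "columns": [{"name": "OrderId", "dataType": "Int64"}],
                        "source": [{"expression": 'let Source = Sql.Database("srv", "db") in Source'}],
                    }],
                },
                {
                    "name": "Targets",
                    "tables": [{
                        "name": "Targets",
                        "columns": [{"name": "Region", "dataType": "String"}],
                    }],
                },
            ],
        },
        {
            "id": "00000000-0000-0000-0000-000000000002",
            "name": "Scratch space",
            "type": "PersonalGroup",
            "datasets": [{"name": "Scratch"}],
        },
    ]
}


def dataset_status(dataset):
    """Classify one dataset by how much enhanced metadata the scan returned."""
    tables = dataset.get("tables") or []
    columns = sum(len(t.get("columns") or []) for t in tables)
    if not tables or columns == 0:
        return "no-schema"  # no table/column structure: check the detailed metadata setting
    expressions = sum(
        1
        for t in tables
        for item in (t.get("source") or []) + (t.get("measures") or [])
        if item.get("expression")
    )
    expressions += sum(1 for e in (dataset.get("expressions") or []) if e.get("expression"))
    # Structure without any M or DAX text: check the DAX and mashup expressions setting.
    return "ok" if expressions else "no-expressions"


def audit_scan_result(doc):
    """Return (workspace, dataset, status) for every dataset in the scan result."""
    return [
        (ws.get("name", ws.get("id")), ds.get("name", ds.get("id")), dataset_status(ds))
        for ws in doc.get("workspaces") or []
        for ds in ws.get("datasets") or []
    ]


if __name__ == "__main__":
    # Pass a saved scan result file, or run without arguments to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for workspace, dataset, status in audit_scan_result(doc):
        print(f"{status:15} {workspace} / {dataset}")
```

A status other than "ok" for a single dataset may simply reflect that dataset's type; the same status across every dataset is the case worth comparing against the tenant settings.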
Bridge Mapping
Mapping information is not available