Power BI workspace access bootstrap
This guide walks through adding the main Euno Power BI application (the service principal you configure in Euno as Client ID / Client secret) as a workspace Admin across many workspaces, without using the Power BI UI for each workspace.
It complements Step 4 in the main Power BI setup.
Prerequisites (tenant)
Complete the main Power BI guide through Step 3 (tenant settings, security groups, admin API toggles). In particular, for the bootstrap flow you need a Fabric / Power BI admin who can complete device-code sign-in.
Step A — Create the bootstrap app registration
In Microsoft Entra admin center → App registrations → New registration.
Name: e.g. Euno Power BI workspace bootstrap.
Supported account types: Accounts in this organizational directory only.
Redirect URI: leave empty (device code flow).
Register and note the Application (client) ID and Directory (tenant) ID.
API permissions (bootstrap app)
API permissions → Add a permission → Power BI Service → Delegated permissions.
Add Tenant.ReadWrite.All.
Grant admin consent for the tenant (an administrator must consent for all users).
Do not add the Power BI Application permission Tenant.ReadWrite.All to this app: delegated is enough for this script, and leaving it off avoids the service-principal admin API conflicts you can hit on the main app.
Public client (device code)
Authentication → Advanced settings → Allow public client flows = Yes.
Save.
Step B — Find the main Euno app’s service principal object ID
Entra → Enterprise applications → search for your main Euno app by name or Application ID.
Open it and copy Object ID (a UUID).
You will pass this to the script as --principal-object-id.
Step C — Run the script
Download the script here.
The grant-euno-workspace-access.sh wrapper runs Python with -u (unbuffered I/O) so the device user code appears immediately when stdout is not a terminal (CI, log capture, etc.).
Pass exactly one workspace selection flag (see table below), plus optional --skip, --limit, --dry-run, --role, --poll-interval, or --access-token-file.
Use exactly one workspace selection mode:
Explicit UUIDs: --workspace-ids 'uuid1,uuid2,...'
Name substring: --name-contains 'Finance'
Name regex (Python): --name-regex '^prod-.+'
All workspaces (inventory): --all
--skip N: after filtering, skip the first N workspaces, then apply --limit (stable order follows the Admin API listing).
--limit N: after filtering and --skip, process at most N workspaces.
--dry-run: print targets only; no POST. If you use only --workspace-ids, no sign-in is required. For --name-* / --all, dry-run needs a token: pass --access-token-file whose first line is a delegated Power BI access token (advanced).
--role: defaults to Admin (matches the main guide’s Step 4). Other values follow GroupUser documentation.
What the script does
Starts OAuth 2.0 device code against your tenant for the bootstrap app, with scope Tenant.ReadWrite.All on Power BI (plus offline_access for refresh token issuance if Microsoft returns one).
Prints a user code and opens a browser to https://login.microsoft.com/device (override with env DEVICE_VERIFY_URL if needed). Complete sign-in as a Fabric admin.
Polls the token endpoint every 5 seconds (override with --poll-interval or env POLL_INTERVAL) until tokens are issued.
Unless you only passed --workspace-ids, calls GET /admin/groups (paginated) and filters to type == "Workspace".
For each target workspace, calls POST /admin/groups/{workspaceId}/users with principalType: App and identifier = your main app’s service principal object ID.
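As an added illustration (not Euno's script, which is not reproduced on this page), the listing, selection and grant steps above in Python, with the HTTP calls injected as callables so the logic runs offline. The Admin API paths and the GroupUser body fields are the documented ones; the sample workspaces, the fake HTTP responses and the principal object ID are constructed placeholders.

```python
import re

ADMIN = "https://api.powerbi.com/v1.0/myorg/admin"  # Power BI Admin API base

def list_workspaces(get_json, page_size=5000):
    """Walk GET /admin/groups with $top/$skip paging; keep only type == "Workspace"."""
    found, skip = [], 0
    while True:
        page = get_json(f"{ADMIN}/groups?$top={page_size}&$skip={skip}").get("value", [])
        found.extend(g for g in page if g.get("type") == "Workspace")
        if len(page) < page_size:
            return found
        skip += page_size

def select_targets(mode, value, workspaces=None, skip=0, limit=None):
    """One selection mode, then --skip and --limit in listing order; --workspace-ids needs no listing."""
    if mode == "workspace-ids":
        hits = [{"id": w.strip(), "name": None} for w in value.split(",") if w.strip()]
    elif mode == "name-contains":
        hits = [w for w in workspaces if value in w["name"]]
    elif mode == "name-regex":
        hits = [w for w in workspaces if re.search(value, w["name"])]
    elif mode == "all":
        hits = list(workspaces)
    else:
        raise ValueError(f"unknown selection mode: {mode}")
    hits = hits[skip:]
    return hits if limit is None else hits[:limit]

def grant_access(post_json, targets, principal_object_id, role="Admin", dry_run=False):
    """POST /admin/groups/{id}/users as principalType App; a non-2xx is recorded as 'already added', not raised."""
    body = {"identifier": principal_object_id, "principalType": "App", "groupUserAccessRight": role}
    outcome = {}
    for w in targets:
        if dry_run:
            outcome[w["id"]] = "dry-run"
            continue
        status = post_json(f"{ADMIN}/groups/{w['id']}/users", body)
        outcome[w["id"]] = "added" if 200 <= status < 300 else f"skipped (HTTP {status}); verify in UI"
    return outcome

# Constructed sample data standing in for the Admin API so the flow runs offline.
SAMPLE_GROUPS = {"value": [
    {"id": "11111111-0000-0000-0000-000000000001", "name": "Finance - prod", "type": "Workspace"},
    {"id": "11111111-0000-0000-0000-000000000002", "name": "Finance - test", "type": "Workspace"},
    {"id": "11111111-0000-0000-0000-000000000003", "name": "My workspace", "type": "PersonalGroup"},
]}
ALREADY_ADDED = {"11111111-0000-0000-0000-000000000002"}  # constructed: pretend this one has the app
def fake_get_json(url): return SAMPLE_GROUPS  # one short page ends pagination
def fake_post_json(url, body): return 400 if url.split("/")[-2] in ALREADY_ADDED else 200
```

Running grant_access(fake_post_json, list_workspaces(fake_get_json), "PLACEHOLDER-SP-OBJECT-ID") records one "added" and one "skipped (HTTP 400)" result, mirroring the re-run behaviour described under Security and operations.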
Example: two workspaces by ID (dry run, no sign-in)
Example: first 10 workspaces whose names contain “test”
Example: all workspaces (use with care)
Security and operations
The bootstrap app is powerful in combination with a Fabric admin user. Restrict who can run the script; rotate bootstrap app settings if credentials leak. Consider removing the app after the bootstrap is successful.
Refresh tokens returned by the device-code flow are sensitive; this script does not print them. Run from a secure workstation.
Re-running the script for a workspace that already has the app may return a non-2xx response from Microsoft; treat as idempotent “already added” and verify in the Power BI UI if unsure.
Q&A
Why is automation awkward? (Two different Microsoft models)
What you want: Call the Power BI Admin API Groups - Add User As Admin so a Fabric / Power BI administrator can add your Euno app to each workspace in one pass.
What Microsoft requires: The same API documentation states:
The caller must be a Fabric administrator (directory role on the identity making the call).
The token must include scope Tenant.ReadWrite.All for the Power BI resource.
At the same time, Microsoft’s guidance for service principals using read-only Power BI admin APIs says the app must not have certain Power BI Application permissions configured, or service-principal admin calls can fail in practice. See Enable service principal authentication for admin APIs.
Net effect for many customers:
The Euno integration app (client credentials, no interactive user) should stay clean: no Power BI Application permission like Tenant.ReadWrite.All, so it can keep using read-only admin APIs and tenant settings as documented in the main guide.
AddUserAsAdmin is reliably exercised with a delegated (user) token from a Fabric admin account, obtained through a small separate “bootstrap” app that is not the integration.
That is why this page describes a second Entra application used only for this bootstrap script.