Power BI Lineage Scanner

Scanned and supported objects

Supported Power BI source technologies

Snowflake
Databricks
MSSQL
Oracle
PostgreSQL
CSV files
XLS files
Web files
JSON files

Scanned resources

The extracted metadata includes the following objects:

Workspaces
Reports
Dashboards
Datasets
Dataflows (Gen1)
Columns
Measures

Limitations

Power BI REST APIs do not support downloading .pbix files from Premium capacity workspaces due to architectural and security restrictions. As a result, lineage is not available for such files.
Lineage information is available on column level for most objects, however there might be exceptions to this.
Power BI enables 500 requests per hour. See the official Microsoft documentation.
To obtain attribute-level lineage from Reports, certain conditions need to be met. For details, see Download a report from the Power BI service to Power BI Desktop.
Lineage cannot be extracted for the following objects:
- Paginated reports
- Power BI apps
In Power Query, nested LET statements are not supported. This list might not be exhaustive.

Supported connectivity

Connector type: REST API.
Authentication method: OAuth 2.0 Client Credentials Flow (Service Principal).

Power BI permissions

REST API permissions to access Admin - WorkspaceInfo GetScanResult

The user account used for lineage scanning must have administrator rights (such as Microsoft 365 Global Administrator or Power BI Service Administrator), or authenticate using a service principal.

When running under service principal authentication, the service principal app must not have any admin-consent required permissions for Power BI set in the Azure portal.

For more details, see the Microsoft documentation.

Access to Power BI workspaces

The user account needs to have access rights to a given workspace in Power BI.

To manage access for the Power BI workspace, locate the workspace you want to scan in Power BI.
Select Manage access and setup admin rights for the Azure Power BI scan entity.

Enable tenant settings for metadata scanning

The following tenant settings that control metadata scanning need to be configured. To do this, go to Admin portal > Tenant settings > Admin API settings.

Enhance admin APIs responses with detailed metadata: Turns on model caching and enhances API responses with low-level semantic model metadata (for example, name and description) for tables, columns, and measures.
Enhance admin APIs responses with DAX and mashup expressions: Allows the API response to include DAX expressions and Mashup queries. The setting can only be used if the first setting is also configured.

Scanner configuration

All fields marked with an asterisk (*) are mandatory.

Property Description

Property	Description
`name*`	Unique name for the scanner job.
`sourceType*`	Specifies the source type to be scanned. Must contain `POWER_BI`.
`description*`	A human-readable description of the scan.
`oneConnections`	List of Ataccama ONE connection names for future automatic pairing.
`powerQueryParserPath*`	Path to the PowerQueryParser execution file.
`apiUrl*`	URL of the Power BI REST API endpoint.
`tokenUrl*`	REST endpoint for Microsoft OAauth 2.0. The URL should contain the tenant ID of your organization. See Tenant ID in Azure
`clientID*`	Microsoft 0Auth 2.0 credentials client ID. See Client ID in Azure.
`clientSecret*`	Microsoft OAuth 2.0 credentials client secret.
`workspaces_disabled`	List of workspace IDs to be excluded from the scan.
`workspaces`	List of workspace IDs to be scanned. If left empty, the scanner scans everything.

name*

Unique name for the scanner job.

sourceType*

Specifies the source type to be scanned. Must contain POWER_BI.

description*

A human-readable description of the scan.

oneConnections

List of Ataccama ONE connection names for future automatic pairing.

powerQueryParserPath*

Path to the PowerQueryParser execution file.

apiUrl*

URL of the Power BI REST API endpoint.

tokenUrl*

REST endpoint for Microsoft OAauth 2.0. The URL should contain the tenant ID of your organization.

See Tenant ID in Azure

clientID*

Microsoft 0Auth 2.0 credentials client ID.

See Client ID in Azure.

clientSecret*

Microsoft OAuth 2.0 credentials client secret.

workspaces_disabled

List of workspace IDs to be excluded from the scan.

workspaces

List of workspace IDs to be scanned. If left empty, the scanner scans everything.

Power BI scanner example configuration

{
   "scannerConfigs": [
      {
         "name": "Power BIJob1",
         "sourceType": "POWER_BI",
         "description": "Scan Power BI platform",
         "oneConnections": [],
         "inputDataCatalogFilePath": null,
         "powerQueryParserPath": "@@ref:env:[POWERQUERY_PARSER]",
         "tokenUrl": "https://login.microsoftonline.com/[tenantID]/oauth2/v2.0/token",
         "apiUrl": "https://api.powerbi.com/v1.0/myorg",
         "clientId": "your-client-id",
         "clientSecret": "@@ref:ata:[POWER_BI_CLIENT_SECRET]",
         "workspaces": [
             "workspace-id1-to-include",
             "workspace-id2-to-include"
         ]
      }
   ]
}

Tenant ID in Azure

To find your organization tenant ID, in your Azure portal (portal.azure.com), go to Azure Active Directory > Properties.

Client ID in Azure

The Microsoft Entra app establishes permissions for Power BI REST resources, and allows access to the Power BI REST APIs.

Troubleshooting

PowerQuery parser can’t run on macOS

Problem

When trying to run the PowerQuery parser on macOS, it cannot be opened because it cannot be checked for malicious software.

Solution

This is a common issue with applications downloaded from the internet which are not recognized by Apple security protocols.

To allow the PowerQuery parser to run, you can remove the quarantine attribute using the following command:

xattr -d com.apple.quarantine parser-macos

Was this page useful?