Skip to content

docs: Microsoft Power BI OAuth provider#1055

Merged
jottakka merged 3 commits into
mainfrom
docs/microsoft-powerbi-auth-provider
Jul 10, 2026
Merged

docs: Microsoft Power BI OAuth provider#1055
jottakka merged 3 commits into
mainfrom
docs/microsoft-powerbi-auth-provider

Conversation

@jottakka

@jottakka jottakka commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds the public docs page for the new Microsoft Power BI OAuth provider (well-known provider id microsoft-powerbi), following the existing Microsoft provider doc as the template.

The Power BI provider is a dedicated Microsoft provider: it reuses Microsoft Entra endpoints but authorizes on a separate connection so Power BI Service resource scopes never mix with Microsoft Graph scopes. Mixing them in one authorize request trips Entra AADSTS70011.

What's in the page

  • What it is — dedicated Power BI Service (https://analysis.windows.net/powerbi/api) OAuth provider and the AADSTS70011 isolation rationale.
  • Create a Microsoft Entra app — registration + the Arcade-generated redirect URI.
  • Power BI Service scopes — grant Power BI Service delegated permissions ONLY (Dataset.Read.All, Dataset.ReadWrite.All, Report.Read.All, Workspace.Read.All, plus openid/profile/offline_access) and NOT any Microsoft Graph or Fabric permission, with a prominent warning.
  • Configure the provider in the Arcade dashboard — type = Microsoft Power BI, leave the Scopes field empty, client id + secret only.
  • Using it from tools — app-code (provider="microsoft-powerbi") in Python/JS, and a custom-tool example that subclasses Microsoft overriding provider_id.

Specifics were sourced from the toolkit README's "Auth setup" section and adapted to the docs style.

Files

  • app/en/references/auth-providers/microsoft-powerbi/page.mdx (new)
  • app/en/references/auth-providers/page.mdx — added a Microsoft Power BI card to the provider catalog, after the Microsoft card

The sidebar entry resolves automatically: the frontmatter title sets the label and the folder sorts alphabetically right after microsoft (the same pattern the cisco-duo provider uses), so no _meta.tsx change was needed.

Verification

  • pnpm check-meta — ✅ all _meta.tsx keys valid (48 files).
  • Compiled both MDX files through @mdx-js/mdx with remark-frontmatter + remark-gfm — ✅ both parse.
  • Verified all internal links/anchors resolve (/references/auth-providers/microsoft, #using-multiple-providers-of-the-same-type, #build-a-custom-user-verifier, /get-started/about-arcade, /guides/create-tools/tool-basics/build-mcp-server).

Ref: TOO-1390

🤖 Generated with Claude Code


Note

Low Risk
Documentation-only changes with no runtime, auth, or application code impact.

Overview
Adds public documentation for the dedicated microsoft-powerbi OAuth provider so customers can configure Entra apps, Arcade dashboard providers, and app/tool auth without mixing Power BI Service scopes with Microsoft Graph.

The new reference page covers Entra app registration (Power BI Service delegated permissions only, empty provider Scopes field), dashboard setup, Python/JS client.auth.start examples, and a custom-tool pattern that subclasses Microsoft with provider_id = "microsoft-powerbi". It also documents AADSTS70011 isolation and troubleshooting.

The auth provider catalog gains a Microsoft Power BI card after Microsoft, and public/llms.txt is regenerated to index the new page.

Reviewed by Cursor Bugbot for commit 80f55b3. Bugbot is set up for automated code reviews on this repo. Configure here.

Document the dedicated Microsoft Power BI auth provider
(well-known id `microsoft-powerbi`): a Power BI Service OAuth
provider that reuses Microsoft Entra endpoints on a separate
connection so Power BI resource scopes never mix with Microsoft
Graph scopes (the mix trips Entra AADSTS70011).

Mirrors the Microsoft provider page structure and covers: Entra
app registration, the Arcade-generated redirect URI, granting
Power BI Service delegated permissions only (Dataset.Read.All,
Dataset.ReadWrite.All, Report.Read.All, Workspace.Read.All plus
openid/profile/offline_access) and NOT any Graph or Fabric
permission, configuring the provider in the dashboard with an
empty Scopes field and client id + secret only, and using it
from app code and custom tools.

Adds the provider to the auth-providers catalog page. The sidebar
title resolves from the page frontmatter title and sorts
alphabetically next to Microsoft (matching the cisco-duo
precedent), so no _meta.tsx change is needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 10, 2026 7:07pm

Request Review

Keep the setup path simple: the intro, Entra-app steps, and dashboard
steps now state what to do in plain language, while token audiences,
AADSTS70011, resource URIs, and connection-reset troubleshooting move
to a clearly flagged 'Advanced' section at the end of the page.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@jottakka jottakka marked this pull request as ready for review July 10, 2026 20:09
@jottakka jottakka merged commit 45a383f into main Jul 10, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants