Script to add Service Principal to Power BI workspaces
# ================================================================================================================================================= | |
## This script will add the given Service Principal to Power BI workspaces | |
## It will first ask for the (correct) ObjectId of the Service Principal | |
## Then it will ask for the credentials of a Power BI Service Administrator | |
## Note: this script only works with v2 workspaces (you can't add a Service Principal to a v1 workspace) | |
# ================================================================================================================================================= | |
## Parameters | |
# The role to give the Service Principal in the workspaces (admin, member, contributor) | |
$RoleType = 'member' | |
# If the Service Principal is already a member of the workspace, | |
# do you want to force the role to be as state in the $RoleType parameter above? | |
$ForceRole = $True | |
# Add the Service Principal to workspaces that are in Premium capacity? | |
$AddToPremiumCapacityWorkspaces = $true | |
# Add the Service Principal to workspaces that are in shared capacity? | |
$AddToSharedCapacityWorkspaces = $true | |
# ================================================================================================================================================= | |
$ErrorActionPreference = 'Stop' | |
Clear-Host | |
Write-Host " | |
======================================================================== | |
__ ___ __ ___ __ _ | |
/ |/ /___ ___/ /___ ____ ___ / _ \ ___ _ / /_ ___ _ ___ _ (_) | |
/ /|_/ // _ \/ _ // -_)/ __// _ \ / // // _ '// __// _ '/_ / _ '// / | |
/_/ /_/ \___/\_,_/ \__//_/ /_//_//____/ \_,_/ \__/ \_,_/(_)\_,_//_/ | |
___ ___ _ _ __ | |
/ _ \ ___ _ _ __ ___ / _ \ __ __ (_) (_)/ /_ ___ ____ | |
/ // // _ '/| |/ // -_) / , _// // // / / // __// -_)/ __/ | |
/____/ \_,_/ |___/ \__/ /_/|_| \_,_//_/__/ / \__/ \__//_/ | |
|___/ | |
========================================================================" | |
#IMPORTANT: you need the correct ObjectId of the Service Principal | |
$PowerBIServicePrincipalObjectId = Read-Host -Prompt 'Specify ObjectId of Service Principal (find this in the "Enterprise applications" in Azure Active Directory)' | |
if ($PowerBIServicePrincipalObjectId) { | |
# Connect to Power BI (this will prompt for credentials, use an account that has the Power BI admin role!) | |
Connect-PowerBIServiceAccount | |
# Keep track of all the workspaces that we 'touch' | |
$listofworkspaces = [System.Collections.ArrayList]::new() | |
Write-Host "==================================================================================================================================" | |
# Get all workspaces (and filter to only v2 workspaces) | |
$AllV2Workspaces = Get-PowerBIWorkspace -All -Scope Organization -Include All | ` | |
Where-Object {$_.Type -eq "Workspace" -and $_.State -ne "Deleted" -and $_.IsReadOnly -eq $False ` | |
-and ( ` | |
($_.IsOnDedicatedCapacity -eq $True -and $AddToPremiumCapacityWorkspaces -eq $true) ` | |
-or ` | |
($_.IsOnDedicatedCapacity -eq $False -and $AddToSharedCapacityWorkspaces -eq $true) ` | |
) ` | |
} | |
Write-Host "Found a total of $($AllV2Workspaces.Count) workspaces..." | |
# Add the Service Principal to the workspaces | |
$AllV2Workspaces | ForEach-Object { | |
Write-Host "==================================================================================================================================" | |
$WorkspaceName = $_.Name | |
$WorkspaceId = $_.Id | |
Write-Host "Working on workspace: $WorkspaceName." | |
# Track this workspace | |
$listofworkspaces += $WorkspaceName | |
# Check if Service Principal is in the workspace | |
$ServicePrincipalInWorkspace = $_.Users | Where-Object {$_.Identifier -eq $PowerBIServicePrincipalObjectId} | |
if ($ServicePrincipalInWorkspace) | |
{ | |
Write-Host "Service Principal already member of: $WorkspaceName, with role type $($ServicePrincipalInWorkspace.AccessRight)." | |
# Check current role type | |
if ($ServicePrincipalInWorkspace.AccessRight -ne $RoleType) { | |
# If foce is enabled, overrule the current role type | |
if ($ForceRole) { | |
Write-Host "Updating role type (force is inabled)." | |
# Remove Service Principal | |
Write-Host "Remove Service Principal from workspace..." | |
Remove-PowerBIWorkspaceUser -Scope Organization -Id $WorkspaceId -PrincipalType App -Identifier $PowerBIServicePrincipalObjectId | |
# Adding Service Principal | |
Write-Host "Adding Service Principal to: $WorkspaceName, with correct role type..." | |
Add-PowerBIWorkspaceUser -Scope Organization -Id $WorkspaceId -PrincipalType App -Identifier $PowerBIServicePrincipalObjectId -AccessRight $RoleType | |
Write-Host "Done." | |
} | |
else { | |
Write-Warning "Force update is not enabled, not updating this role membership!" | |
} | |
} | |
} | |
else { | |
Write-Host "Adding Service Principal to: $WorkspaceName." | |
Add-PowerBIWorkspaceUser -Scope Organization -Id $WorkspaceId -PrincipalType App -Identifier $PowerBIServicePrincipalObjectId -AccessRight $RoleType | |
Write-Host "Done." | |
} | |
} | |
Write-Host "==================================================================================================================================" | |
# Report the tracked list of workspaces | |
Write-Host "List of workspaces that we checked during the script:" | |
$listofworkspaces | |
} | |
else { | |
Write-Error "No ObjectId provided for the Service Principal!" | |
} | |
Logout-PowerBIServiceAccount | |
Write-Host "`nScript finished." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment