> Software > Protect > SaaS > Power Platform > Power BI > Get Started > Adopt Best Security Configuration

Update Single Tenant Apps with Conditional Access Policy for Power BI

Use these steps to update the security configuration of your single tenant apps to align with current security best practices.

Security Requirements

All app registrations must:

  • Use the Federated Identity Credentials (FIC)–based authentication mechanism.

  • Have appropriate Conditional Access policies configured and enforced.

Before You Begin

Identify the list of Power BI backup apps which are using one or more single-tenant apps.

Procedure

For each of the apps that use single-tenant apps, perform the following steps:

Step 1: Identify Single Tenant Apps

  1. From the Command Center navigation pane, go to Protect > Power Platform.

    The Power BI Overview page appears.

  2. On the Apps tab, click the Power BI app that you want to update.

  3. Go to the configuration page of the backup app.

  4. Identify the existing single tenant apps listed on the configuration page and note down the Azure app ID for each app.

Step 2: Update Permissions in Azure Portal

For each of the single tenant apps, perform the following steps in the Azure portal:

  1. Sign in to the Azure portal.

  2. Navigate to Azure Active Directory > App registrations.

  3. Locate the single tenant app using the Azure app ID you noted earlier.

  4. Click on the app to open its details.

  5. In the left navigation, click API permissions.

  6. Add the following permissions:

    1. Click Add a permission.

    2. Select Microsoft Graph.

    3. Select Application permissions.

    4. Search for and add Policy.Read.All.

    5. Click Add permissions.

    6. Repeat the above steps to add Application.ReadWrite.OwnedBy permission.

  7. Remove the Application.ReadWrite.All permission if it is present:

    1. In the API permissions list, locate Application.ReadWrite.All.

    2. Click the three dots (...) next to the permission.

    3. Click Remove permission.

    4. Confirm the removal.

  8. Grant admin consent for the app:

    1. At the top of the API permissions page, click Grant admin consent for [Your Organization].

    2. Click Yes to confirm.

    3. If you choose to assign this permission to your Azure app, you may need to run this PowerShell command to add the Azure app as owner of itself:

      powershell az ad app owner add --id 062f19f5-9dbf-48fe-adf7-94539bd3fa8e --owner-object-id 55f5965a-48bd-49ee-bcbd-21a55bd18af1

      Where:

      • 062f19f5-9dbf-48fe-adf7-94539bd3fa8e: Replace with the Application (client) ID of your Azure app

      • 55f5965a-48bd-49ee-bcbd-21a55bd18af1: Replace with the Object ID of your Azure app

Step 3: Configure Conditional Access Policy

Configure a Conditional Access Policy (CAP) for your single tenant apps. For detailed instructions, see Create a Conditional Access Policy for Power BI Azure Apps.

What to Do Next

Recommendation

For better security posture, consider migrating to Commvault hosted multi-tenant apps via express configuration instead of single tenant apps. Multi-tenant apps use Federated Identity Credentials (FIC) which do not require app secrets or certificates, providing enhanced security.

After completing these steps, your single tenant apps will meet current security standards. Monitor the configuration page for any additional security notifications.

×

Loading...