Aiyoda

Entra ID App Registration for Microsoft Graph - PowerBI

Step-by-step guide to creating an Entra ID App Registration for Aiyoda's PowerBI discovery capabilities.

v3.5 · Updated 2026
ℹ️ What is this for? To discover PowerBI data in Aiyoda, you need to register an application in Microsoft Entra ID (formerly Azure Active Directory) and grant it Microsoft Graph API PowerBI permissions. This gives Aiyoda read-only access to your M365 tenant data without using a user account or password.

5 steps to complete · ~10 minutes to complete · Read-only permissions required
Prerequisites
✅ What You Need Before Starting
Step-by-Step App Registration
1. Navigate to App Registrations

Open the Azure Portal and go to Microsoft Entra ID

a. Sign in to portal.azure.com with your admin account.
b. In the search bar at the top, type "Microsoft Entra ID" and select it.
c. In the left sidebar, click "App registrations" under the Manage section.
d. Click the "+ New registration" button at the top of the page.

2. Register the Application

Fill in the app details and create the registration

a. Name: Enter a meaningful name, e.g. "Aiyoda-Discovery".
b. Supported account types: Select "Accounts in this organizational directory only (Single tenant)".
c. Redirect URI: Leave this blank. Aiyoda uses the client credentials flow (no user redirect needed).
d. Click the "Register" button to create the app.

💡 After registering, you will land on the app's Overview page. Copy and save the Application (client) ID and Directory (tenant) ID; you'll need these for the Aiyoda configuration.
3. Create a Client Secret

Generate credentials for Aiyoda to authenticate with

a. In the left sidebar, click "Certificates & secrets" under Manage.
b. Click "+ New client secret".
c. Description: Enter "Aiyoda Secret" (or similar).
d. Expires: Select an appropriate expiry period; 12 months is recommended.
e. Click "Add". Immediately copy the secret Value shown, as it will be hidden after you leave this page.

⚠️ Important: Copy the secret Value immediately. Once you navigate away from this page, the full value is hidden and you will need to create a new secret.
4. Assign Graph API Permissions

Grant Aiyoda the read-only permissions it needs

a. Click "API permissions" in the left sidebar.
b. Click "+ Add a permission" → Select "PowerBI Service" → Select "Delegated permissions".
c. Search and add each of the required permissions listed in the table below.
d. Click "Add permissions" to save, then click "Grant admin consent for [your tenant]" and confirm.

| Permission         | Type      | Purpose                       |
|--------------------|-----------|-------------------------------|
| Dashboard.Read.All | Delegated | Read all PowerBI dashboards   |
| Dataset.Read.All   | Delegated | Read all PowerBI datasets     |
| Report.Read.All    | Delegated | Read all PowerBI reports data |
| Tenant.Read.All    | Delegated | Read all PowerBI tenant data  |
| Workspace.Read.All | Delegated | Read all PowerBI workspaces   |

⚠️ Admin consent required: Application permissions require a Global Administrator to click "Grant admin consent". Without this step, the app will receive authentication errors.
5. Configure Aiyoda with Your App Details

Enter the details into the Aiyoda console

In the Aiyoda portal, navigate to the Spectrum PowerBI Api configuration and enter the following values collected from the previous steps:

Tenant ID     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   // From App Overview → Directory (tenant) ID
Client ID     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   // From App Overview → Application (client) ID
Client Secret : your-secret-value-here                 // From Certificates & secrets → Value

a. Log in to the Aiyoda Portal and navigate to Spectrum → Power BI Api.
b. Paste your Tenant ID, Client ID, and Client Secret into the respective fields.
c. Click "Test Connection" to verify Aiyoda can authenticate successfully.
d. Once the connection test passes, you can start collecting data.

✅ Success indicator: After a successful connection test, you are ready to scan your M365 environment.
Security Best Practices
Keeping Your App Secure
  • Rotate secrets regularly — Set calendar reminders before expiry (12 months recommended)
  • Limit permissions — Only grant the permissions listed above, nothing more
  • Store secrets securely — Never store the client secret in plain text or source control
  • Monitor sign-ins — Review the app's sign-in logs in Entra ID periodically
  • Dedicated app — Use a dedicated registration for Aiyoda only
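
To support the "Rotate secrets regularly" practice, and to catch the "Secret expired" issue listed under troubleshooting before it happens, the following added example (not part of Aiyoda's documentation or product) classifies each client secret in an app registration's passwordCredentials list by expiry. The sample application object is constructed, and the 30-day warning window and 366-day lifetime limit are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Microsoft Graph application object
# (GET /applications/{id}); every name, keyId and date here is made up.
SAMPLE_APP = json.loads("""
{"displayName": "Aiyoda-Discovery",
 "passwordCredentials": [
  {"displayName": "Aiyoda Secret", "keyId": "11111111-1111-1111-1111-111111111111",
   "startDateTime": "2025-03-01T09:00:00Z", "endDateTime": "2026-03-01T09:00:00Z"},
  {"displayName": "Old secret", "keyId": "22222222-2222-2222-2222-222222222222",
   "startDateTime": "2025-01-10T09:00:00.1234567Z", "endDateTime": "2026-01-10T09:00:00.1234567Z"},
  {"displayName": "Two-year secret", "keyId": "33333333-3333-3333-3333-333333333333",
   "startDateTime": "2025-06-01T09:00:00Z", "endDateTime": "2027-06-01T09:00:00Z"},
  {"displayName": "Aiyoda Secret 2026", "keyId": "44444444-4444-4444-4444-444444444444",
   "startDateTime": "2026-02-01T09:00:00Z", "endDateTime": "2027-02-01T09:00:00Z"}]}
""")

def parse_graph_time(value):
    """Parse a Graph UTC timestamp; fractional seconds (up to 7 digits) are dropped."""
    whole = value.rstrip("Z").split(".")[0]
    return datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_secrets(app, now, warn_days=30, max_lifetime_days=366):
    """Return {keyId: status} for each client secret on the app registration.

    warn_days and max_lifetime_days are assumed thresholds; 366 days allows a
    12-month secret that spans a leap day.
    """
    findings = {}
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        start = cred.get("startDateTime")
        if end <= now:
            status = "expired"            # see "Secret expired" under troubleshooting
        elif end - now <= timedelta(days=warn_days):
            status = "expiring-soon"      # rotate now and update the Aiyoda config
        elif start and end - parse_graph_time(start) > timedelta(days=max_lifetime_days):
            status = "lifetime-too-long"  # exceeds the 12-month recommendation
        else:
            status = "ok"
        findings[cred["keyId"]] = status
    return findings

if __name__ == "__main__":
    as_of = datetime(2026, 2, 15, tzinfo=timezone.utc)  # fixed date so output is stable
    for key_id, status in audit_secrets(SAMPLE_APP, as_of).items():
        print(key_id, status)
```

Only keyId and status are reported, so the output can be logged or sent to a ticketing system without exposing any secret material.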
Troubleshooting Common Issues
  • 401 Unauthorized — Check that admin consent was granted for all permissions
  • 403 Forbidden — A required permission may be missing from the list
  • Secret expired — Create a new client secret and update Aiyoda config
  • Invalid tenant — Verify the Tenant ID matches your M365 directory
  • Consent not granted — Global Admin must approve permissions in Entra ID