Update register-scan-power-bi-tenant-cross-tenant.md

Author: zeinab-mk

articles/purview/register-scan-power-bi-tenant-cross-tenant.md

@@ -6,7 +6,7 @@ ms.author: csugunan
 ms.service: purview
 ms.subservice: purview-data-map
 ms.topic: how-to
-ms.date: 09/09/2022
+ms.date: 09/21/2022
 ms.custom: template-how-to, ignite-fall-2021
 ---
 
@@ -27,7 +27,7 @@ For a list of metadata available for Power BI, see our [available metadata docum
 |**Scenario**  |**Microsoft Purview public access** |**Power BI public access** | **Runtime option** | **Authentication option**  | **Deployment checklist** | 
 |---------|---------|---------|---------|---------|---------|
 |Public access with Azure integration runtime     |Allowed     |Allowed        |Azure runtime      |Delegated authentication    | [Deployment checklist](#deployment-checklist) |
-|Public access with self-hosted integration runtime     |Allowed     |Allowed        |Self-hosted runtime        |Delegated authentication / Service principal | [Deployment checklist](#deployment-checklist) |
+|Public access with self-hosted integration runtime     |Allowed     |Allowed        |Self-hosted runtime        |Delegated authentication / service principal | [Deployment checklist](#deployment-checklist) |
 
 ### Known limitations
 
@@ -68,9 +68,9 @@ Use either of the following deployment checklists during the setup, or for troub
 
 1. Review your credential to validate that the:
    1. Client ID matches the _Application (Client) ID_ of the app registration.
-   2. For **delegated auth**, Username includes the user principal name, such as `[email protected]`.
+   2. For **delegated auth**, username includes the user principal name, such as `[email protected]`.
 
-1. If delegated authentication is used, in the Power BI Azure AD tenant validate the following Power BI admin user settings:
+1. In the Power BI Azure AD tenant validate the following Power BI admin user settings:
    1. The user is assigned to the Power BI administrator role.
    2. At least one [Power BI license](/power-bi/admin/service-admin-licensing-organization#subscription-license-types) is assigned to the user.
    3. If the user is recently created, sign in with the user at least once, to make sure that the password is reset successfully, and the user can successfully initiate the session.
@@ -113,12 +113,6 @@ Use either of the following deployment checklists during the setup, or for troub
    1. Client ID matches the _Application (Client) ID_ of the app registration.
    2. Username includes the user principal name, such as `[email protected]`.
 
-1. If delegated authentication is used, in the Power BI Azure AD tenant validate the following Power BI admin user settings:
-   1. The user is assigned to the Power BI administrator role.
-   2. At least one [Power BI license](/power-bi/admin/service-admin-licensing-organization#subscription-license-types) is assigned to the user.
-   3. If the user is recently created, sign in with the user at least once, to make sure that the password is reset successfully, and the user can successfully initiate the session.
-   4. There are no multifactor authentication or conditional access policies enforced on the user.
-
 1. In the Power BI Azure AD tenant, validate the following app registration settings:
    1. The app registration exists in your Azure AD tenant where the Power BI tenant is located.
    2. Under **API permissions**, the following APIs are set up with **read** for **delegated permissions** and **grant admin consent for the tenant**:
@@ -130,6 +124,12 @@ Use either of the following deployment checklists during the setup, or for troub
       2. **Implicit grant and hybrid flows** > **ID tokens (used for implicit and hybrid flows)** is selected.
       3. **Allow public client flows** is enabled.
 
+1. If delegated authentication is used, in the Power BI Azure AD tenant validate the following Power BI admin user settings:
+   1. The user is assigned to the Power BI administrator role.
+   2. At least one [Power BI license](/power-bi/admin/service-admin-licensing-organization#subscription-license-types) is assigned to the user.
+   3. If the user is recently created, sign in with the user at least once, to make sure that the password is reset successfully, and the user can successfully initiate the session.
+   4. There are no multifactor authentication or conditional access policies enforced on the user.
+
 1. Validate the following self-hosted runtime settings:
    1. The latest version of the [self-hosted runtime](https://www.microsoft.com/download/details.aspx?id=39717) is installed on the VM.
    1. Network connectivity from the self-hosted runtime to the Power BI tenant is enabled.
@@ -216,7 +216,7 @@ In Azure Active Directory Tenant, where Power BI tenant is located:
     > [!Note]
     > You can remove the security group from your developer settings, but the metadata previously extracted won't be removed from the Microsoft Purview account. You can delete it separately, if you wish.
 
-### Scan cross-tenant 
+### Create scan for cross-tenant using Azure IR with delegated authentication 
 
 To create and run a new scan by using the Azure runtime, perform the following steps:
 
@@ -305,6 +305,80 @@ To create and run a new scan by using the Azure runtime, perform the following s
 
     :::image type="content" source="media/setup-power-bi-scan-catalog-portal/save-run-power-bi-scan.png" alt-text="Screenshot that shows how to save and run the Power BI source.":::
 
+### Create scan for cross-tenant using self-hosted IR with service principal
+
+To create and run a new scan by using the self-hosted integration runtime, perform the following steps:
+
+1. Create an app registration in your Azure AD tenant where Power BI is located. Provide a web URL in the **Redirect URI**. Take note of the client ID (app ID).
+
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-create-service-principle.png" alt-text="Screenshot that shows how to create a service principle.":::
+  
+1. From the Azure AD dashboard, select the newly created application, and then select **App permissions**. Assign the application the following delegated permissions, and grant admin consent for the tenant:
+
+   - Power BI Service Tenant.Read.All
+   - Microsoft Graph openid
+   - Microsoft Graph User.Read
+
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions for Power BI and Microsoft Graph.":::
+
+1. From the Azure AD dashboard, select the newly created application, and then select **Authentication**. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**. 
+
+      :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-multitenant.png" alt-text="Screenshot of account type support multitenant.":::
+
+1. Under **Implicit grant and hybrid flows**, select **ID tokens (used for implicit and hybrid flows)**.
+    
+      :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-id-token-hybrid-flows.png" alt-text="Screenshot of ID token hybrid flows.":::
+
+1. Under **Advanced settings**, enable **Allow Public client flows**.
+
+1. In the tenant where Microsoft Purview is created go to the instance of Azure Key Vault.
+
+1. Select **Settings** > **Secrets**, and then select **+ Generate/Import**.
+
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-key-vault.png" alt-text="Screenshot of the instance of Azure Key Vault.":::
+
+1. Enter a name for the secret. For **Value**, type the newly created password for the Azure AD user. Select **Create** to complete.
+
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-key-vault-secret.png" alt-text="Screenshot that shows how to generate a secret in Azure Key Vault.":::
+
+1. If your key vault isn't connected to Microsoft Purview yet, you need to [create a new key vault connection](manage-credentials.md#create-azure-key-vaults-connections-in-your-microsoft-purview-account).
+   
+1. In the Microsoft Purview Studio, go to the **Data map** in the left menu. Go to **Sources**.
+
+1. Select the registered Power BI source from cross-tenant.
+
+1. Select **+ New scan**.
+
+1. Give your scan a name. Then select the option to include or exclude the personal workspaces.
+   
+   > [!Note]
+   > If you switch the configuration of a scan to include or exclude a personal workspace, you trigger a full scan of the Power BI source.
+
+1. Select your self-hosted integration runtime from the drop-down list.
+
+1. For the **Credential**, select **Service Principal**, and then select **+ New** to create a new credential.
+ 
+1. Create a new credential and provide the following required parameters:
+    
+  - **Name**: Provide a unique name for credential
+  - **Authentication method**: Service principal
+  - **Tenant ID**: Your Power BI tenant ID
+  - **Client ID**: Use Service Principal Client ID (App ID) you created earlier
+
+1. Select **Test connection** before continuing to the next steps.
+
+    If the test fails, select **View Report** to see the detailed status and troubleshoot the problem:
+
+      1. *Access - Failed* status means that the user authentication failed. Validate if the App ID and secret are correct. Review if the credential contains the correct client (app) ID from the app registration.
+      2. *Assets (+ lineage) - Failed* status means that the authorization between Microsoft Purview and Power BI has failed. Make sure that the user is added to the Power BI administrator role, and has the proper Power BI license assigned.
+      3. *Detailed metadata (Enhanced) - Failed* status means that the Power BI admin portal is disabled for the following setting: **Enhance admin APIs responses with detailed metadata**.
+
+1. Set up a scan trigger. Your options are **Recurring** or **Once**.
+
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/scan-trigger.png" alt-text="Screenshot of the Microsoft Purview scan scheduler.":::
+
+1. On **Review new scan**, select **Save and run** to launch your scan.
+
 ## Next steps
 
 Now that you've registered your source, see the following guides to learn more about Microsoft Purview and your data.