Merge pull request #215595 from zeinab-mk/patch-27

Update register-scan-power-bi-tenant.md

Author: JamesJBarnett

articles/purview/media/setup-power-bi-scan-catalog-portal/power-bi-scan-cross-tenant-app-registration.png

@@ -6,7 +6,7 @@ ms.author: csugunan
 ms.service: purview
 ms.subservice: purview-data-map
 ms.topic: how-to
-ms.date: 09/22/2022
+ms.date: 10/24/2022
 ms.custom: template-how-to, ignite-fall-2021
 ---
 
@@ -78,10 +78,16 @@ Use either of the following deployment checklists during the setup, or for troub
 
 1. In the Power BI Azure AD tenant, validate the following app registration settings:
    1. The app registration exists in your Azure AD tenant where the Power BI tenant is located.
-   2. Under **API permissions**, the following APIs are set up with **read** for **delegated permissions** and **grant admin consent for the tenant**:
-      1. Power BI Service Tenant.Read.All
-      2. Microsoft Graph openid
-      3. Microsoft Graph User.Read
+   
+   2. If service principal is used, under **API permissions**, the following **delegated permissions** are assigned with read for the following APIs:
+      - Microsoft Graph openid
+      - Microsoft Graph User.Read
+   
+   3. If delegated authentication is used, under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:
+      - Power BI Service Tenant.Read.All
+      - Microsoft Graph openid
+      - Microsoft Graph User.Read
+   
    3. Under **Authentication**:
       1. **Supported account types** > **Accounts in any organizational directory (Any Azure AD directory - Multitenant)** is selected.
       2. **Implicit grant and hybrid flows** > **ID tokens (used for implicit and hybrid flows)** is selected.
@@ -115,10 +121,16 @@ Use either of the following deployment checklists during the setup, or for troub
 
 1. In the Power BI Azure AD tenant, validate the following app registration settings:
    1. The app registration exists in your Azure AD tenant where the Power BI tenant is located.
-   2. Under **API permissions**, the following APIs are set up with **read** for **delegated permissions** and **grant admin consent for the tenant**:
-      1. Power BI Service Tenant.Read.All
-      2. Microsoft Graph openid
-      3. Microsoft Graph User.Read
+   
+   2. If service principal is used, under **API permissions**, the following **delegated permissions** are assigned with read for the following APIs:
+      - Microsoft Graph openid
+      - Microsoft Graph User.Read
+   
+   3. If delegated authentication is used, under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:
+      - Power BI Service Tenant.Read.All
+      - Microsoft Graph openid
+      - Microsoft Graph User.Read
+   
    3. Under **Authentication**:
       1. **Supported account types** > **Accounts in any organizational directory (Any Azure AD directory - Multitenant)** is selected.
       2. **Implicit grant and hybrid flows** > **ID tokens (used for implicit and hybrid flows)** is selected.
@@ -236,7 +248,11 @@ To create and run a new scan by using the Azure runtime, perform the following s
 
 1. If your key vault isn't connected to Microsoft Purview yet, you need to [create a new key vault connection](manage-credentials.md#create-azure-key-vaults-connections-in-your-microsoft-purview-account).
 
-1. Create an app registration in your Azure AD tenant where Power BI is located. Provide a web URL in the **Redirect URI**. Take note of the client ID (app ID).
+1. Create an app registration in your Azure AD tenant where Power BI is located. Provide a web URL in the **Redirect URI**. 
+
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-cross-tenant-app-registration.png" alt-text="Screenshot how to create App in Azure AD for cross tenant.":::
+ 
+3. Take note of the client ID (app ID).
 
     :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-create-service-principle.png" alt-text="Screenshot that shows how to create a service principle.":::
 
@@ -246,7 +262,7 @@ To create and run a new scan by using the Azure runtime, perform the following s
    - Microsoft Graph openid
    - Microsoft Graph User.Read
 
-    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions for Power BI and Microsoft Graph.":::
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions on Power BI and Microsoft Graph.":::
 
 1. From the Azure AD dashboard, select the newly created application, and then select **Authentication**. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**. 
 
@@ -309,17 +325,20 @@ To create and run a new scan by using the Azure runtime, perform the following s
 
 To create and run a new scan by using the self-hosted integration runtime, perform the following steps:
 
-1. Create an app registration in your Azure AD tenant where Power BI is located. Provide a web URL in the **Redirect URI**. Take note of the client ID (app ID).
+1. Create an app registration in your Azure AD tenant where Power BI is located. Provide a web URL in the **Redirect URI**. 
+
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-cross-tenant-app-registration.png" alt-text="Screenshot how to create App in Azure AD for cross tenant.":::
+ 
+2. Take note of the client ID (app ID).
 
     :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-create-service-principle.png" alt-text="Screenshot that shows how to create a service principle.":::
 
-1. From the Azure AD dashboard, select the newly created application, and then select **App permissions**. Assign the application the following delegated permissions, and grant admin consent for the tenant:
+1. From the Azure AD dashboard, select the newly created application, and then select **App permissions**. Assign the application the following delegated permissions:
 
-   - Power BI Service Tenant.Read.All
    - Microsoft Graph openid
    - Microsoft Graph User.Read
 
-    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions for Power BI and Microsoft Graph.":::
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-spn-api-permissions.png" alt-text="Screenshot of delegated permissions on Microsoft Graph.":::
 
 1. From the Azure AD dashboard, select the newly created application, and then select **Authentication**. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**. 
 

articles/purview/media/setup-power-bi-scan-catalog-portal/power-bi-scan-spn-api-permissions.png

@@ -6,7 +6,7 @@ ms.author: csugunan
 ms.service: purview
 ms.subservice: purview-data-map
 ms.topic: how-to
-ms.date: 10/19/2022
+ms.date: 10/24/2022
 ms.custom: template-how-to, ignite-fall-2021
 ---
 
@@ -100,10 +100,16 @@ Use any of the following deployment checklists during the setup or for troublesh
 
 1. Validate App registration settings to make sure:
    1. App registration exists in your Azure Active Directory tenant.
-   2. Under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:
-      1. Power BI Service Tenant.Read.All
-      2. Microsoft Graph openid
-      3. Microsoft Graph User.Read
+   
+   2. If service principal is used, under **API permissions**, the following **delegated permissions** are assigned with read for the following APIs:
+      - Microsoft Graph openid
+      - Microsoft Graph User.Read
+   
+   3. If delegated authentication is used, under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:
+      - Power BI Service Tenant.Read.All
+      - Microsoft Graph openid
+      - Microsoft Graph User.Read
+    
     3. Under **Authentication**, **Allow public client flows** is enabled.
 
 2. If delegated authentication is used, validate Power BI admin user settings to make sure:
@@ -153,10 +159,16 @@ Use any of the following deployment checklists during the setup or for troublesh
 
 1. Validate App registration settings to make sure:
    1. App registration exists in your Azure Active Directory tenant.
-   2. Under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:
-      1. Power BI Service Tenant.Read.All
-      2. Microsoft Graph openid
-      3. Microsoft Graph User.Read
+   
+   2. If service principal is used, under **API permissions**, the following **delegated permissions** are assigned with read for the following APIs:
+      - Microsoft Graph openid
+      - Microsoft Graph User.Read
+   
+   3. If delegated authentication is used, under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:
+      - Power BI Service Tenant.Read.All
+      - Microsoft Graph openid
+      - Microsoft Graph User.Read
+   
    3. Under **Authentication**, **Allow public client flows** is enabled.
 
 2. Review network configuration and validate if:
@@ -307,19 +319,18 @@ To create and run a new scan, do the following:
 
 1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** and create an App Registration in the tenant. Provide a web URL in the **Redirect URI**. [For information about the Redirect URI see this documenation from Azure Active Directory](/azure/active-directory/develop/reply-url).
 
-    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-app-registration.png" alt-text="Screenshot how to create App in AAD.":::
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-app-registration.png" alt-text="Screenshot how to create App in Azure AD.":::
 
 2. Take note of Client ID(App ID).
 
     :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-create-service-principle.png" alt-text="Screenshot how to create a Service principle.":::
 
-1. From Azure Active Directory dashboard, select newly created application and then select **App registration**. From **API Permissions**, assign the application the following delegated permissions and grant admin consent for the tenant:
+1. From Azure Active Directory dashboard, select newly created application and then select **App registration**. From **API Permissions**, assign the application the following delegated permissions:
 
-   - Power BI Service Tenant.Read.All
    - Microsoft Graph openid
    - Microsoft Graph User.Read
 
-    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions for Power BI Service and Microsoft Graph.":::
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-spn-api-permissions.png" alt-text="Screenshot of delegated permissions on Microsoft Graph.":::
 
 1. Under **Advanced settings**, enable **Allow Public client flows**.
 
@@ -406,19 +417,19 @@ To create and run a new scan, do the following:
 
 1. Create an App Registration in your Azure Active Directory tenant. Provide a web URL in the **Redirect URI**. 
 
-    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-app-registration.png" alt-text="Screenshot how to create App in AAD.":::
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-app-registration.png" alt-text="Screenshot how to create App in Azure AD.":::
 
 2. Take note of Client ID(App ID).
 
     :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-create-service-principle.png" alt-text="Screenshot how to create a Service principle.":::
 
-1. From Azure Active Directory dashboard, select newly created application and then select **App registration**. From **API Permissions**, assign the application the following delegated permissions and grant admin consent for the tenant:
+1. From Azure Active Directory dashboard, select newly created application and then select **App registration**. Assign the application the following delegated permissions, and grant admin consent for the tenant:
 
    - Power BI Service Tenant.Read.All
    - Microsoft Graph openid
    - Microsoft Graph User.Read
 
-    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions for Power BI Service and Microsoft Graph.":::
+    :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions on Power BI Service and Microsoft Graph.":::
 
 1. Under **Advanced settings**, enable **Allow Public client flows**.