# Create New Tenant

This chains together a lot of concepts from other notebooks.

In [1]:
pip install azure-mgmt-sql requests msal pyodbc requests_toolbelt

Note: you may need to restart the kernel to use updated packages.


In [2]:
#For orgaization purposes I put notbooks in subfolders not the root of the proejct.aad_token
#This code adds the root directory of the project to the sys path so we can load class modules from the services folder
#I think this only needs to be run once, but including it for completeness.
import os, sys
projectRoot = os.path.abspath('.')
directory = os.path.dirname(projectRoot)
if not directory in sys.path: sys.path.append(directory)

In [3]:
#This leverages the code encapsulated in services/aadservice.py that encapsulates the service principle login
from services.aadservice import AadService
credential = AadService.get_credential()

## Part 1 - Find Next Tenant Name


In [4]:
#This leverages the code encapsulated in services/aadservice.py that encapsulates the service principle login
scope = 'https://analysis.windows.net/powerbi/api/.default'
aadPBIToken = credential.get_token(scope).token

pbiApiHeaders =  {'Content-Type': 'application/json', 'Authorization': 'Bearer ' + aadPBIToken}

In [5]:
import requests
import json

apiUrl = f'https://api.powerbi.com/v1.0/myorg/groups'       

apiResponse = requests.get(apiUrl, headers=pbiApiHeaders)
#error handling for API call
if apiResponse.status_code != 200:
    description = f'Error retreiving workspace:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
else:
    apiResponse = json.loads(apiResponse.text)
    print(json.dumps(apiResponse,indent=2))

{
  "@odata.context": "http://wabi-west-us3-a-primary-redirect.analysis.windows.net/v1.0/myorg/$metadata#groups",
  "@odata.count": 4,
  "value": [
    {
      "id": "16453fea-cb0f-4ef4-b1b2-bede9d3b92be",
      "isReadOnly": false,
      "isOnDedicatedCapacity": true,
      "capacityId": "E3D6994E-EA17-4A7C-97FB-3F690CD4CDCF",
      "defaultDatasetStorageFormat": "Small",
      "type": "Workspace",
      "name": "cgmapiplaground"
    },
    {
      "id": "b80bf0f1-c106-4404-a0d5-3368646e93cb",
      "isReadOnly": false,
      "isOnDedicatedCapacity": false,
      "type": "Workspace",
      "name": "Test Workspace"
    },
    {
      "id": "4d788d68-fa4d-46b5-9884-6b1414c6c1e9",
      "isReadOnly": false,
      "isOnDedicatedCapacity": false,
      "type": "Workspace",
      "name": "cgmthisisatest"
    },
    {
      "id": "ec122731-e06f-46d8-a217-d3eb172636e6",
      "isReadOnly": false,
      "isOnDedicatedCapacity": true,
      "capacityId": "E7FA21D0-CFB8-425A-8AE9-B5BB85790FDE",


In [6]:
from services.env import const

workspaces = apiResponse["value"]

keyPosition = 0
keyValue = 0

for workspace in workspaces:
    nameParts = workspace["name"].split(const.tenantRoot)
    #if there was an underscroe in the title, get the suffix of the database name.
    if len(nameParts) > 1:
        #if the suffix is greater than our max capture it as the new max
        if int(nameParts[1]) > keyValue:
            keyValue = int(nameParts[1])
keyValue = keyValue+1
tenantName = f"{const.tenantRoot}{keyValue}"

print(f"Next tenant is: {tenantName}")

Next tenant is: cgmpbietenant2


## Part 2 - Create Tenant Workspace

In [7]:
import requests
import json
from services.env import const

apiUrl = f'https://api.powerbi.com/v1.0/myorg/groups?workspaceV2=True'       

body = {"name":tenantName}

apiResponse = requests.post(apiUrl, headers=pbiApiHeaders, data=json.dumps(body))
#error handling for createTemporaryUplodadLocation
if apiResponse.status_code != 200:
    description = f'Error creating workspace:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
else:
    workspace = json.loads(apiResponse.text)
    workspaceId = workspace["id"]
    print(f"Workspace {workspaceId} created")

Workspace 791485cb-01a0-470c-87ab-3adf0fad829a created


In [8]:
import requests
import json
from services.env import const

apiUrl = f'https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/users'       

body = {
  "emailAddress": const.globalAdminUser,
  "groupUserAccessRight": "Admin"
}

apiResponse = requests.post(apiUrl, headers=pbiApiHeaders, data=json.dumps(body))
#error handling for adding user
if apiResponse.status_code != 200:
    description = f'Error creating user:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
else:
    print(f"User {const.globalAdminUser} added")

User chmitch@microsoftanalytics.info added


## Part 3:  Create Tenant Capacity

In [9]:
scope = 'https://management.azure.com/.default'
azureMgmtToken = credential.get_token(scope).token

azureApiHeaders =  {'Content-Type': 'application/json', 'Authorization': 'Bearer ' + azureMgmtToken}

In [10]:
import requests
import json
from services.env import const

apiUrl = f'https://management.azure.com/subscriptions/{const.subscriptionId}/resourceGroups/{const.resourceGroup}/providers/Microsoft.Fabric/capacities/{tenantName}?api-version=2022-07-01-preview'       

body = { 
            "type": "Microsoft.Fabric/capacities",
            "name": tenantName,
            "location": "westus3",
            "sku": {
                "name": "F2",
                "tier": "Fabric"
            },
            "properties": {
                "administration": {
                    "members": const.administrators
                }
            }
        }

apiResponse = requests.put(apiUrl, headers=azureApiHeaders, data=json.dumps(body))

#error handling for create capacity
if apiResponse.status_code != 201 and apiResponse.status_code != 200:
    description = f'Error creating capacity:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
else:
    print(f"Capacity '{tenantName}' created")

Capacity 'cgmpbietenant2' created


## Part 4:  Add Capacity to Workspace

In [11]:
import requests
import json

capacityId = "blank"
apiUrl = f'https://api.powerbi.com/v1.0/myorg/capacities'      

apiResponse = requests.get(apiUrl, headers=pbiApiHeaders)
#error handling for createTemporaryUplodadLocation
if apiResponse.status_code != 200:
    description = f'Error creating workspace:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
else:
    apiResponse = json.loads(apiResponse.text)
    capacities = apiResponse["value"]
    for capacity in capacities:
        if capacity["displayName"] == tenantName:
            capacityId = capacity["id"]

    print(f"The capacity {tenantName} has id {capacityId}")

The capacity cgmpbietenant2 has id 15F63C77-3AF3-42DF-8E0A-0EBF22D627E5


In [12]:
import requests
import json

apiUrl = f'https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/AssignToCapacity'      

body = {'capacityId': capacityId}

apiResponse = requests.post(apiUrl, headers=pbiApiHeaders, data=json.dumps(body))

#error handling for capacity assignment.
if apiResponse.status_code != 200:
    description = f'Error assigning capacity:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
else:
    print(f"Capacity {capacityId} assigned to workspace {workspaceId}")

Capacity 15F63C77-3AF3-42DF-8E0A-0EBF22D627E5 assigned to workspace 791485cb-01a0-470c-87ab-3adf0fad829a


## Part 5: Create Tenant Service Principal

In [13]:
scope = 'https://graph.microsoft.com/.default'

#with the credential object, get the token for the azure management scope.
graphApiToken = credential.get_token(scope).token
graphApiHeaders =  {'Content-Type': 'application/json', 'Authorization': 'Bearer ' + graphApiToken}

In [14]:
import requests
import json

#appId = str(uuid.uuid4())
apiUrl = f'https://graph.microsoft.com/v1.0/applications'       

body = {
    "displayName": tenantName,
    "passwordCredentials":[
        {
            "displayName": "auth secret"
        }
    ]
}

apiResponse = requests.post(apiUrl, headers=graphApiHeaders, data=json.dumps(body))

#error handling for create capacity
if apiResponse.status_code != 201 and apiResponse.status_code != 200:
    description = f'Error creating capacity:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
else:
    apiResponse = json.loads(apiResponse.text)
    print(json.dumps(apiResponse,indent=2))

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
  "id": "ac07f140-41b3-4ca9-bea9-7bed6f4fdfcd",
  "deletedDateTime": null,
  "appId": "ca92edc7-e9c9-482e-a755-3d0aaadfbee7",
  "applicationTemplateId": null,
  "disabledByMicrosoftStatus": null,
  "createdDateTime": "2024-05-24T14:26:01.2788689Z",
  "displayName": "cgmpbietenant2",
  "description": null,
  "groupMembershipClaims": null,
  "identifierUris": [],
  "isDeviceOnlyAuthSupported": null,
  "isFallbackPublicClient": null,
  "nativeAuthenticationApisEnabled": null,
  "notes": null,
  "publisherDomain": "microsoftanalytics.info",
  "serviceManagementReference": null,
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null,
  "uniqueName": null,
  "samlMetadataUrl": null,
  "defaultRedirectUri": null,
  "certification": null,
  "optionalClaims": null,
  "servicePrincipalLockConfiguration": null,
  "requestSignatureVerification": null,
  "addIns": [],
  "api": {
    "a

In [15]:
from services.secretservice import SecretService
from services.env import const

#Grab the app id and client secret for the created application.
appId = apiResponse["appId"]
secrets = apiResponse["passwordCredentials"]
secret = secrets[0]
secretText = secret["secretText"]

#SecretService.get_secret_byname(keyVault,"foo")
appIdKey = f'{tenantName}Id'
appSecretKey = f'{tenantName}Secret'

SecretService.store_secret_byname(const.keyVault, appIdKey, appId)
SecretService.store_secret_byname(const.keyVault, appSecretKey, secretText)

<KeyVaultSecret [https://cgmmlservicevault.vault.azure.net/secrets/cgmpbietenant2Secret/5342b6cb04d443b68f1018cef9491e3a]>

In [16]:
import requests
import json

#appId = str(uuid.uuid4())
apiUrl = f'https://graph.microsoft.com/v1.0/servicePrincipals'       

body = {
  "appId": appId
}

apiResponse = requests.post(apiUrl, headers=graphApiHeaders, data=json.dumps(body))

#error handling for create capacity
if apiResponse.status_code != 201 and apiResponse.status_code != 200:
    description = f'Error creating capacity:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
else:
    print(f"Application {appId} converted to Service Principal")

Application ca92edc7-e9c9-482e-a755-3d0aaadfbee7 converted to Service Principal


## Part 6:  Create Azure SQL Database

Extensive details on what this script does are covered in CreateSQLDB.ipynb.  In this step we're creating a new database as a copy of an existing "template" database.   While there are multiple ways to create an empty database with a specific schema this is the fewest steps.  Other options include:

1. Create a blank database and deploy a schema from a script.
1. Create the database as a restore from a backup file.

Another advantage of this approach is if there are any users that need to have admin access to all databases this user grant, or static data that needs to be included, it can all exist in the database already and will be there already after the copy.

In [17]:
from azure.mgmt.sql import SqlManagementClient
import json
from services.env import const

try:
    #
    sqlClient = SqlManagementClient(credential=credential, subscription_id=const.subscriptionId)
    
    # Create database
    database = sqlClient.databases.begin_create_or_update(
        const.resourceGroup,
        const.serverName,
        tenantName,
        {
            "location": const.location,
            "sku": {
                "name": "S0",
                "tier": "Standard"
            },
            "properties": {
                "createMode": "Copy",
                "sourceDatabaseId": f"/subscriptions/{const.subscriptionId}/resourceGroups/{const.resourceGroup}/providers/Microsoft.Sql/servers/{const.serverName}/databases/template"
            }
        }
        ).result()

    print(f"Database {tenantName} created")
except KeyError:
    print(f"Database {tenantName} create failed")


Database cgmpbietenant2 created


Now that we've created a database on the precreated server, we want to do some post configuration on that database.  The server's admin account is running as a service principal.  In order to let us connect to that datbabase directly we need to add an additional Entra user to the database.  I'll do this using and ODBC connection and a couple SQL commands to create a local database user that corresponds to an Entra user and also grant that user owner permissions on the database.

This is an example of where you'd likely create a tenant specific user for the database and grant that user access.

Supporting docs:

1. How to install SQL ODBC drivers on Linux:  https://learn.microsoft.com/en-us/sql/connect/odbc/linux-mac/installing-the-microsoft-odbc-driver-for-sql-server?view=sql-server-ver16&tabs=ubuntu18-install%2Calpine17-install%2Cdebian8-install%2Credhat7-13-install%2Crhel7-offline
2. How to connect to a database with pyodbc drivers and a service principal login:  https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-sql-passwordless-migration-python?view=azuresql&tabs=sign-in-azure-cli%2Cazure-portal-create%2Cazure-portal-assign%2Capp-service-identity

In [18]:
import struct
import pyodbc
import json
from services.secretservice import SecretService
from services.env import const

serverFqdn = f'{const.serverName}.database.windows.net'
driver = '{ODBC Driver 18 for SQL Server}'

#Get a credential for database access.
tokenBytes = credential.get_token("https://database.windows.net/.default").token.encode("UTF-16-LE")
token_struct = struct.pack(f'<I{len(tokenBytes)}s', len(tokenBytes), tokenBytes)
SQL_COPT_SS_ACCESS_TOKEN = 1256

#open the connection
conn_str = f'DRIVER={driver};SERVER={serverFqdn};DATABASE={tenantName};'
conn = pyodbc.connect(conn_str,attrs_before={SQL_COPT_SS_ACCESS_TOKEN: token_struct})

#Update our "WhoAmI" table so we have a basic table to prove our reports are connected to another database
sql = f"TRUNCATE TABLE WhoAmI\n\rINSERT INTO WhoAmI VALUES ('{tenantName}')"
conn.execute(sql)
sql = f"CREATE USER [{tenantName}] FROM EXTERNAL PROVIDER;"
conn.execute(sql)
sql = f"ALTER ROLE db_datareader ADD MEMBER [{tenantName}];"
conn.execute(sql)

#This is important, the connection doesn't auto commit
conn.commit()

print(f"Application {appId} granted data reader permissions on database {tenantName}")

Application ca92edc7-e9c9-482e-a755-3d0aaadfbee7 granted data reader permissions on database cgmpbietenant2


## Part 7 - Deploy Power BI Model to workspace

In [19]:
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

fileLocation = '../files/Template.pbix'

url = f'https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/imports?datasetDisplayName={tenantName}'
headers = {
    'Content-Type': 'multipart/form-data',
    'authorization': 'Bearer ' + aadPBIToken
}

# you need this dictionary to convert a binary file into form-data format
# None here means we skip the filename and file content is important 
files = {'value': (None, open(fileLocation, 'rb'), 'multipart/form-data')}

mp_encoder = MultipartEncoder(fields=files)

r = requests.post(
    url=url,
    data=mp_encoder,  # The MultipartEncoder is posted as data, don't use files=...!
    # The MultipartEncoder provides the content-type header with the boundary:
    headers=headers
)

print(f"File {fileLocation} deployed to workspace {workspaceId}")

File ../files/Template.pbix deployed to workspace 791485cb-01a0-470c-87ab-3adf0fad829a


## Part 8 - Change Dataset Connection

In [20]:
#/myorg/groups/{workspace_id}/datasets
#This retreives a list of datasets in the given workspace, notice the response value is wrapped in an array []
import requests
import json
import time

#Injecting a wait to make sure Power BI has had time to enumerate datasets in the uploaded model.
time.sleep(15)

apiUrl = f'https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/datasets'       


# Generate Embed token for multiple workspaces, datasets, and reports. Refer https://aka.ms/MultiResourceEmbedToken
apiResponse = requests.get(apiUrl, headers=pbiApiHeaders)
if apiResponse.status_code != 200:
    description = f'Error while retrieving datasets:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
    #print(api_response.status_code, description=description)
else:
    apiResponse = json.loads(apiResponse.text)
    datasets = apiResponse["value"]
    dataset = datasets[0]
    datasetId = dataset["id"]

    print(f"Deployed model has datasetId: {datasetId}")

Deployed model has datasetId: 7a3e424e-69e1-4751-8b80-285a264df758


In [21]:
import requests
import json

apiUrl = f'https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/datasets/{datasetId}/Default.UpdateParameters'       

body = {
    "updateDetails": [
        {
            "name": "server",
            "newValue": serverFqdn
        },
        {
            "name": "database",
            "newValue": tenantName
        }
    ]
}

# Generate Embed token for multiple workspaces, datasets, and reports. Refer https://aka.ms/MultiResourceEmbedToken
apiResponse = requests.post(apiUrl, headers=pbiApiHeaders, data=json.dumps(body))
if apiResponse.status_code != 200:
    description = f'Error while updating dataset parameters:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
    #print(api_response.status_code, description=description)
else:
    print(f"Dataset {datasetId} parameters changed successfully")


Dataset 7a3e424e-69e1-4751-8b80-285a264df758 parameters changed successfully


In [22]:
import requests
import json
apiUrl = f'https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/datasets/{datasetId}/datasources'       

# Generate Embed token for multiple workspaces, datasets, and reports. Refer https://aka.ms/MultiResourceEmbedToken
apiResponse = requests.get(apiUrl, headers=pbiApiHeaders)
if apiResponse.status_code != 200:
    description = f'Error while retrieving datasets:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
    #print(api_response.status_code, description=description)
else:
    apiResponse = json.loads(apiResponse.text)
    datasources = apiResponse["value"]
    datasource = datasources[0]
    datasourceId = datasource["datasourceId"]
    gatewayId = datasource["gatewayId"]
    print(f"Dataset {datasetId} has datasource {datasourceId} on gateway {gatewayId}")

Dataset 7a3e424e-69e1-4751-8b80-285a264df758 has datasource c9e5e7b5-5985-4698-93e3-ed56a571b697 on gateway 5e33e147-3098-47a4-97bd-f36591b97b1c


In [23]:
import requests
import json
from services.aadservice import AadService

apiUrl = f'https://api.powerbi.com/v1.0/myorg/gateways/{gatewayId}/datasources/{datasourceId}'       

#We need a SQL Auth token for the new tenant login we created
credential = AadService.get_tenant_credential(tenantName)
aadSQLToken = credential.get_token("https://database.windows.net/.default").token

serialized_credentials = '{\'credentialData\':[{\'name\':\'accessToken\',\'value\':\'' + aadSQLToken + '\'}]}'

body = {
    "credentialDetails": {
        "credentialType": "OAuth2",
        "credentials": serialized_credentials,
        "encryptedConnection": "NotEncrypted",
        "encryptionAlgorithm": "None",
        "privacyLevel": "None"
    }
}


apiResponse = requests.patch(apiUrl, data=json.dumps(body), headers=pbiApiHeaders)
if apiResponse.status_code != 200:
    description = f'Error while retrieving datasets:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
    #print(api_response.status_code, description=description)
else:
    print(f"Updated credentials on datasource {datasourceId}")


Updated credentials on datasource c9e5e7b5-5985-4698-93e3-ed56a571b697


## Part 9 - Refresh Model

In [24]:
import requests
import json

apiUrl = f'https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/datasets/{datasetId}/refreshes'       

body = {
  "notifyOption": "NoNotification",
  "retryCount": 3
}

apiResponse = requests.post(apiUrl, data=json.dumps(body), headers=pbiApiHeaders)
if apiResponse.status_code != 202:
    description = f'Error while retrieving datasets:\n  -Status Code:\t{apiResponse.status_code}\n  -Reason:\t{apiResponse.reason}\n  -RequestId:\t{apiResponse.headers.get("RequestId")}\n  -Text:\t{apiResponse.text}'
    print(description)
    #print(api_response.status_code, description=description)
else:
    print(f"Refresh on dataset {datasetId} in workspace {workspaceId} initiated Successfully")

Refresh on dataset 7a3e424e-69e1-4751-8b80-285a264df758 in workspace 791485cb-01a0-470c-87ab-3adf0fad829a initiated Successfully
