What permissions does DataTako need?
DataTako uses a secure connection with your Power BI environment. This is done with a so-called 'app registration/service principal'. This service principal can be managed from within your Azure environment.
You can find this connection in the Enterprise applications section in your Azure portal:

When you open the DataTako or DataTako PBIE application (depending on configuration), navigate to the Permissions tab to see which permissions are used:

Required permissions:
DataTako needs the following permissions to operate:
| Subject | Claim | Explanation |
| --- | --- | --- |
| Microsoft Graph | Organization.Read.All | This permission is needed to be able to read your organisation name, which is shown on the connections page in DataTako. |
| Power BI service | Tenant.ReadWrite.All | The ability to read things such as workspace(s), the ability to refresh datasets when triggered, etc. |
| Power BI service | Tenant.Read.All | The ability to read workspace(s) and report name(s) used for configuration in DataTako. |
The above permissions do not, by themselves, grant access to any resources. They only allow the DataTako service principal to call the APIs for which the permissions were granted.
How DataTako gets access to your Power BI workspaces
DataTako uses a service principal to connect to your Power BI environment.
There are two layers of permissions, and both must be granted:
1. Azure / Entra ID Permission (API Access)
This allows DataTako to communicate with your Power BI tenant. Think of it as giving the app a badge to enter the building.
2. Power BI Workspace permission
This determines which specific workspaces DataTako can access. Think of it as giving the app keys to individual rooms.
Why you don’t see any workspace(s) in DataTako by default
Even with API permissions, the service principal has no workspace access by default.
A workspace only becomes visible when you add the service principal (or a security group containing it) to that workspace.
What this means for you
- DataTako only sees the workspaces you explicitly grant access to
- Nothing else in your tenant is visible
- You stay in full control at all times
- You can delete the service principal at any time, and this completely removes the DataTako access.
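
To confirm which workspaces the service principal can actually reach, you can review workspace membership, including grants that arrive through a security group. The Python check below is an added example, not DataTako's code or part of the original page. It assumes a workspace listing with users expanded, using the field names `identifier`, `principalType` and `groupUserAccessRight`; all IDs, workspace names and the approved list are constructed.

```python
import json

# Workspace roles ordered from least to most privileged.
RANK = {"Viewer": 1, "Contributor": 2, "Member": 3, "Admin": 4}

# Constructed sample listing; every ID and name here is made up.
LISTING = json.loads("""
{"value": [
  {"name": "Finance", "users": [
    {"identifier": "sp-0001", "principalType": "App", "groupUserAccessRight": "Viewer"},
    {"identifier": "grp-0009", "principalType": "Group", "groupUserAccessRight": "Member"}]},
  {"name": "Sales", "users": [
    {"identifier": "grp-0009", "principalType": "Group", "groupUserAccessRight": "Contributor"}]},
  {"name": "HR", "users": [
    {"identifier": "alice@example.com", "principalType": "User", "groupUserAccessRight": "Admin"}]}
]}
""")

def effective_access(listing, sp_id, sp_groups):
    """Map workspace name -> (highest role, grant paths) for the service principal."""
    result = {}
    for ws in listing.get("value", []):
        grants = []
        for u in ws.get("users", []):
            kind, ident = u.get("principalType"), u.get("identifier")
            if kind == "App" and ident == sp_id:
                grants.append((u["groupUserAccessRight"], "direct"))
            elif kind == "Group" and ident in sp_groups:
                # Access inherited from a security group that contains the principal.
                grants.append((u["groupUserAccessRight"], f"group:{ident}"))
        if grants:
            best = max(grants, key=lambda g: RANK.get(g[0], 0))[0]
            result[ws["name"]] = (best, sorted(path for _, path in grants))
    return result

def unexpected(access, approved):
    """Workspaces the principal can reach that are not on the approved list."""
    return sorted(set(access) - set(approved))

if __name__ == "__main__":
    access = effective_access(LISTING, "sp-0001", {"grp-0009"})
    for name, (role, paths) in sorted(access.items()):
        print(f"{name}: {role} via {', '.join(paths)}")
    print("not approved:", unexpected(access, ["Finance"]))
```

Group-based grants are the ones most easily overlooked, because the service principal never appears by name in the workspace's access list.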
How to remove the DataTako service principal
If you no longer want to use DataTako, you can remove the service principal from your Azure tenant to fully remove the connection. You can do so by opening the 'DataTako' or 'DataTako PBIE' service principal on the Enterprise applications page in Azure.
After opening it, navigate to Properties and click the delete icon at the top to delete the application.

