A comprehensive PowerShell module for inventorying Microsoft Fabric and Power BI tenants. Retrieve detailed information about workspaces, capacities, datasets, reports, dashboards, dataflows, gateways, users, permissions, refresh status, and activity logs.
- Complete Tenant Inventory: One command to inventory all resources
- Granular Control: Individual cmdlets for each resource type
- Scanner API Integration: Comprehensive metadata including lineage and datasources
- Flexible Authentication: Interactive user login or service principal for automation
- Multiple Export Formats: CSV, JSON, Excel, and HTML
- Pagination Handling: Automatically handles large tenants with thousands of workspaces
- Error Resilience: Automatic retry with exponential backoff for transient failures
- Progress Indicators: Real-time feedback for long-running operations
- PowerShell: 7.0 or later
- Required Module: `MicrosoftPowerBIMgmt` (v1.2.1111 or later)
- Optional Module: `ImportExcel` (for Excel export)
- Permissions: Power BI Administrator or Fabric Administrator role
```powershell
Install-Module -Name MicrosoftPowerBIMgmt -Scope CurrentUser
Install-Module -Name ImportExcel -Scope CurrentUser
```

```powershell
# Navigate to the module directory
cd "C:\Path\To\FabricTenantInventory"
# Import the module
Import-Module .\FabricTenantInventory.psd1
```

```powershell
# Connect to your tenant
Connect-FabricTenant
# Get complete inventory
$inventory = Get-FabricInventory
# View summary
$inventory.Summary
# Disconnect when done
Disconnect-FabricTenant
```

```powershell
Connect-FabricTenant
$inventory = Get-FabricInventory
Export-FabricInventory -InputObject $inventory -Path "C:\Inventory\tenant.json" -Format JSON
Disconnect-FabricTenant
```

```powershell
# Opens browser for authentication
Connect-FabricTenant
```

If you have an eligible Fabric Administrator role via PIM, you can activate it automatically when connecting:
```powershell
# Activate PIM role and connect in one command
Connect-FabricTenant -ActivatePIMRole -PIMJustification "Quarterly tenant inventory"
# Specify custom duration (default is 8 hours)
Connect-FabricTenant -ActivatePIMRole -PIMJustification "Emergency audit" -PIMDurationHours 4
```

```powershell
# Check if you have eligible Fabric Administrator role
Enable-FabricAdministratorRole -CheckOnly
# Activate the role manually
Enable-FabricAdministratorRole -Justification "Monthly compliance review" -DurationHours 8
# Then connect
Connect-FabricTenant
```

- Eligible Role Assignment: You must have an eligible Fabric Administrator role in Entra ID
- Microsoft Graph Authentication: One of the following must be available:
  - Microsoft.Graph PowerShell module: `Install-Module Microsoft.Graph -Scope CurrentUser`
  - Az.Accounts module: `Install-Module Az.Accounts -Scope CurrentUser`
  - Azure CLI: `az login`
- Authenticate to Microsoft Graph (choose one method):

  ```powershell
  # Method 1: Microsoft.Graph module
  Install-Module Microsoft.Graph -Scope CurrentUser
  Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
  # Method 2: Az.Accounts module
  Install-Module Az.Accounts -Scope CurrentUser
  Connect-AzAccount
  # Method 3: Azure CLI
  az login
  ```

- Run PIM activation:

  ```powershell
  # Now activate your PIM role
  Connect-FabricTenant -ActivatePIMRole -PIMJustification "Tenant inventory"
  ```

If automatic PIM activation fails, you can activate manually:
- Open Azure Portal - PIM
- Find "Fabric Administrator" role
- Click "Activate"
- Provide justification and duration
- Click "Activate"
- Wait ~30 seconds for activation to propagate
- Run `Connect-FabricTenant` (without `-ActivatePIMRole`)
```powershell
# Create credentials (Client ID as username, Secret as password)
$clientId = "12345678-1234-1234-1234-123456789012"
$clientSecret = ConvertTo-SecureString "your-client-secret" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($clientId, $clientSecret)
# Connect
Connect-FabricTenant -ServicePrincipal -TenantId "contoso.onmicrosoft.com" -Credential $credential
```

- Register an Azure AD App in Azure Portal
- Grant API permissions:
  - Power BI Service: `Tenant.Read.All`, `Workspace.Read.All`
- Add app to Power BI Admin group or grant Fabric Administrator role
- Create a client secret
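For scheduled runs, the client secret should not sit in the script as a literal string. The following is an added example, not part of the module: it reads the service principal credential from a Microsoft.PowerShell.SecretManagement vault, runs the inventory with assessment, and returns a non-zero exit code when critical findings exist. The secret name `FabricInventorySp`, the tenant ID and the output folder are placeholders.

```powershell
#Requires -Version 7.0
# Added example: unattended inventory run with the secret kept out of the script.
# Placeholders (not from the module): secret name, tenant ID, output folder.
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module .\FabricTenantInventory.psd1

# Assumption: client ID + secret were stored once as a PSCredential, e.g.
#   Set-Secret -Name 'FabricInventorySp' -Secret (Get-Credential)
$credential = Get-Secret -Name 'FabricInventorySp'
if ($credential -isnot [pscredential]) {
    throw "Secret 'FabricInventorySp' must be stored as a PSCredential (client ID + secret)."
}

$outDir   = 'C:\Inventory'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$exitCode = 0

Connect-FabricTenant -ServicePrincipal -TenantId 'contoso.onmicrosoft.com' -Credential $credential
try {
    $inventory = Get-FabricInventory -RunAssessment
    Export-FabricInventory -InputObject $inventory `
        -Path (Join-Path $outDir "tenant-$stamp.json") -Format JSON

    # Filter out $null so an empty result counts as 0, not 1
    $critical = @($inventory.Assessment.Findings.Critical | Where-Object { $null -ne $_ })
    $high     = @($inventory.Assessment.Findings.High     | Where-Object { $null -ne $_ })
    Write-Output "Critical findings: $($critical.Count); high: $($high.Count)"

    if ($critical.Count -gt 0) { $exitCode = 2 }   # lets the scheduler raise an alert
}
finally {
    Disconnect-FabricTenant   # clear the session even when the run fails
}
exit $exitCode
```

The exported JSON includes user permissions and datasource metadata, so the output folder should be readable only by the account that runs the job and by reviewers.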
```powershell
$workspaces = Get-FabricWorkspace
$workspaces | Select-Object Name, State, IsOnDedicatedCapacity
```

```powershell
$capacityId = "12345678-1234-1234-1234-123456789012"
$workspaces = Get-FabricWorkspace -CapacityId $capacityId -State Active
```

```powershell
$datasets = Get-FabricDataset -IncludeDataSources
$datasets | Select-Object Name, WorkspaceId, IsRefreshable
```

```powershell
$workspaceId = "12345678-1234-1234-1234-123456789012"
$reports = Get-FabricReport -WorkspaceId $workspaceId
```

```powershell
$workspaceId = "workspace-id"
$datasetId = "dataset-id"
$refreshes = Get-FabricRefreshHistory -WorkspaceId $workspaceId -DatasetId $datasetId -Top 50
# Show failed refreshes
$refreshes | Where-Object { $_.status -eq 'Failed' } | Select-Object startTime, endTime, status
```

```powershell
$startDate = (Get-Date).AddDays(-7)
$activities = Get-FabricActivityLog -StartDateTime $startDate
# Most viewed reports
$activities | Where-Object Activity -eq 'ViewReport' | Group-Object ReportId | Sort-Object Count -Descending | Select-Object -First 10
```

```powershell
$users = Get-FabricUser
# Find specific user's access
$users | Where-Object UserPrincipalName -like "*john.doe@contoso.com*"
```

```powershell
# Get workspace IDs
$workspaceIds = (Get-FabricWorkspace -State Active | Select-Object -First 10).Id
# Run scanner with datasources and schema
$scanResult = Invoke-FabricScanner -WorkspaceIds $workspaceIds -Datasources -DatasetSchema
# Explore results
$scanResult.Summary
$scanResult.Datasets | Select-Object name, isRefreshable, configuredBy
```

```powershell
# Only get workspaces and datasets
$inventory = Get-FabricInventory `
    -IncludeWorkspaces $true `
    -IncludeCapacities $false `
    -IncludeDatasets $true `
    -IncludeReports $false `
    -IncludeDashboards $false `
    -IncludeDataflows $false `
    -IncludeGateways $false `
    -IncludeUsers $false
```

```powershell
$inventory = Get-FabricInventory
# Export to JSON
Export-FabricInventory -InputObject $inventory -Path "inventory.json" -Format JSON
# Export to CSV (split by resource type)
Export-FabricInventory -InputObject $inventory -Path "C:\Inventory" -Format CSV -Split
# Export to Excel (requires ImportExcel module)
Export-FabricInventory -InputObject $inventory -Path "inventory.xlsx" -Format Excel -Split
```

```powershell
# Find datasets without sensitivity labels
$datasets = Get-FabricDataset
$unlabeled = $datasets | Where-Object { -not $_.SensitivityLabel }
# Find uncertified datasets in production
$workspaces = Get-FabricWorkspace -Name "*Prod*"
$prodDatasets = Get-FabricDataset -WorkspaceId $workspaces.Id
$uncertified = $prodDatasets | Where-Object { $_.Endorsement.EndorsementStatus -ne 'Certified' }
# Export for review
$uncertified | Export-FabricInventory -Path "uncertified_datasets.csv" -Format CSV
```

Automatically assess your tenant against security and governance best practices:
```powershell
# Run inventory with assessment
$inventory = Get-FabricInventory -RunAssessment
# View findings by severity
$inventory.Assessment.Findings.Critical # Critical issues
$inventory.Assessment.Findings.High # High priority issues
```

Generate comprehensive HTML reports:
```powershell
# Complete assessment with reporting
$inventory = Get-FabricInventory `
    -IncludeActivityLogs -ActivityLogDays 90 `
    -RunAssessment `
    -GenerateReport `
    -ReportPath "C:\Reports\TenantHealth.html"
# View health score (0-100)
$inventory.Report.Health.OverallScore
```

- Security: Public sharing, external access, export permissions
- Governance: Sensitivity labels, certification, endorsement
- Operations: Refresh failures, single points of failure
- Compliance: Unused resources, permission sprawl
See Examples/AssessmentAndReporting.ps1 for complete examples.
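The Security checks above look at configuration; the activity log shows who actually exported or shared content. The following added example (not part of the module or its Examples folder) summarizes export, share and publish-to-web events per user. `$events` is constructed sample data; it assumes `Get-FabricActivityLog` returns the Power BI activity event fields `Activity`, `UserId`, `CreationTime` and `ReportId`, and the threshold of 3 is an arbitrary starting point.

```powershell
# Added example. $events is constructed sample data; in a live session use:
#   $events = Get-FabricActivityLog -StartDateTime (Get-Date).AddDays(-7)
$events = @(
    [pscustomobject]@{ Activity = 'ViewReport';         UserId = 'ann@contoso.com';  CreationTime = '2025-01-06T09:12:00Z'; ReportId = 'r-001' }
    [pscustomobject]@{ Activity = 'ExportReport';       UserId = 'bob@contoso.com';  CreationTime = '2025-01-06T22:40:00Z'; ReportId = 'r-001' }
    [pscustomobject]@{ Activity = 'ExportReport';       UserId = 'bob@contoso.com';  CreationTime = '2025-01-06T22:41:00Z'; ReportId = 'r-002' }
    [pscustomobject]@{ Activity = 'ExportReport';       UserId = 'bob@contoso.com';  CreationTime = '2025-01-06T22:43:00Z'; ReportId = 'r-003' }
    [pscustomobject]@{ Activity = 'ShareReport';        UserId = 'bob@contoso.com';  CreationTime = '2025-01-07T08:05:00Z'; ReportId = 'r-002' }
    [pscustomobject]@{ Activity = 'PublishToWebReport'; UserId = 'cara@contoso.com'; CreationTime = '2025-01-07T10:30:00Z'; ReportId = 'r-004' }
)

function Get-RiskyActivitySummary {
    param(
        [object[]]$Events,
        [string[]]$Watched = @('ExportReport', 'ShareReport', 'PublishToWebReport'),
        [int]$ExportThreshold = 3   # assumption: tune to the tenant's normal volume
    )
    $Events |
        Where-Object { $_.Activity -in $Watched } |
        Group-Object UserId |
        ForEach-Object {
            $g         = $_
            # @( ... ) around a pipeline yields Count 0 when nothing matches
            $exports   = @($g.Group | Where-Object Activity -eq 'ExportReport').Count
            $shares    = @($g.Group | Where-Object Activity -eq 'ShareReport').Count
            $published = @($g.Group | Where-Object Activity -eq 'PublishToWebReport').Count
            [pscustomobject]@{
                UserId       = $g.Name
                Exports      = $exports
                Shares       = $shares
                PublishToWeb = $published
                Reports      = @($g.Group.ReportId | Sort-Object -Unique).Count
                FirstSeen    = ($g.Group.CreationTime | Sort-Object | Select-Object -First 1)
                # Flag any publish-to-web, or export volume at or above the threshold
                Review       = ($published -gt 0) -or ($exports -ge $ExportThreshold)
            }
        } |
        Sort-Object -Property Review, Exports -Descending
}

Get-RiskyActivitySummary -Events $events | Format-Table -AutoSize
```

With the sample data, `bob@contoso.com` (three exports) and `cara@contoso.com` (one publish-to-web) are flagged for review, and `ann@contoso.com` does not appear because viewing is not a watched activity.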
| Cmdlet | Description |
|---|---|
| `Connect-FabricTenant` | Authenticate to Fabric/Power BI tenant (supports PIM role activation) |
| `Disconnect-FabricTenant` | Disconnect and clear session |
| `Enable-FabricAdministratorRole` | Activate eligible Fabric Administrator PIM role in Entra ID |
| `Get-FabricInventory` | Complete tenant inventory with optional assessment and reporting |
| `Get-FabricTenantSettings` | Retrieve tenant-level settings and configurations |
| `Invoke-FabricAssessment` | Assess tenant against best practices and identify issues |
| `New-FabricTenantReport` | Generate statistical report with health scores and top 10 lists |
| `Get-FabricWorkspace` | Retrieve workspace details |
| `Get-FabricCapacity` | Retrieve capacity information |
| `Get-FabricDataset` | Retrieve dataset/semantic model metadata |
| `Get-FabricReport` | Retrieve report information |
| `Get-FabricDashboard` | Retrieve dashboard details |
| `Get-FabricDataflow` | Retrieve dataflow information |
| `Get-FabricGateway` | Retrieve gateway configuration |
| `Get-FabricUser` | Aggregate user permissions |
| `Get-FabricRefreshHistory` | Retrieve dataset refresh history |
| `Get-FabricActivityLog` | Retrieve activity/audit logs |
| `Invoke-FabricScanner` | Execute Scanner API for comprehensive metadata |
| `Export-FabricInventory` | Export inventory to CSV/JSON/Excel/HTML |

Configuration is stored in FabricTenantInventory\Config\default-config.json. Key settings:
- RetryAttempts: Number of retries for failed API calls (default: 3)
- RetryDelaySeconds: Initial delay between retries (default: 5)
- ScannerAPIMaxWorkspaces: Max workspaces per Scanner API request (default: 100)
- ScannerAPITimeoutSeconds: Scanner API timeout (default: 600)
- ActivityLogDaysPerRequest: Days per activity log request (default: 1, max: 30)
The Enable-FabricAdministratorRole cmdlet automatically tries multiple authentication methods:
- Microsoft.Graph module (preferred)
- Az.Accounts module (fallback)
- Azure CLI (fallback)
No need to specify which method - it will try all available methods automatically.
If automatic activation fails, the cmdlet provides step-by-step instructions for:
- Azure Portal: Direct link to PIM activation page
- Required permissions: RoleManagement.ReadWrite.Directory
- Prerequisites check: Verifies eligible role assignment
```powershell
# Install Graph module
Install-Module Microsoft.Graph -Scope CurrentUser
# Connect to Graph
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
# Activate PIM role and connect to Fabric
Connect-FabricTenant -ActivatePIMRole -PIMJustification "Initial setup"
```

```powershell
# If already connected to Microsoft Graph
Connect-FabricTenant -ActivatePIMRole -PIMJustification "Daily inventory"
```

```powershell
# Service principals don't use PIM
$cred = Get-Credential
Connect-FabricTenant -ServicePrincipal -TenantId "contoso.onmicrosoft.com" -Credential $cred
```

```powershell
# Ensure you're connected
Connect-FabricTenant
# Verify connection
$script:FabricConnection
```

The module automatically retries with exponential backoff. For large tenants:
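```powershell
# Batch workspace scans
$workspaces = @(Get-FabricWorkspace)
$batchSize = 100  # matches the ScannerAPIMaxWorkspaces default
# Step through the list in fixed-size slices; a for loop keeps each batch as
# its own array and avoids an empty or reversed final slice
for ($i = 0; $i -lt $workspaces.Count; $i += $batchSize) {
    $last = [Math]::Min($i + $batchSize, $workspaces.Count) - 1
    $batch = $workspaces[$i..$last]
    Invoke-FabricScanner -WorkspaceIds $batch.Id
    Start-Sleep -Seconds 60 # Pause between batches
}
```

Ensure your account or service principal has: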
- Power BI Administrator or Fabric Administrator role
- API permissions: `Tenant.Read.All`, `Workspace.Read.All`
For very large workspaces, increase timeout:
```powershell
# Edit config file
$configPath = ".\FabricTenantInventory\Config\default-config.json"
$config = Get-Content $configPath | ConvertFrom-Json
$config.ScannerAPITimeoutSeconds = 1200 # 20 minutes
# -Depth keeps any nested settings intact (ConvertTo-Json defaults to depth 2)
$config | ConvertTo-Json -Depth 10 | Set-Content $configPath
```

```powershell
# Install the module
Install-Module -Name ImportExcel -Scope CurrentUser
# Or export to CSV instead
Export-FabricInventory -InputObject $inventory -Path "inventory.csv" -Format CSV
```

```powershell
# Check your PIM role assignments
Enable-FabricAdministratorRole -CheckOnly
# If no role found:
# 1. Request Fabric Administrator role from your admin
# 2. Verify in Azure Portal: Entra ID > Roles and administrators > Fabric Administrator > Eligible assignments
```

```powershell
# Install and connect to Microsoft Graph
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
# Verify connection
Get-MgContext
# Try activation again
Enable-FabricAdministratorRole -Justification "Tenant inventory"
```

If activation appears to hang:
- PIM policies may require approval
- Check Azure Portal for pending activation requests
- Contact your admin to approve or adjust PIM policy
- Use manual portal activation as fallback
If role is already active:
```powershell
# The cmdlet will detect this and inform you
Enable-FabricAdministratorRole -Justification "Check status"
# Output: "Role already active! Activated at: [time]"
```

- Use Service Principal for Automation: Schedule regular inventories using service principal authentication
- Batch Large Operations: For tenants with 1,000+ workspaces, batch Scanner API calls
- Monitor Refresh Failures: Regularly check refresh history for critical datasets
- Track Activity Logs: Archive activity logs monthly for compliance
- Export Regularly: Keep historical snapshots for trend analysis
- Small tenant (< 100 workspaces): ~2-5 minutes
- Medium tenant (100-500 workspaces): ~5-15 minutes
- Large tenant (500-2,000 workspaces): ~15-45 minutes
- Very large tenant (> 2,000 workspaces): 45+ minutes
Scanner API is the primary bottleneck for large tenants. Use -IncludeDatasets $false to skip Scanner API if only workspace/capacity inventory is needed.
This module is under active development. Feedback and contributions welcome!
This project is licensed under the MIT License - see the LICENSE file for details.
- Initial pre-release version
- Note: This version is untested and intended for early feedback and testing
- Full tenant inventory support
- Scanner API integration
- Multiple export formats
- Interactive and service principal authentication
- PIM (Privileged Identity Management) role activation support
- Automatic Microsoft Graph authentication with multiple fallback methods
- Comprehensive error handling with manual fallback instructions
- Tenant settings inventory and governance assessment
- Best practice analysis with severity ratings (Critical/High/Medium/Low/Info)
- Automated identification of security risks and compliance issues
- Statistical reporting with health scores and top 10 lists
- HTML report generation with interactive visualizations
- Foreign key relationships across all data types for lineage tracking
For issues, questions, or feature requests, please open an issue on the GitHub repository.
Created by Klaas Vandenberghe (@PowerDBAKlaas)