What it is
A GRC asset inventory of your Microsoft Power Platform, captured for audit. Every asset is a durable record with its maker/admin-portal deep link, so an auditor can click straight through to the source. Assets can be documented (owner, criticality, notes, tags) and linked to TATER controls as evidence. It lives in TATER Manage → Connections → Power Platform Inventory and reuses the same connection as the Flow Monitor — no second setup.
What's captured
| Asset type | Source | Deep link |
|---|---|---|
| Environments | Power Platform admin (BAP) API | admin.powerplatform.microsoft.com |
| Solutions | Dataverse (Microsoft first-party solutions filtered out; publisher kept) | make.powerapps.com |
| Canvas apps | Dataverse | make.powerapps.com |
| Model-driven apps | Dataverse | make.powerapps.com |
| Custom connectors | Dataverse | make.powerapps.com |
| Power BI workspaces / datasets / reports | Power BI read-only admin API (needs a one-time grant — below) | app.powerbi.com |
| Cloud flows | Separate, richer Flow inventory (Ops → Flow Monitor) | make.powerautomate.com |
A daily sweep keeps it current; click Scan now on the page to refresh on demand.
Documenting & linking assets for audit
Click any asset to open its detail card. Set an owner, a criticality, free-text notes, tags, and linked control IDs — the controls this asset is evidence for. Those links are preserved across scans and appear in the audit export.
Audit export
The Audit export (CSV) button produces one consolidated, auditor-ready file listing every Power Platform asset (apps, connectors, environments, solutions, and flows) with its type, environment, maker deep-link, owner, criticality, publisher/managed status, and linked control evidence — exactly the "here's everything and where to find it" artifact an auditor asks for.
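A pre-audit check over the export described above, as an added example that is not TATER's own code: it flags assets with no owner, criticality or linked controls, and deep links whose host does not match the table under "What's captured". The column names, type labels and sample rows are constructed assumptions, not TATER's export schema.

```python
import csv
import io
from urllib.parse import urlparse

# Deep-link host per asset type, from the "What's captured" table.
# The type keys are hypothetical labels, not TATER's own values.
EXPECTED_HOST = {
    "environment": "admin.powerplatform.microsoft.com",
    "solution": "make.powerapps.com",
    "canvas_app": "make.powerapps.com",
    "model_driven_app": "make.powerapps.com",
    "custom_connector": "make.powerapps.com",
    "powerbi_report": "app.powerbi.com",
    "flow": "make.powerautomate.com",
}

# Constructed sample export; column names, links and control IDs are assumptions.
SAMPLE_CSV = """name,type,environment,deep_link,owner,criticality,linked_controls
Prod,environment,Prod,https://admin.powerplatform.microsoft.com/environments/0000,it-ops,high,AC-2
Expense App,canvas_app,Prod,https://make.powerapps.com/e/0000/apps/1111,,medium,
HR Connector,custom_connector,Prod,https://make.powerapps.com.example.net/c/2222,hr-team,high,AC-3;SC-7
Invoice Flow,flow,Prod,https://make.powerautomate.com/flows/3333,finance,low,AU-6
"""


def audit_gaps(csv_text):
    """Return {asset name: [gap, ...]} for rows that would fail an evidence review."""
    gaps = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Documentation fields an auditor expects to be filled in.
        found = [
            f"missing {field}"
            for field in ("owner", "criticality", "linked_controls")
            if not (row.get(field) or "").strip()
        ]
        # Exact host match over HTTPS; a lookalike suffix or unknown type fails.
        url = urlparse(row.get("deep_link") or "")
        expected = EXPECTED_HOST.get(row.get("type") or "")
        if url.scheme != "https" or url.hostname != expected:
            found.append("unexpected deep link")
        if found:
            gaps[row["name"]] = found
    return gaps


if __name__ == "__main__":
    for name, found in audit_gaps(SAMPLE_CSV).items():
        print(f"{name}: {', '.join(found)}")
```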
Power BI — both directions
Feed TATER data OUT to Power BI (no setup)
TATER's data endpoint exposes the inventory as Power BI datasets so you can build your own GRC dashboards:
```
GET https://api.tatersecurity.com/api/reports/powerbi?dataset=powerplatform
GET https://api.tatersecurity.com/api/reports/powerbi?dataset=flows
```
Authenticate with a TATER API key (x-api-key) — see the Power BI integration guide.
Read your Power BI artifacts INTO the inventory (one-time grant)
To inventory your Power BI workspaces, datasets, and reports, grant the TATER scanning app read-only Power BI admin API access (you must be a Fabric/Power BI admin). There are two ways — a PowerShell script (recommended for MSPs / repeatable rollouts) or the portal.
Option A — PowerShell (recommended, repeatable)
Run Grant-PowerBIAdminAccess.ps1 as a Microsoft Entra + Fabric admin. It creates the security group, adds the scanning app to it, enables the tenant setting via the Fabric Admin API (with an automatic portal fallback), and can verify the grant end-to-end.
```powershell
# prereq (once): Install-Module Az.Accounts -Scope CurrentUser
# the AppId is the same scanning app used for the Power Automate connection
./Grant-PowerBIAdminAccess.ps1 -AppId <scanning-app-id> -TenantId <your-tenant-id>
# optional: also verify app-only read works end-to-end
./Grant-PowerBIAdminAccess.ps1 -AppId <app-id> -TenantId <tid> -ClientSecret <secret>
```
The script is self-documenting (run Get-Help ./Grant-PowerBIAdminAccess.ps1 -Full). It also warns if the app has conflicting Power BI Service API permissions (Microsoft requires read-only admin-API service principals to have none).
Option B — Portal (manual)
- Microsoft Entra → create/choose a security group (e.g. TATER-PowerBI-Readers) → add the TATER scanning app (the same app registration used for Power Automate) as a member.
- Power BI → app.powerbi.com → Settings → Admin portal → Tenant settings → Admin API settings → enable "Service principals can access read-only admin APIs" → scope it to that group.
- Under Developer settings, enable "Service principals can call Fabric public APIs" for the group.
Either way: wait ~15 minutes to propagate, then click Scan now on the Power Platform Inventory page — Power BI assets appear automatically. Until granted, the scan simply notes "grant needed" and captures everything else; Power BI is never required for the rest of the inventory.
MCP tools
| Tool | Purpose |
|---|---|
| list_power_platform_inventory | List the inventory (optional type filter) with each asset's maker deep-link. Read-only (Auditor+). |
| document_power_platform_asset | Set an asset's owner/criticality/notes/tags and link it to controls, docs, and Ops tasks as evidence. Admin. |
Permissions & privacy
- Auditor+ can view the inventory + audit export. Admin+ can scan and document/link assets.
- TATER reads asset metadata only (names, ids, publishers, links) — not the data inside apps, datasets, or flows.
- Reuses the existing Power Automate connection; the client secret is encrypted at rest.
Related
- Power Automate Flow Monitor — the richer, health-monitoring inventory for cloud flows.
- Power BI integration — building dashboards over TATER data.