topic Re: Rest API with Service Principal - Can't get past Error 403 in Developer

Rest API with Service Principal - Can't get past Error 403

risDS — Fri, 08 Jul 2022 09:59:54 GMT

Hello everybody,

I seem to require some help on the subject, after several hours of searches and experimentation, I still cannot seem to solve my issue.

I want to use the API to programmatically add rows to a dataset. To do so, I :

- Created an application in my AAD, with an associated secret and gave it the permissions PowerBI "Tenant.ReadWrite.All" and granted the permission with an admin account

- Allowed service principals to use Power BI APIs through the Admin Portal

- Added the service principal account to a newly created Workspace (first as Member, now as Admin)

- Used OAuth 2 authentication flow to get the token (Auth URL : https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token, scope : https://analysis.windows.net/powerbi/api/.default )

- Now the token seems perfectly valid :

- But trying to contact any endpoint ends up with a 403 Forbidden response (ex : https://api.powerbi.com/v1.0/myorg/datasets/)

What am I missing here ?

Thank you in advance, I hope you will help me figure this out !

Re: Rest API with Service Principal - Can't get past Error 403

AmosHersch — Fri, 08 Jul 2022 14:56:31 GMT

Hi @risDS ,

I can't tell for sure, but I guess "Tenant.ReadWrite.All" isn't enough, it might be confusing but it doesn't contain all other scopes. For example if a certain API requires "Report.ReadWrite.All" then it will fail for you.

Each API has it's specific scopes requirement, and if the scope is missing from the token the API will fail.

Re: Rest API with Service Principal - Can't get past Error 403

Anonymous — Wed, 13 Jul 2022 08:37:58 GMT

Hi @risDS,

As AmosHersch said, the tenant permission may not be suitable for all API usages. They will also require the contents level permissions.

For example, the dataset API requires the permissions of the dataset, the report API will require the report permissions. You can find these additional requrenmenmt in the detailed API page 'scope' part.

BTW, they may also require additional permissions or be limited used due to connection mode when you work on particular data sources. (e.g. Azure AS)

Regards,

Xiaoxin Sheng

Re: Rest API with Service Principal - Can't get past Error 403

risDS — Wed, 13 Jul 2022 08:44:17 GMT

Thank you@Anonymous and @AmosHersch for your answers but they are incorrect.

As a matter of fact, using the C# connector (https://github.com/microsoft/PowerBI-CSharp) with the exact same configuration, I am able to correctly carry through with the requests on all operations needed (so far Get groups, Get/Post Datasets, Post Rows in Datasets). It seems to be an issue with Postman authentication flow of some sort but I do not have time to investigate further as of now.