<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Is it possible to have a Service Principal add itself as workspace Member ? in Developer</title>
    <link>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3640420#M48782</link>
    <description>&lt;P&gt;Well of course, that endpoint API adds an SP to a Workspace, but you can only call it with your own identity, or you can call it with an SP identity only if the SP you're using is already a member of the workspace.&lt;/P&gt;&lt;P&gt;That's what I wanted to communicate when I wrote :&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;- Calling the regular non-admin API endpoint to perform the same ends with an error too, indicating that the workspace doesn't exist or I don't have permissions on it. Which is true since the SP is not (yet) a member of the workspace...&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;&lt;SPAN&gt;Thank you for your answer though&amp;nbsp;@Anonymous&amp;nbsp; &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 16 Jan 2024 08:15:09 GMT</pubDate>
    <dc:creator>Yasston</dc:creator>
    <dc:date>2024-01-16T08:15:09Z</dc:date>
    <item>
      <title>Is it possible to have a Service Principal add itself as workspace Member ?</title>
      <link>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3638583#M48759</link>
      <description>&lt;P&gt;Hi, I'm trying to have a Service Principal add itself as a Workspace member (or Contributor or whatever other AccessRight) using the PBI REST API. I'm working on a "normal" PBI Premium capacity.&lt;/P&gt;&lt;P&gt;The SP is Fabric Admin in Azure Tenant. The SP has been created following MS documentation. The SP doesn't have any 'Admin consent' permissions, but has all the other necessary ones. Everything else on the PBI tenant is configured correctly, I can do a lot of operations with this SP, so everything seems to be working as it should. Except that I just can't perform an "add workspace user" call when the SP is not already a member of the workspace.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- This blog post seems to indicate that an SP cannot call the Admin REST API "&lt;SPAN&gt;AddUserAsAdmin (Groups)"&lt;/SPAN&gt; :&amp;nbsp;&lt;A href="https://bennidejagere.com/tag/administration/" target="_blank" rel="noopener"&gt;Administration Archives - Benni De Jagere&lt;/A&gt;&amp;nbsp;(See question number 6).&lt;/P&gt;&lt;P&gt;It seems to rightly point out that&amp;nbsp;&lt;SPAN&gt;AddUserAsAdmin (Groups) cannot be considered a "read-only" API call, and hence MS is not allowing us to call it without a user delegated permission...&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;- Calling the regular non-admin API endpoint to perform the same ends with an error too, indicating that the workspace doesn't exist or I don't have permissions on it. 
Which is true since the SP is not (yet) a member of the workspace...&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;- But I found several disturbing things online that suggest that this can be done somehow :&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;This paid software seems to be able to work in the context of an SP (only), and seems to be able to add itself in a workspace :&amp;nbsp;&lt;A href="https://www.powerbisentinel.com/creating-a-service-principal-and-connecting-to-power-bi/" target="_blank" rel="noopener"&gt;Creating a Service Principal and Connecting to Power BI - Power BI Sentinel&lt;/A&gt; . They literally write :&lt;/LI&gt;&lt;/UL&gt;&lt;PRE&gt;&lt;EM&gt;With this option enabled, this fall back is disabled, and only the Service Principal will be used. If it does not have appropriate access then there may be a gap in your lineage.&lt;/EM&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;Note that this situation can be avoided with the next option below.&lt;/EM&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;FONT face="arial black,avant garde"&gt;&lt;EM&gt;Grant Service Principal "Contributor" access to all workspaces automatically&lt;/EM&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;This is strongly recommended to be enabled.&lt;/EM&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;The Service Principal can only gather lineage and take backups etc. if it has at least 'Contributor' permissions to all workspaces.&lt;/EM&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;You can either grant this yourself manually, or with this option enabled, The Service Principal can grant itself the permissions.&lt;/EM&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;EM&gt;This means that it will always have the correct permissions, even for new workspaces when they're created, without any manual admin. 
This will ensure that Sentinel always provides you with a full complete picture of your estate.&lt;/EM&gt;&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;This article suggests that it can be done also, but looking at the code, the connection to Power BI is made with a user context :&amp;nbsp;&lt;A href="https://www.sqlchick.com/entries/2018/12/1/how-permissions-work-for-a-power-bi-service-administrator?rq=Add-PowerBIWorkspaceUser" target="_blank" rel="noopener"&gt;How Permissions Work for a Power BI Service Administrator — SQL Chick&lt;/A&gt; In the article Sqlchick mentions :&amp;nbsp;&lt;/LI&gt;&lt;/UL&gt;&lt;PRE&gt;The interesting part of the above example is that my Power BI administrator account does *not* have any direct permissions to the workspace. However, the organization scope allows it to be done.&lt;BR /&gt;&lt;BR /&gt;You know what else is interesting? &lt;STRONG&gt;&lt;EM&gt;That same Power BI administrator could assign permission to themselves in order to access the app workspace content.&lt;/EM&gt;&lt;/STRONG&gt; This is very important to realize because it essentially makes all data throughout the organization available to the administrator should they deem it necessary (or if they wish to do something nefarious).&lt;/PRE&gt;&lt;P&gt;I of course tried with her code, and using (or not using) the -Scope Organization argument doesn't change anything if you're trying to Connect- to PBI with an SP&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;An Azure DevOps marketplace extension called "Power BI Actions" (which seems amazing) offers a function to add an SP as a Workspace member in a CI Pipeline. I installed the extension, configured the pbi service connection with my admin SP, but a test shows that it also doesn't work if the admin SP doesn't have access to the workspace prior. 
This extension never explicitly says that what I want to do is possible, but it has loads of examples where somebody first calls a function to create a Workspace (which is also possible with the extension), and then performs some other actions on it. How can that be possible, if on the newly created workspace the SP has not been made a member yet ? Is it because the workspace is created with the same SP, and has automatically been added as its Admin ?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I am trying to do this to fully automate a certain number of things on Power BI items, and it seems that almost anything you want to do in the context of an SP needs that SP to be (at least) a Member of the workspace.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I spent a few days on this already, and I'm out of options ^^ Any help to get a definitive answer on whether this can be done without user permission delegation would be greatly appreciated !&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 15 Jan 2024 09:50:10 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3638583#M48759</guid>
      <dc:creator>Yasston</dc:creator>
      <dc:date>2024-01-15T09:50:10Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to have a Service Principal add itself as workspace Member ?</title>
      <link>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3640326#M48777</link>
      <description>&lt;P&gt;Hi&amp;nbsp; &lt;a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/674623"&gt;@Yasston&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;You can try this example of the rest API for Add Group member, changing the parameter from admin to member.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/rest/api/power-bi/groups/add-group-user" aria-label="Link Groups - Add Group User - REST API (Power BI Power BI REST APIs) | Microsoft Learn" target="_blank"&gt;Groups - Add Group User - REST API (Power BI Power BI REST APIs) | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vyangliumsft_0-1705389250487.jpeg" style="width: 999px;"&gt;&lt;img src="https://community.fabric.microsoft.com/t5/image/serverpage/image-id/1026010i77E37B3629A25037/image-size/large?v=v2&amp;amp;px=999" role="button" title="vyangliumsft_0-1705389250487.jpeg" alt="vyangliumsft_0-1705389250487.jpeg" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;POST &lt;A href="https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/users" aria-label="Link https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/users" target="_blank"&gt;https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/users&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;The body of the request looks like this&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;{
  "identifier": "1f69e798-5852-4fdd-ab01-33bb14b6e934",
  "groupUserAccessRight": "Admin",
  "principalType": "App"
}&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Best Regards,&lt;/P&gt;
&lt;P&gt;Liu Yang&lt;/P&gt;
&lt;P&gt;If this post &lt;STRONG&gt;helps&lt;/STRONG&gt;, then please consider &lt;EM&gt;Accept it as the solution&lt;/EM&gt; to help the other members find it more quickly.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jan 2024 07:14:50 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3640326#M48777</guid>
      <dc:creator>Anonymous</dc:creator>
      <dc:date>2024-01-16T07:14:50Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to have a Service Principal add itself as workspace Member ?</title>
      <link>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3640420#M48782</link>
      <description>&lt;P&gt;Well of course, that endpoint API adds an SP to a Workspace, but you can only call it with your own identity, or you can call it with an SP identity only if the SP you're using is already a member of the workspace.&lt;/P&gt;&lt;P&gt;That's what I wanted to communicate when I wrote :&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;- Calling the regular non-admin API endpoint to perform the same ends with an error too, indicating that the workspace doesn't exist or I don't have permissions on it. Which is true since the SP is not (yet) a member of the workspace...&lt;/SPAN&gt;&lt;/PRE&gt;&lt;P&gt;&lt;SPAN&gt;Thank you for your answer though&amp;nbsp;@Anonymous&amp;nbsp; &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jan 2024 08:15:09 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3640420#M48782</guid>
      <dc:creator>Yasston</dc:creator>
      <dc:date>2024-01-16T08:15:09Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to have a Service Principal add itself as workspace Member ?</title>
      <link>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3645362#M48832</link>
      <description>&lt;P&gt;Up ^^&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jan 2024 08:31:03 GMT</pubDate>
      <guid>https://community.fabric.microsoft.com/t5/Developer/Is-it-possible-to-have-a-Service-Principal-add-itself-as/m-p/3645362#M48832</guid>
      <dc:creator>Yasston</dc:creator>
      <dc:date>2024-01-18T08:31:03Z</dc:date>
    </item>
  </channel>
</rss>