topic Re: Cannot access Admin APIs with service principal via ADF in Developer

Cannot access Admin APIs with service principal via ADF

cmjcf — Fri, 23 Aug 2024 16:17:42 GMT

I'm trying to get Azure Data Factory to read data from the Power BI REST API, and I'm almost at the point of giving up. After several false starts, I've got to the following (step numbers are in reference to the documentation) :

Step 1: I have created a service principal in the Entra tenant
Step 2/3: I have created a security group in the Entra tenant, and added the SP to it
Step 4: I have enabled the relevant settings in Fabric tenant admin, and added the SG to the groups that can access admin APIs
I have removed all permissions from Entra, per the documentation stating that they are not required, and in the case of consent-required permissions, must not be applied
I've added the API with the SP details as a linked service in ADF
I've created a dataset for one of the request types
I've added the dataset as a source on a Data Flow

When I try and run the Data Flow in debug mode, I get the following:

Error: at Source 'source1': Failure to read most recent page request: DF-REST_001 - Error response from server: Some({"error":{"code":"PowerBINotAuthorizedException","pbi.error":{"code":"PowerBINotAuthorizedException","parameters":{},"details":[],"exceptionCulprit":1}}}), Status code: 401. Please check your request url and body. (url:https://api.powerbi.com/v1.0/myorg/admin/groups,request body: None, request method: GET)

When I try running the same in Hoppscotch (RIP Postman), I can get a token, but I still get a 401 with the following:

{ "error": { "code": "PowerBINotAuthorizedException", "pbi.error": { "code": "PowerBINotAuthorizedException", "parameters": {}, "details": [], "exceptionCulprit": 1 } } }

I have verified that the tenant ID and application ID, along with the client secret, are correct. I can access the non-admin APIs just fine. I tried using the object ID instead of the application ID but that results in the following error:

Failed to get access token by using service principal. Error: unauthorized_client, Error Message: AADSTS700016: Application with identifier 'e2e9978f-6d27-40da-974b-3bff70258121' was not found in the directory [...]

I've looked at several resources already and just can't think of what I might be missing here. I found exactly one result on Google for the combination of the ADF and API errors, and it doesn't say anything useful - it just repeats what's in Step 4 of the documentation, which I have already done.

No generic responses please, I've read them already and they weren't helpful.

Re: Cannot access Admin APIs with service principal via ADF

Anonymous — Mon, 26 Aug 2024 08:54:21 GMT

Hi @cmjcf ,

According to the documentation, when using the PBI admin REST API with service principal authentication,” When running under service prinicipal authentication, an app must not have any admin-consent required premissions for Power BI set on it in the Azure portal. ”

Admin - Datasets GetDatasetUsersAsAdmin - REST API (Power BI Power BI REST APIs) | Microsoft Learn

According to my understanding, this means you can try removing all PBI-related API permissions, keeping only the tenant settings enabled, and then check if the API can successfully run using service principal authentication

Best Regards,

Liu Yang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Re: Cannot access Admin APIs with service principal via ADF

cmjcf — Mon, 26 Aug 2024 23:59:52 GMT

Hi @Anonymous,

I think we're getting confused somewhere. In case you're not familiar with the Entra API Permissions blade, the text in that second heading is "Other permissions granted for <tenant name>". The service principal doesn't have any of those permissions. Those are listed as available, because it previously had them, but I removed them, because the documentation stated that they weren't needed and they weren't working anyway. It only has the single permission listed under "Configured permissions".

Re: Cannot access Admin APIs with service principal via ADF

cmjcf — Wed, 28 Aug 2024 18:54:36 GMT

Gave up, went through the instructions again with a new service principal, and now it works.

¯\_(ツ)_/¯

Re: Cannot access Admin APIs with service principal via ADF

PriyankaSS — Tue, 11 Mar 2025 16:16:27 GMT

Did you do anything differently the second time around? Do you have a link to the steps you followed?

Re: Cannot access Admin APIs with service principal via ADF

BI225 — Wed, 16 Jul 2025 13:06:27 GMT

Hi,

I had this problem; I had added all these permissions. It's not necessary.
What I did:
1- Don't add any permissions to the SPN.
2- Add the security group to which the SPN belongs (or simply the SPN) as the Workspace Admin.

And it worked.