topic Re: App registration: Token only works for admin api in Developer

App registration: Token only works for admin api

h4tt3n — Wed, 23 Oct 2024 13:55:51 GMT

Ih all, hope you can help me with this.

I have registered an app in Azure an use its tenant id, client id, an client secret to successfully access the Power BI admin api. However, shouldn't the same token grant me access to the other api's, such as dataset, group etc?

I keep getting 400 errors such as "API is not accessible for application" when attempting to access any other than the admin api.

What am I missing?

Here is my PS function for acquiring the token:

Function GetPowerBiServiceAdminApiToken { [CmdLetBinding()] Param ( [Parameter(Mandatory=$true, Position=0)] [string] $tenantId, [Parameter(Mandatory=$true, Position=1)] [string] $clientId, [Parameter(Mandatory=$true, Position=2)] [string] $clientSecret ) $requestUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" $requestBody = @{ client_id = $clientId client_secret = $clientSecret grant_type = "client_credentials" scope = "https://analysis.windows.net/powerbi/api/.default" } $tokenResponse = Invoke-RestMethod -Method Post -Uri $requestUri -ContentType "application/x-www-form-urlencoded" -Body $requestBody return $tokenResponse.access_token }

And here is a function for retrieving a dataset, which fails with the error message "API is not accessible for application" using the token retrieved above.

Function GetDataset { [CmdLetBinding()] Param ( [Parameter(Mandatory=$true, Position=0)] [string] $token, [Parameter(Mandatory=$true, Position=1)] [string] $datasetId ) $headers = @{ Authorization = "Bearer $token" } $url = "https://api.powerbi.com/v1.0/myorg/datasets/$datasetId" $dataset = Invoke-RestMethod -Uri $url -Headers $headers return $dataset }

Finally, here is a function that gets all datasets through the admin api. It works perfectly using the token:

Function GetAllDatasetsAsAdmin { [CmdLetBinding()] Param ( [Parameter(Mandatory=$true, Position=0)] [string] $token ) $headers = @{ Authorization = "Bearer $token" } $url = "https://api.powerbi.com/v1.0/myorg/admin/datasets" $datasets = Invoke-RestMethod -Uri $url -Headers $headers $datasetCustomObject = @() foreach ($dataset in $datasets.value) { $ds = New-Object PSObject -Property @{ id = $dataset.id name = $dataset.name workspaceId = $dataset.workspaceId } $datasetCustomObject += $ds } return $datasetCustomObject }

Cheers, Mike

Re: App registration: Token only works for admin api

Anonymous — Thu, 24 Oct 2024 03:31:08 GMT

Hi @h4tt3n ,

Base on your description, it sounds like you're encountering an issue with API access permissions. The token works for admin-level REST API bt not for normal REST API. Please check if grant the proper API permission and grant admin consent to those permissions.

1. Go to Azure Portal, navigate to Microsoft Entra ID -> App registrations -> Find your registered app. Select API permissions to add the neccessary API permission: Dataset.ReadWrite.All or Dataset.Read.All.

2. Grant admin consent to the above permissions

Best Regards

Re: App registration: Token only works for admin api

h4tt3n — Thu, 24 Oct 2024 06:07:10 GMT

Hi @Anonymous

There are some noticeable differences between the menu in your screenshot and the menu I am presented with. The grant admin consent button is grayed out. Status column is empty. Also, there is a warning and notice at the top of the screen. I am unsure what to make of them.

The full text of the "admin consent required" notice is:

The "Admin consent required" column shows the default value for an organization. However, user consent can be customized per permission, user, or app. This column may not reflect the value in your organization, or in organizations where this app will be used. Learn more

What are your thoughts?

Cheers, Mike

Re: App registration: Token only works for admin api

Anonymous — Wed, 30 Oct 2024 06:19:00 GMT

Hi @h4tt3n ,

You can refer the following link to get it:

Grant tenant-wide admin consent to an application - Microsoft Entra ID | Microsoft Learn

Best Regards