adrienma
Regular Visitor

API 'Get Report In Group' with invalid 'groupId' returns 200 instead of 404

I am doing some tests with the PowerBI API and I observed something unexpected.

I am using the route "Get Report in Group" (https://learn.microsoft.com/en-us/rest/api/power-bi/reports/get-report-in-group) to fetch details about a report present in a specific Power BI workspace.

However, in some cases it seems that the workspace id is not validated, and the request will execute successfully even if the requested workspace is not the correct one, or does not even exist.

i.e. in this URL https://api.powerbi.com/v1.0/myorg/groups/{groupId}/reports/{reportId} "groupId" can be set to any value such as "None" or "null" or "abcdefg", and the report details will be present in the response.

I understand that it may be related to how my request is authenticated with a service principal that has read access on all reports. But still, I would expect the request to fail with error 404 if an invalid "groupId" is used in the request. This could also be a security issue, if the client application relies on the workspace id validation to restrict the access to a subset of reports.

1 REPLY 1
m-colbert
Resolver III

@adrienma

This is interesting. I use the API a lot and have a whole laundry list of issues that need to be addressed; I have not found the right channel for reporting these issues that can get any attention from Microsoft. I'm confident that when posted here, only the community responds. And when reported as a bug, I get an attempt for workaround solutions from Mindtree, but rarely if ever an acknowledgement of a bug that should be fixed and submitted to the backlog to hopefully be addressed.

 

What you have illustrated above seems like a bug. Other similar calls don't work if you provide the incorrect workspace (group) id.

When it comes to security, the service principal is granted access to use the admin APIs (through the tenant admin settings) but only the read-only methods. If you are not using an admin method, then the service principal needs to be at least a viewer/contributor of the workspace to read information. Since Get Report in Group is not an admin API, I assume your service principal has workspace access? Is that true?

I know that if I try to read data like dataset refreshes and the service principal is not part of the workspace, then I get a not authorized error. It's a shame the REST API can be very powerful, but I find it riddled with bugs and inconsistencies. Especially when it comes to data lineage.
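
An added example, not part of either post and not Microsoft's code: a client-side guard for the concern raised in the question, so that an application restricting access by workspace does not depend on the API rejecting a wrong "groupId". The names `get_report_checked`, `http_get`, the allow-list and the sample GUIDs are hypothetical, and the check assumes the Get Reports In Group listing only returns reports of the requested workspace.

```python
import uuid

API = "https://api.powerbi.com/v1.0/myorg"

class WorkspaceCheckError(Exception):
    """A report request failed the client-side workspace checks."""

def get_report_checked(group_id, report_id, allowed_groups, http_get):
    """Return report details only if the report is listed in an allowed workspace.

    http_get(url) -> (status, json) is a hypothetical wrapper around the
    application's authenticated HTTP client.
    """
    # 1. Reject values such as "None", "null" or "abcdefg" before any request.
    try:
        gid, rid = str(uuid.UUID(group_id)), str(uuid.UUID(report_id))
    except (ValueError, AttributeError, TypeError):
        raise WorkspaceCheckError("groupId/reportId is not a GUID")
    # 2. Enforce the application's own allow-list of workspaces.
    if gid not in {g.lower() for g in allowed_groups}:
        raise WorkspaceCheckError("workspace not permitted for this client")
    # 3. Confirm membership from the workspace listing instead of trusting
    #    the single-report route to validate groupId.
    status, body = http_get(f"{API}/groups/{gid}/reports")
    if status != 200:
        raise WorkspaceCheckError(f"listing workspace failed: HTTP {status}")
    if rid not in {str(r.get("id", "")).lower() for r in body.get("value", [])}:
        raise WorkspaceCheckError("report is not in the requested workspace")
    # 4. Only now fetch the report details.
    status, report = http_get(f"{API}/groups/{gid}/reports/{rid}")
    if status != 200:
        raise WorkspaceCheckError(f"fetching report failed: HTTP {status}")
    return report

# Constructed stand-in for the service, reproducing the behaviour in the post:
# the single-report route answers 200 whatever groupId is.
WS_A = "11111111-1111-1111-1111-111111111111"
WS_B = "22222222-2222-2222-2222-222222222222"
REPORT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed; lives in WS_A only

def fake_http_get(url):
    parts = url[len(API):].strip("/").split("/")  # groups, gid, reports[, rid]
    if len(parts) == 4:
        return (200, {"id": REPORT, "name": "Sales"}) if parts[3] == REPORT else (404, {})
    return 200, {"value": [{"id": REPORT}] if parts[1] == WS_A else []}

if __name__ == "__main__":
    print(get_report_checked(WS_A, REPORT, {WS_A, WS_B}, fake_http_get))
```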
