JamesCSV
New Member

Add Service Principal Profile as anything but Admin

I have set up AppOwnsData embedding with service principal profiles and everything is working as expected when you create a workspace as a profile using the Power BI .NET SDK. When creating the workspace using the profile ID header, it correctly creates the workspace and automatically assigns the profile ID that was in the header as the admin of the workspace.

Now I need to have other service principal profiles added to the same workspace, but I don't want them to be the admin of the workspace, but viewers or contributors since I will be applying RLS to further filter the data through DAX in a Parent Client/Child Client scenario.

My question is why can't I add a service principal profile as anything other than "Admin"?

I get a 400 bad request each time I try to add them as something other than admin.  If I set the GroupUserAccessRight to "Admin", it works as expected and I can give access to multiple service principal profiles to the same workspace.  The same issue is shown if I go into the workspace in app.powerbi.com and try to change the service principal profile to Viewer/Member/Contributor.  I get an error in the UI shown below.

Is this just a limitation that I am not aware of or couldn't find documentation on?  What would be the reasoning of only allowing adding sp profiles as admins?  

JamesCSV_0-1734467904383.png

 

It's a simple operation, but this is how I am calling the addGroupUser endpoint through the .NET SDK.

 

 

            // Requires: using Microsoft.PowerBI.Api; using Microsoft.PowerBI.Api.Models;
            var childGroupUser = new GroupUser
            {
                Identifier = "[ServicePrincipalObjectId]", // not the client id.  Would be nice if that was clear in the docs on what identifier is needed...
                GroupUserAccessRight = GroupUserAccessRight.Contributor, // or Viewer or Member gives 400 bad request
                PrincipalType = PrincipalType.App,
                Profile = new ServicePrincipalProfile
                {
                    // Placeholder: object ID of the service principal profile
                    Id = Guid.Parse("[ServicePrincipalProfileObjectId]")
                }
            };

            Guid groupId = Guid.Parse("[workspaceGuid]");

            await _powerBiClient.Groups.AddGroupUserAsync(groupId, childGroupUser);

 

 

 




1 ACCEPTED SOLUTION
AmosHersch
Microsoft Employee

@JamesCSV Indeed the documentation states that a profile must have Admin access to the workspace, see here:
Use service principal profiles to manage customer data in multitenant apps - Power BI | Microsoft Le...

@AmosHersch Thanks Amos! I understood that as the initial SP profile needs admin access, but not all SP profiles need admin access. I guess that makes sense, since they would need those elevated permissions for the actual embedding part? Regardless, that clears up my misunderstanding!

yeah that's my understanding also
