Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! Get ahead of the game and start preparing now! Learn more

Reply
FabricUser101
New Member

Can't add dataset application perms for Power BI Azure integration?

‎06-04-2025 05:25 AM

I'm trying to let a Service Principal account refresh my Power BI semantic model from a Python script. I've registered the app through Azure. I've done:

  1. Added the Service Principal account to the workspace.
  2. I've enabled Service Principals to use Fabric APIs and have been personally added to an included security group, though the Service Principal is not in one of those groups yet
  3. I've tried doing enabling Service principals can access read-only admin APIs

But when I go to add API application permissions, I only see Tenant permissions. I can see the dataset ones for delegated permissions, but I need these for applications instead. Am I missing something besides adding the app to a security group?

Labels:
Message 1 of 11
811 Views
0
1 ACCEPTED SOLUTION
V-yubandi-msft
Community Support
Community Support

‎06-05-2025 12:55 AM

Hi @FabricUser101 ,

Thank you for reaching out. I understand you’re trying to refresh a Power BI semantic model using a Service Principal and a Python script, but you’re encountering issues because you can’t find the Dataset.ReadWrite.All application permission in Azure, and your script likely fails with a permissions error.

 

In addition to @Akash_Varuna & @tackytechtom  responses.

 

Since you’ve already enabled  Allow service principals to use Fabric APIs,  let’s add your Service Principal to an allowed group. Confirm Allow service principals to use Fabric APIs  is enabled, select Specific security groups, and add your PowerBI ServicePrincipals group.
 Automate Power BI Premium workspace and semantic model tasks with service principals - Power BI | Mi...

 

You’ve added the Service Principal to the workspace, but let's make sure it has the correct role. Verify that your Service Principal (its security group) has at least the Contributor role (Admin is also acceptable). This role allows it to refresh the semantic model.

Roles in workspaces in Power BI - Power BI | Microsoft Learn

Regards,

Yugandhar.

View solution in original post

Message 4 of 11
753 Views
10 REPLIES 10
davidschiedam
Regular Visitor

‎11-20-2025 07:00 AM

Does the solution above also work for executing queries on the data? I seem to be getting an 401 error when i want to evaluate tables. I did all of the above.

Message 6 of 11
338 Views
0
V-yubandi-msft
Community Support
Community Support
In response to davidschiedam

‎11-21-2025 06:32 AM

Hi @davidschiedam ,

The steps I mentioned earlier are mainly for refreshing a semantic model, while running queries against the dataset is a separate process.

If you’re seeing a 401 error when evaluating tables, it typically means the Service Principal lacks the necessary API permissions. For queries, you’ll need to assign the app Dataset.Read.All or Dataset.ReadWrite.All application permissions in Azure AD and ensure tenant admin consent is provided. Without these permissions, the token won’t include the required scopes for querying data.

 

Be sure to also check.

1. The Service Principal is added to the workspace with at least Contributor or Member access.

2. Authentication is done using the Service Principal’s client ID and secret/cert, rather than a user token.

3. Allow service principals to use Fabric APIs is enabled and the Service Principal is included in the allowed group.

With these settings in place, the Service Principal will be able to refresh and query datasets, and the 401 error should be resolved once the Dataset permissions are configured.

 

Please give it a try.

Message 7 of 11
314 Views
0
davidschiedam
Regular Visitor
In response to V-yubandi-msft

‎11-24-2025 04:58 AM

Hey @V-yubandi-msft ,

Thanks for your reply. 

You state that I should assign the app (so PowerBI Service?) Dataset.Read.All (or ReadWrite.All) application permissions. But the problem is that these are not available. At least not as an application permission, but only as a delegated. That won't work with a Service Principal The only application-permissions are for tenants

Or is there any other way to add these app permissions, for example through PowerShell?

I get a bearer token with the Service Principal's client ID and secret, so no user token. 

Hope to hear from you!


Message 8 of 11
250 Views
0
V-yubandi-msft
Community Support
Community Support
In response to davidschiedam

‎11-24-2025 10:35 PM

Hi @davidschiedam ,

Thank you for clarifying. You are right Dataset.Read.All and Dataset.ReadWrite.All are available only as delegated permissions, not as application permissions, so they cannot be assigned to a service principal in Azure AD. For service principals, dataset query permissions are managed through workspace roles and the Fabric tenant setting.

 

To query tables, ensure your service principal is included in the allowed group for Allow service principals to use Fabric APIs and has at least Member or Contributor access in the workspace. Then, use the service principal token with the XMLA endpoint or Execute Queries API. No additional Azure AD application permission is needed. A 401 error usually indicates the service principal does not have dataset query rights in the workspace.

 

Hope this help....

 

Message 9 of 11
224 Views
0
davidschiedam
Regular Visitor
In response to V-yubandi-msft

‎11-25-2025 04:53 AM

Hey @V-yubandi-msft ,

Tried all of the above. Could this be due to the fact that the underlying data is through Direct Query and my workspace doesn't have premium capacity? So changing the semantic data to Import Mode could be the solution.

 

Best,
David

Message 10 of 11
214 Views
0
V-yubandi-msft
Community Support
Community Support
In response to davidschiedam

‎11-25-2025 11:00 PM

Yes, that could very well be the reason. When a dataset is in DirectQuery mode and the workspace is not on Premium/Fabric capacity, a Service Principal won’t be able to run queries against it even if all the permissions are correctly set. This often results in the 401 error you're seeing.

DirectQuery datasets require Premium (F/P/PPU) capacity to allow Service Principals to query via API/XMLA.

If Premium isn’t available, switching the dataset to Import mode is a good workaround, because Import mode supports Service Principal queries even in non Premium workspaces.

 

So yes, changing it to Import mode or using a Premium workspace are both valid solutions.

 

-Yugandhar.

Message 11 of 11
192 Views
0
FabricUser101
New Member

‎06-05-2025 05:16 AM

Thank you @Akash_Varuna and @V-yubandi-msft ! Adding the service principal to a security group that was included in the allowed security groups was all I needed. I don't even need to select which API perms. 

Message 5 of 11
739 Views
V-yubandi-msft
Community Support
Community Support

‎06-05-2025 12:55 AM

Hi @FabricUser101 ,

Thank you for reaching out. I understand you’re trying to refresh a Power BI semantic model using a Service Principal and a Python script, but you’re encountering issues because you can’t find the Dataset.ReadWrite.All application permission in Azure, and your script likely fails with a permissions error.

 

In addition to @Akash_Varuna & @tackytechtom  responses.

 

Since you’ve already enabled  Allow service principals to use Fabric APIs,  let’s add your Service Principal to an allowed group. Confirm Allow service principals to use Fabric APIs  is enabled, select Specific security groups, and add your PowerBI ServicePrincipals group.
 Automate Power BI Premium workspace and semantic model tasks with service principals - Power BI | Mi...

 

You’ve added the Service Principal to the workspace, but let's make sure it has the correct role. Verify that your Service Principal (its security group) has at least the Contributor role (Admin is also acceptable). This role allows it to refresh the semantic model.

Roles in workspaces in Power BI - Power BI | Microsoft Learn

Regards,

Yugandhar.

Message 4 of 11
754 Views
Akash_Varuna
Super User
Super User

‎06-04-2025 11:47 PM

Hi @FabricUser101 Add the Service Principal to a security group with Power BI and Fabric API access. In Azure, grant application permissions for Power BI APIs, using Microsoft Graph if necessary. Enable Service Principal for APIs in Power BI Admin settings and include the security group. Finally, have an admin grant consent to the permissions in Azure.

Message 3 of 11
758 Views
tackytechtom
Super User
Super User

‎06-04-2025 09:02 AM

Hi @FabricUser101 ,

 

I happened to have written a couple of blog articles about refreshing semantic models, where the setup is also explained:
https://www.tackytech.blog/how-to-refresh-power-bi-datasets-from-data-factory-with-managed-identity/...

 

In the case above, we used a data factory pipeline that refreshed a semantic model via managed identity. However, the concept with security groups and allowing APIs and stuff, should be the same (see step 1 and 2).

 

Can you try it the way its explained in the blog article? If this does not work, can you provide some more information on from where you wanna do the refresh call e.g. is it a notebook inside fabric? Then you could use semantic-link for that.

 

/Tom
https://www.tackytech.blog/
https://www.instagram.com/tackytechtom/

 

 



Did I answer your question➡️ Please, mark my post as a solution ✔️

Also happily accepting Kudos 🙂

Feel free to connect with me on LinkedIn! linkedIn

#proudtobeasuperuser 

Message 2 of 11
778 Views
0

Helpful resources

Announcements
November Power BI Update Carousel

Power BI Monthly Update - November 2025

Check out the November 2025 Power BI update to learn about new features.

Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Kudoed Authors
View All