Anonymous
Not applicable

[HELP!] Powershell Automation Script to add group to PowerBI Workspaces with a service principal

Hi !

I am trying to automate a PowerBI task using a service principal.

With a PowerShell script I want to add a group to all the workspaces in my organization.

I am using :

Connect-PowerBIServiceAccount -ServicePrincipal -Credential $credential -Tenant $tenant 

To connect with my service principal which works.
And then I want to retrieve all my workspaces by using :

 

Get-PowerBIWorkspace -All -Scope Organization -Type Workspace -Include All

But it doesn't work....

Error :

Failed to connect or retrieve workspaces: Operation returned an invalid status code 'Unauthorized'

It works if I don't put the -Scope Organization, but in my case I want ALL the workspaces...

I made sure that the group and service principal got all the permissions in the Power BI tenant or API settings as well.
They are literally Admin of the organization...

So if anyone knows how to do it or wants to help, feel free to talk !

Thanks.



4 REPLIES 4
Anonymous
Not applicable

Hi  @Anonymous ,

 

If it is convenient, can you check the following two points again?

1. Tenant Setting: Make sure that the option “Allow service principals to use Power BI Admin APIs” is enabled for your tenant.

Use Power BI API with service principal (Preview) | Microsoft Power BI Blog | Microsoft Power BI

2. Application API Permissions: You should not add any application permissions; only delegated permissions should be added. 

Quickstart: Configure an app to access a web API - Microsoft identity platform | Microsoft Learn

 

Best Regards,

Liu Yang

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Anonymous
Not applicable

Hi @Anonymous , 

Yes no problem.
So 1 - Tenant settings :

[Screenshots: Quentinmlx_0-1717062404479.png, Quentinmlx_1-1717062419750.png]

The service principal is in the security group called "THELIO-PBI-ADMINISTRATORS-SERVICES" and it is also this group that I want to automatically add to every workspace using the service principal.

And point 2: yes, I only have delegated API permissions for my ServicePrincipal; here they are:

[Screenshot: Quentinmlx_2-1717062663797.png]

 

[Screenshots: Quentinmlx_3-1717062704537.png, Quentinmlx_4-1717062719750.png, Quentinmlx_5-1717062733462.png]

(I know there are more than needed, but at first it was to be sure it could access everything)


Best Regards,
Quentin Michelix.

Anonymous
Not applicable

Hi @Anonymous .

Thanks a lot for your reply.
So with the first topic you sent it would more in my case but the -Scope Organization is to make sure to retrieve ALL the workspaces available. It works with a user account but not with the service principal.

The goal is to be able to retrieve all the workspaces so that with the service principal I can add a group as admin to all workspaces. So the second topic you sent wasn't relevant for this case. Thanks.

Here's the code for the access and token :

# Authenticate with Service Principal to Power BI API
try {
    $secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($clientId, $secureSecret)
    Connect-PowerBIServiceAccount -ServicePrincipal -Credential $credential -TenantId $tenant
    Write-Host "Connected to Power BI Service Account successfully" -ForegroundColor Green
} catch {
    Write-Host "Failed to connect to Power BI Service Account: $_" -ForegroundColor Red
    exit
}

# Obtain access token using client credentials flow for Power BI API
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://analysis.windows.net/powerbi/api/.default"
}

try {
    $tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body
    $accessToken = $tokenResponse.access_token
    Write-Host "Obtained access token successfully" -ForegroundColor Green
} catch {
    Write-Host "Failed to obtain access token: $_" -ForegroundColor Red
    exit
}

$headers = @{
    Authorization = "Bearer $accessToken"
}

And then I try to retrieve workspaces :

# Retrieve all workspaces using Admin API
try {
    # The backtick (not a backslash) escapes $ inside a double-quoted PowerShell string
    $url = "https://api.powerbi.com/v1.0/myorg/admin/groups?`$top=5000"
    $workspacesResponse = Invoke-RestMethod -Uri $url -Headers $headers -Method Get
    $workspaces = $workspacesResponse.value
    Write-Host "Retrieved workspaces successfully" -ForegroundColor Green
    $workspaces | Format-Table Id, Name
} catch {
    Write-Host "Failed to connect or retrieve workspaces: $_" -ForegroundColor Red
    Write-Host "Detail: $($_.Exception.Message)" -ForegroundColor Red
    Disconnect-PowerBIServiceAccount
    exit
}

Write-Host "=================================================================================================================================="
Write-Host "Found a total of $($workspaces.Count) workspaces..."
Write-Host "=================================================================================================================================="

But this will not work because I use admin/groups... If I don't use admin it works, but it will return me the workspaces where the group already is (not what I want)...

Thanks,
Best Regards,
Quentin Michelix.

Anonymous
Not applicable

Hi  @Anonymous ,

 

Can you provide us with the exact parameters that are put in the request body, to ensure that the token is not obtained by password but by service principal?

You can try to check again if the client permissions of the service principal are sufficient.

As far as I know:

-Scope

Indicates scope of the call. Individual returns only workspaces assigned to the caller; Organization returns all workspaces within a tenant (must be an administrator to initiate). Individual is the default.

Required Scope

Tenant.Read.All or Tenant.ReadWrite.All

Relevant only when authenticating via a standard delegated admin access token. Must not be present when authentication via a service principal is used.

 

This is the related document, you can view this content:

Solved: Service Principle cannot Get-PowerBIWorkspace - Microsoft Fabric Community

Solved: Error Get-PowerBIDataSet - Unauthorizated - Microsoft Fabric Community

 

Best Regards,

Liu Yang

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.
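
The two checks asked for in the reply above (that the token comes from the service principal rather than a password, and that Tenant.Read.All / Tenant.ReadWrite.All are not present) can be made on the token itself. The following is an added example, not code from the thread or from Microsoft: it decodes the token payload without verifying the signature, and assumes the standard Entra ID `roles` (application permissions) and `scp` (delegated permissions) claims. The function names and the sample token are constructed for illustration.

```powershell
# Added example: decode (NOT verify) an access token and flag the claims the
# reply above says must not be present for a service principal.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-PowerBIAdminToken {
    param([Parameter(Mandatory)][string]$Token)
    $claims  = ConvertFrom-JwtPayload -Token $Token
    # Scopes quoted in the thread as "must not be present" for a service principal
    $blocked = 'Tenant.Read.All', 'Tenant.ReadWrite.All'
    $roles   = @($claims.roles | Where-Object { $_ })   # application permissions
    [pscustomobject]@{
        Audience     = $claims.aud
        # Assumption: delegated (user/password) tokens carry 'scp'; app-only tokens do not
        IsAppOnly    = [string]::IsNullOrEmpty($claims.scp)
        Roles        = $roles
        BlockedRoles = @($roles | Where-Object { $_ -in $blocked })
    }
}

# Constructed, unsigned sample token (hypothetical claims, not a real credential)
function New-SampleToken {
    param([hashtable]$Claims)
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.sig' -f (& $enc '{"alg":"none"}'), (& $enc ($Claims | ConvertTo-Json -Compress))
}

$sample = New-SampleToken @{
    aud   = 'https://analysis.windows.net/powerbi/api'
    roles = @('Tenant.Read.All')
}
$result = Test-PowerBIAdminToken -Token $sample
$result | Format-List
if ($result.BlockedRoles.Count -gt 0) {
    Write-Warning "Token carries $($result.BlockedRoles -join ', '), which the reply above says must not be present."
}
```

On a real run, pass the `$accessToken` returned by the token endpoint instead of `$sample`.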
