cmjcf

How to automatically add service principal to workspaces

We have a service principal that uses the Admin APIs and metadata scanning to report on the content and usage of a Power BI tenant.  Because the GetRefreshablesAsAdmin call does not return all refreshables, and only returns the most recent refresh, we need to use GetRefreshHistoryInGroup to get the full refresh history, which requires the SP to be a member of every workspace.  As new users are added, they get personal workspaces.  As business needs progress, new workspaces are created.  So we need an automated way to add this SP to workspaces it isn't already a member of to maintain the full refresh history of those workspaces.  We know this is possible, as proprietary tools exist that can do this already.

 

I have tried creating an additional SP, granting it Tenant.ReadWrite.All application permission (must be application, not delegated, because this needs to happen automatically and therefore the SP needs to be able to work without user intervention to delegate permission).  But when calling the API to get all workspaces, we get the following:

 

Line |
  62 |      $workspaces = Get-PowerBIWorkspace -Scope Organization -All
     |                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Operation returned an invalid status code 'Unauthorized'

 

 

We initially tried without admin consent for the Tenant.ReadWrite.All permission, given the documentation stated it should not be applied, and then tried again with admin consent, but this did not work either way.

 

In summary, what we need to achieve is to add a given SP to any workspaces it is not already in, without real-user credentials (i.e. the process can run under a SP's own credentials without delegation).  How do we do this?

Anonymous
Not applicable

Hi  @cmjcf ,

 

If you can't find the corresponding application permission, you can try not to grant any permission to this application, and directly enable the “Allow service principals in your organization to create and use profiles.” option for the security group in which the service principal is included in the Power BI admin portal, or for the entire organization to enable the “Allow service principals in your organization to create and use profiles.” option, wait for some time and test whether the API can be tested successfully.

[Screenshot]

 

 

Best Regards,

Liu Yang

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Unfortunately, this does not solve my problem.  The API still returns unauthorised for the "supervisor" SP.  Please unmark as solution.

Anonymous
Not applicable

Hi  @cmjcf ,

 

According to your question, you want to inquire about getting a way to add a given SP to any workspaces it is not already in, without real-user credentials. Based on my search and research so far, adding it manually in the UI is not possible, but you can consider using PowerShell or the REST API to test if it works.

Embed Power BI content in an embedded analytics application with service principal and an applicatio...

Groups - Add Group User - REST API (Power BI Power BI REST APIs) | Microsoft Learn

required scope is Workspace.ReadWrite.All

This API call can be called by a service principal profile. For more information see: Service principal profiles in Power BI Embedded.

Learn how to authenticate for embedded analytics by using a Microsoft Entra application service principal and an application secret.

 

Best Regards,

Liu Yang

If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Workspace.ReadWrite.All does not appear to be available as an application permission:

[Screenshot]

 

I tried adding it as a delegated permission anyway, but that didn't work either.  The API still returns "Unauthorized".

 
