We have a service principal that uses the Admin APIs and metadata scanning to report on the content and usage of a Power BI tenant. Because the GetRefreshablesAsAdmin call does not return all refreshables, and only returns the most recent refresh, we need to use GetRefreshHistoryInGroup to get the full refresh history, which requires the SP to be a member of every workspace. As new users are added, they get personal workspaces. As business needs progress, new workspaces are created. So we need an automated way to add this SP to workspaces it isn't already a member of to maintain the full refresh history of those workspaces. We know this is possible, as proprietary tools exist that can do this already.
I have tried creating an additional SP, granting it Tenant.ReadWrite.All application permission (must be application, not delegated, because this needs to happen automatically and therefore the SP needs to be able to work without user intervention to delegate permission). But when calling the API to get all workspaces, we get the following:
Line |
62 | $workspaces = Get-PowerBIWorkspace -Scope Organization -All
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Operation returned an invalid status code 'Unauthorized'
We initially tried without admin consent for the Tenant.ReadWrite.All permission, given the documentation stated it should not be applied, and then tried again with admin consent, but this did not work either way.
In summary, what we need to achieve is to add a given SP to any workspaces it is not already in, without real-user credentials (i.e. the process can run under a SP's own credentials without delegation). How do we do this?
Hi @cmjcf ,
If you can't find the corresponding application permission, you can try not granting any permission to this application and instead enabling the “Allow service principals in your organization to create and use profiles.” option in the Power BI admin portal, either for the security group that contains the service principal or for the entire organization. Then wait for some time and test whether the API call succeeds.
Best Regards,
Liu Yang
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.
Unfortunately, this does not solve my problem. The API still returns unauthorised for the "supervisor" SP. Please unmark this as the solution.
Hi @cmjcf ,
According to your question, you want to find a way to add a given SP to any workspaces it is not already in, without real-user credentials. Based on my search and research so far, adding it manually in the UI is not possible, but you can consider using PowerShell or the REST API to test if it works.
Groups - Add Group User - REST API (Power BI Power BI REST APIs) | Microsoft Learn
Required scope: Workspace.ReadWrite.All
This API call can be called by a service principal profile. For more information see: Service principal profiles in Power BI Embedded.
Learn how to authenticate for embedded analytics by using a Microsoft Entra application service principal and an application secret.
Best Regards,
Liu Yang
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.
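As an added illustration of the PowerShell/REST approach suggested above (example code written for this thread, not from the original posts or from Microsoft), the script below enrols a reporting SP in every workspace it is missing from via the admin endpoints, auditing first with -DryRun and granting the lowest role by default. It assumes the session was opened with Connect-PowerBIServiceAccount by an identity that actually holds Power BI admin rights (the thread shows the same calls return Unauthorized for an SP that only has Tenant.ReadWrite.All), that $SpObjectId is a placeholder for the reporting SP's Entra object ID, and that Viewer is enough for the refresh-history call (raise it only if it is not).

```powershell
# Added example: add a reporting service principal to every workspace it is not yet in.
# Assumes the caller already ran Connect-PowerBIServiceAccount as a Power BI admin identity.
param(
    [Parameter(Mandatory)][string]$SpObjectId,   # placeholder: Entra object ID of the reporting SP
    [ValidateSet('Viewer','Contributor','Member','Admin')]
    [string]$AccessRight = 'Viewer',             # least privilege; raise only if refresh history needs more
    [switch]$DryRun                              # report what would change, make no changes
)

# Same call the thread uses; requires Power BI admin rights on the signed-in identity
$workspaces = Get-PowerBIWorkspace -Scope Organization -All
$added = 0

foreach ($ws in $workspaces) {
    # Admin - Groups GetGroupUsersAsAdmin: who already has access to this workspace?
    $json  = Invoke-PowerBIRestMethod -Url "admin/groups/$($ws.Id)/users" -Method Get
    $users = ($json | ConvertFrom-Json).value
    $present = $users | Where-Object { $_.principalType -eq 'App' -and $_.identifier -eq $SpObjectId }
    if ($present) { continue }

    Write-Host "Missing from '$($ws.Name)' (type $($ws.Type)) -> would add as $AccessRight"
    if ($DryRun) { continue }

    # Admin - Groups AddUserAsAdmin: same body shape as the Groups - Add Group User API linked above
    $body = @{
        identifier           = $SpObjectId
        principalType        = 'App'
        groupUserAccessRight = $AccessRight
    } | ConvertTo-Json

    try {
        Invoke-PowerBIRestMethod -Url "admin/groups/$($ws.Id)/users" -Method Post -Body $body | Out-Null
        $added++
    } catch {
        # Keep going: one workspace that rejects the change should not abort the whole run
        Write-Warning "Failed on '$($ws.Name)': $($_.Exception.Message)"
    }
}

Write-Host "Added the service principal to $added workspace(s)."
```

Run it once with -DryRun and review the list before applying, since an SP that is a member of every workspace in the tenant is a high-value credential and should hold no more than the role the refresh-history call needs.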
Workspace.ReadWrite.All does not appear to be available as an application permission:
I tried adding it as a delegated permission anyway, but that didn't work either. The API still returns "Unauthorized".