Yasston
New Member

Is it possible to have a Service Principal add itself as workspace Member ?

Hi, I'm trying to have a Service Principal add itself as a Workspace member (or Contributor or whatever other AccessRight) using the PBI REST API. I'm working on a "normal" PBI Premium capacity.

The SP is Fabric Admin in the Azure Tenant. The SP has been created following MS documentation. The SP doesn't have any 'Admin consent' permissions, but has all the other necessary ones. Everything else on the PBI tenant is configured correctly, I can do a lot of operations with this SP, so everything seems to be working as it should. Except that I just can't perform an "add workspace user" call when the SP is not already a member of the workspace.

 

- This blog post seems to indicate that an SP cannot call the Admin REST API "AddUserAsAdmin (Groups)": Administration Archives - Benni De Jagere (see question number 6).

It seems to rightly point out that AddUserAsAdmin (Groups) cannot be considered a "read-only" API call, and hence MS is not allowing us to call it without a user delegated permission...

- Calling the regular non-admin API endpoint to perform the same ends with an error too, indicating that the workspace doesn't exist or I don't have permissions on it. Which is true since the SP is not (yet) a member of the workspace...

- But I found several disturbing things online that suggest that this can be done somehow:

With this option enabled, this fall back is disabled, and only the Service Principal will be used. If it does not have appropriate access then there may be a gap in your lineage.

Note that this situation can be avoided with the next option below.

Grant Service Principal "Contributor" access to all workspaces automatically

This is strongly recommended to be enabled.

The Service Principal can only gather lineage and take backups etc. if it has at least 'Contributor' permissions to all workspaces.

You can either grant this yourself manually, or with this option enabled, The Service Principal can grant itself the permissions.

This means that it will always have the correct permissions, even for new workspaces when they're created, without any manual admin. This will ensure that Sentinel always provides you with a full complete picture of your estate.

 

The interesting part of the above example is that my Power BI administrator account does *not* have any direct permissions to the workspace. However, the organization scope allows it to be done.

You know what else is interesting? That same Power BI administrator could assign permission to themselves in order to access the app workspace content. This is very important to realize because it essentially makes all data throughout the organization available to the administrator should they deem it necessary (or if they wish to do something nefarious).

I of course tried with her code, and using (or not using) the -Scope Organization argument doesn't change anything if you're trying to Connect- to PBI with an SP.

 

  • An Azure DevOps marketplace extension called "Power BI Actions" (which seems amazing) offers a function to add an SP as a Workspace member in a CI Pipeline. I installed the extension, configured the PBI service connection with my admin SP, but a test shows that it also doesn't work if the admin SP doesn't have access to the workspace beforehand. This extension never explicitly says that what I want to do is possible, but it has loads of examples where somebody first calls a function to create a Workspace (which is also possible with the extension), and then performs some other actions on it. How can that be possible, if on the newly created workspace the SP has not been made a member yet? Is it because the workspace is created with the same SP, and it has automatically been added as its Admin?

I am trying to do this to fully automate a certain number of things on Power BI items, and it seems that almost anything you want to do in the context of an SP requires that SP to be (at least) a Member of the workspace.

 

I spent a few days on this already, and I'm out of options ^^ Any help to get a definitive answer on whether this can be done without user permission delegation would be greatly appreciated!

 

3 REPLIES
Yasston
New Member

Well of course, that endpoint API adds an SP to a Workspace, but you can only call it with your own identity, or you can call it with an SP identity only if the SP you're using is already a member of the workspace.

That's what I wanted to communicate when I wrote:

- Calling the regular non-admin API endpoint to perform the same ends with an error too, indicating that the workspace doesn't exist or I don't have permissions on it. Which is true since the SP is not (yet) a member of the workspace...

Thank you for your answer though @Anonymous  🙂

 

Anonymous
Not applicable

Hi  @Yasston ,

 

You can try this example of the rest API for Add Group member, changing the parameter from admin to member.

Groups - Add Group User - REST API (Power BI Power BI REST APIs) | Microsoft Learn


POST https://api.powerbi.com/v1.0/myorg/groups/f089354e-8366-4e18-aea3-4cb4a3a50b48/users

The body of the request looks like this:

{
  "identifier": "1f69e798-5852-4fdd-ab01-33bb14b6e934",
  "groupUserAccessRight": "Admin",
  "principalType": "App"
}

 

Best Regards,

Liu Yang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
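As an added illustration of the call discussed in this thread (example code written for this page, not Microsoft's code and not code from either poster): the script below builds the Groups - Add Group User request with the body shape shown above, validates the two enumerated fields against the values the API accepts, and turns the refusal the original poster describes (the workspace reported as missing or not permitted when the calling service principal is not already in it) into an explicit error instead of a generic HTTP failure. The MSAL client-credentials helper and its scope URL, the choice to treat HTTP 401/403/404 as "caller has no access", and the FakeWorkspaceService transport used to run it offline are assumptions of this example; nothing in it lets a non-member service principal add itself.

```python
"""Call Groups - Add Group User for a Power BI workspace as a service principal.

Added example for this thread, not Microsoft's code and not any poster's. Assumed,
not taken from the thread: MSAL client-credentials token acquisition and its scope;
a pluggable HTTP transport so the logic can run offline against a constructed fake;
HTTP 401/403/404 treated as "the caller has no access to this workspace".
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

PBI_API = "https://api.powerbi.com/v1.0/myorg"
PBI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"  # assumed client-credentials scope

# Allowed body values for this endpoint (per the Add Group User API reference).
ACCESS_RIGHTS = {"Admin", "Contributor", "Member", "Viewer"}
PRINCIPAL_TYPES = {"App", "Group", "User"}


class WorkspaceAccessError(RuntimeError):
    """The API refused the call, e.g. because the caller is not in the workspace."""


def acquire_sp_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for the service principal (needs the msal package)."""
    import msal  # imported lazily so the rest of the module runs without it
    app = msal.ConfidentialClientApplication(
        client_id, authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential=client_secret)
    result = app.acquire_token_for_client(scopes=[PBI_SCOPE])
    if "access_token" not in result:
        raise WorkspaceAccessError(result.get("error_description", "token acquisition failed"))
    return result["access_token"]


def build_add_user_request(group_id: str, identifier: str, access_right: str = "Member",
                           principal_type: str = "App") -> Tuple[str, dict]:
    """Validate inputs and return (url, body) for POST /groups/{groupId}/users."""
    if access_right not in ACCESS_RIGHTS:
        raise ValueError(f"unsupported groupUserAccessRight: {access_right}")
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"unsupported principalType: {principal_type}")
    body = {"identifier": identifier, "groupUserAccessRight": access_right,
            "principalType": principal_type}
    return f"{PBI_API}/groups/{group_id}/users", body


def urllib_sender(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Real transport over stdlib urllib; returns (status, text) even for HTTP errors."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def add_workspace_user(send: Callable, token: str, group_id: str, identifier: str,
                       access_right: str = "Member", principal_type: str = "App") -> bool:
    """Add a principal to the workspace; raise WorkspaceAccessError when the API refuses."""
    url, body = build_add_user_request(group_id, identifier, access_right, principal_type)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, text = send("POST", url, headers, json.dumps(body))
    if status == 200:
        return True
    if status in (401, 403, 404):
        # The failure mode from the thread: the caller is not (yet) in the workspace,
        # so the service reports it as missing / forbidden and no grant happens.
        raise WorkspaceAccessError(
            f"HTTP {status}: caller has no access to workspace {group_id}; the calling "
            f"identity must already be a member before it can add {identifier}. {text}")
    raise WorkspaceAccessError(f"unexpected HTTP {status}: {text}")


class FakeWorkspaceService:
    """Constructed offline stand-in for the API. Tokens are the string 'sp:<objectId>';
    a call succeeds only if that object id is already in the target workspace."""

    def __init__(self, memberships: Dict[str, Dict[str, str]]):
        self.memberships = {g: dict(m) for g, m in memberships.items()}

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        caller = headers["Authorization"].split("Bearer sp:", 1)[1]
        group_id = url.rsplit("/", 2)[-2]  # .../groups/{groupId}/users
        members = self.memberships.get(group_id)
        if members is None or caller not in members:
            return 404, json.dumps({"error": "workspace not found or no permission (constructed)"})
        payload = json.loads(body)
        members[payload["identifier"]] = payload["groupUserAccessRight"]
        return 200, ""


if __name__ == "__main__":
    svc = FakeWorkspaceService({"ws-1": {"sp-a": "Admin"}})  # constructed membership data
    print(add_workspace_user(svc, "sp:sp-a", "ws-1", "sp-b"))  # True: sp-a is already Admin
```

Against the real service, replace the fake with `urllib_sender` and a token from `acquire_sp_token`; the identity behind that token still has to be in the workspace already (or be the identity that created it) for the call to succeed, which is the constraint the thread is about.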

Up ^^
