Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Calling all Data Engineers! Fabric Data Engineer (Exam DP-700) live sessions are back! Starting October 16th. Sign up.

Reply
Alanator500
Regular Visitor

Power BI API GetActivity Metrics Issue with Power BI Service Principal

‎09-22-2025 12:59 PM

Hello Fabric Community,

I'm hoping someone would be able to point me in the right direction. I am attempting to call and populate reporting on the Power BI Service using the Power BI API Documentation. I have moved to a new tenant and followed everything I did in my old tenant. Service Principal is created and inside a group, that group is in workspaces as admin permission, I have set the settings in the admin portal for "Service Principals can call Fabric public APIs" and "Service Principles Can access Read-Only Admin APIs".

Alanator500_1-1758570934774.png


I have granted the App Registration all these permissions

Alanator500_0-1758570586641.png

 

Unfortunately when I try an admin call for get activites to assemble usage in Postman I am getting the following:

{
    "error": {
        "code": "PowerBINotAuthorizedException",
        "pbi.error": {
            "code": "PowerBINotAuthorizedException",
            "parameters": {},
            "details": [],
            "exceptionCulprit": 1
        }
    }
}

Everything I have read is having me go through everything I believe I have set correctly. The service Principal can access APIs that are not admin, but these do not get to the activity level. I'm not sure with this application having access to to all these permissions, especially at the Tenant Read and Tenant Read/Write level, it still cannot access the admin apis.

Any help would be much appreciated.
Labels:
Message 1 of 4
403 Views
0
1 ACCEPTED SOLUTION
Alanator500
Regular Visitor

‎09-25-2025 02:21 PM

I wanted to make sure that I rounded this out. Looking further into the documentation around the Admin APIs. There are a couple things that needed to happen to grant my SP access.

1. The documentation states that "When running under service prinicipal authentication, an app must not have any admin-consent required premissions for Power BI set on it in the Azure portal." (Admin - Get Activity Events - REST API (Power BI Power BI REST APIs) | Microsoft Learn) This meant I needed to revoke any admin-consent required permissions Tenant.Read.All and Tenant.ReadWrite.All

2. I needed to have the SP granted the role of Fabric Admin. (Not sure if this was necessary)
3. I had already done this but for a rounded out solution you need to make sure that Power BI Admin portal had "Service Principals can use Fabric APIs" and "Service Principals can use read only Admin APIs" flipped to "enabled" with the security group your SP is in the only group granted access.

The points in number 1 & 2 were new to me, a couple years ago I was able to set it up with the admin consent permissions, this however must have changed. Once I followed the three above, the SP could access no problem. 

View solution in original post

Message 4 of 4
244 Views
0
3 REPLIES 3
Alanator500
Regular Visitor

‎09-25-2025 02:21 PM

I wanted to make sure that I rounded this out. Looking further into the documentation around the Admin APIs. There are a couple things that needed to happen to grant my SP access.

1. The documentation states that "When running under service prinicipal authentication, an app must not have any admin-consent required premissions for Power BI set on it in the Azure portal." (Admin - Get Activity Events - REST API (Power BI Power BI REST APIs) | Microsoft Learn) This meant I needed to revoke any admin-consent required permissions Tenant.Read.All and Tenant.ReadWrite.All

2. I needed to have the SP granted the role of Fabric Admin. (Not sure if this was necessary)
3. I had already done this but for a rounded out solution you need to make sure that Power BI Admin portal had "Service Principals can use Fabric APIs" and "Service Principals can use read only Admin APIs" flipped to "enabled" with the security group your SP is in the only group granted access.

The points in number 1 & 2 were new to me, a couple years ago I was able to set it up with the admin consent permissions, this however must have changed. Once I followed the three above, the SP could access no problem. 

Message 4 of 4
245 Views
0
Alanator500
Regular Visitor

‎09-23-2025 06:01 AM

Hello,

Thank you for this additional information. I thought that the snapshot of the Power BI Admin Portal was clear on this. My Service Principal is apart of a security group. I "Enabled for a subset of the organization" and placed that security group as the only group allowed to use APIs for Power BI. I have also made sure not to check the box that says "Except" because I am aware that would mean everyone else except the security group, which is not the outcome I want. I am requesting the token with app ID and Secret using the scope "https://analysis.windows.net/powerbi/api/.default". Just wanted to clarify what has been done.

Now I did notice that last sentence, "and if needed, confirm the account has the Power BI Service Admin or Global Admin role." Are you indicating that we can give the Service Principal the Power BI Service Admin role? Just to test I used the Learn site to call the events using my Power BI Admin credentials, that did work but this would not be useful for auto refresh in the Service.

However if the service principal is able to be granted Power BI Admin Role then that may solve the block I am running into. I thought granting the Tenant.Read.All access offers this.

Again thanks for your help on this, sorry for so many additional questions.

Message 3 of 4
329 Views
0
v-kpoloju-msft
Community Support
Community Support

‎09-23-2025 02:48 AM

Hi @Alanator500
Thank you for sharing the details and screenshots.

The error PowerBINotAuthorizedException indicates that your Service Principal does not yet have the required tenant-level permissions to call the Get Activity Events Admin API. While you have already granted API permissions and enabled “Service principals can call Fabric public APIs” and “Service principals can access read-only admin APIs”, there is one extra step. 

The Service Principal must be added to a security group that is explicitly allowed in the Power BI Admin portal under Tenant settings → Admin API settings. Simply having workspace admin rights or API consents in Entra ID is not enough for this admin API. Please also make sure you are requesting the token with the scope https://analysis.windows.net/powerbi/api/.default, and if needed, confirm the account has the Power BI Service Admin or Global Admin role. 

Refer these links:
1. https://learn.microsoft.com/en-in/fabric/enterprise/powerbi/service-premium-service-principal#allow-... 
2. https://learn.microsoft.com/en-in/rest/api/power-bi/admin/get-activity-events 

Hope this helps you move forward. Please give it a try and let us know how it goes.
Thanks for using the Microsoft Fabric Community Forum.

Message 2 of 4
345 Views
0

Helpful resources

Announcements
FabCon Global Hackathon Carousel

FabCon Global Hackathon

Join the Fabric FabCon Global Hackathon—running virtually through Nov 3. Open to all skill levels. $10,000 in prizes!

October Power BI Update Carousel

Power BI Monthly Update - October 2025

Check out the October 2025 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All