Starting December 3, join live sessions with database experts and the Microsoft product team to learn just how easy it is to get started
Learn moreGet certified in Microsoft Fabric—for free! For a limited time, get a free DP-600 exam voucher to use by the end of 2024. Register now
Hello everyone,
recently I have been trying to make Power BI APIs work with service principal authentication. All steps mentioned in this article https://docs.microsoft.com/en-us/power-bi/developer/embedded/embed-service-principal are done:
- an Azure AD app is registered (service principal created)
- an AD security group is created, the app is added to this group
- a Power BI admin has enabled service principal access in the admin portal
- the service principal and the security group are added to the workspace (and granted the admin role)
I am able to generate an access token using the POST method for https://login.microsoftonline.com/common/oauth2/token (screenshot below).
The issue is that whenever this token is used for any further calls (I have tried both non-admin and admin APIs - when it comes to admin ones, I only tested the supported APIS - can be seen in this article https://docs.microsoft.com/en-us/power-bi/admin/read-only-apis-service-principal-authentication), I am shown the 401 unauthorized error.
So my question is: did I overlook some security setting perhaps? Our company uses MFA, but service principals do not use that from what I have found on this forum/in the documentation. Or is the generated token invalid somehow?
Any help is greatly appreciated.
Hi, I meet tyhe same issue, could you please share your solution, thanks
Hi, we are experiencing a similar problem. Were you able to solve the issue?
Try getting the token with your resource set as:
https://analysis.windows.net/powerbi/api/.default
Also make sure that your tenant admin has added the AAD security group to the "specific security group" list in Power BI.
A long time has passed, do you remember how to add AD security group to PowerBI?
When I tried getting the token with the resource set to https://analysis.windows.net/powerbi/api/.default, it threw the following error:
The AAD security group (and also the service principal) has been added to the specific security group list in our Power BI workspace.
Ah, you've been using a different API. Not sure that one would ever work. Heres the working oauth one I have:
Thank you so much, this actually worked, I was finally able to generate a bearer token without any error messages.
The issue now is that whatever call I make using this token, I get the following error:
I tried finding more information about this and everything points to some issue with permissions, but I cannot figure out what's wrong (I have tested both non-admin and some of the supported admin calls). Please, do you have any idea what might be the problem?
UPDATE: some non-admin calls actually work, but I was not able to make any of the admin ones work properly. I have checked Azure again to make sure I have all the correct permissions assigned, and it seems to be the case:
Is anything missing?
Oh, that's easy then. Your POST is wrong. Didnt spot it the first time round because it was right at the top 😄 It must have the tenant ID in it, not 'common'
I use:
https://login.microsoftonline.com/[tenantid]/oauth2/v2.0/token/
I'm curious if you were ever able to resolve this - I'm having the same issue. 401 unauthorized on all calls.
No, not yet - still trying to figure this out. Will update the thread if I find anything.
Hi @matoxin ,
Considerations and limitations
Have you checked these considerations and limitations?
Best regards,
Lionel Chen
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Hello Lionel,
yes, we have checked that article multiple times - to make sure we have not forgotten anything.
Hi,
What API Permissions are set up in your App Registration for Power BI? Everything else seems ok.
Hello, at the moment, the app has the following API permissions:
- Dataset.ReadAll
- Report.ReadAll
- Workspace.ReadAll
I assume that Tenant.ReadAll should be added as well - is that correct?
Starting December 3, join live sessions with database experts and the Fabric product team to learn just how easy it is to get started.
March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early Bird pricing ends December 9th.
User | Count |
---|---|
3 | |
2 | |
1 | |
1 | |
1 |