Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get inspired! Check out the entries from the Power BI DataViz World Championships preliminary rounds and give kudos to your favorites. View the vizzies.

Reply
SergikitoDZ
Frequent Visitor

Why does the API call stop working when used as written in the documentation with Service Principal?

‎02-07-2025 03:05 AM

I have been wondering for some time the following, until it got me stucked:

 

If I send API calls like this with an admin user token, it works as intended: 

GET https://api.powerbi.com/v1.0/myorg/datasets/{datasetId}/datasources

 

It also works if I send an API call like this:

GET https://api.powerbi.com/v1.0/myorg/groups/{workspaceId}/datasets/{datasetId}/datasources 

 

However, if I try to use those API calls with a Service Principal, the first one will response me like this:

GET https://api.powerbi.com/v1.0/myorg/datasets/{datasetId}/datasources 
Error 403 Forbidden

{
"Message": "API is not accessible for application"
}

 

But the second one will work as expected.

 

This behaviour also happens whith other several API calls, and makes me wonder, why? Everything I have found so far points to the easy answer "your Service Principal has not enough API permissions", but right now it has almost every permission possible, but most importantly the ones that are supposed to be needed.

 

Why is this being a problem? Now, I need to use the following with a service principal, and it won't work

GET https://api.powerbi.com/v1.0/myorg/admin/users/{userId}/artifactAccess 
Error 401 Unathorized

{
"error": {
"code": "PowerBINotAuthorizedException",
"pbi.error": {
"code": "PowerBINotAuthorizedException",
"parameters": {},
"details": [],
"exceptionCulprit": 1
}
}
}

 

But if I try to use the same logic as before, it will response with a 404, since it makes no sense to call an administration API using a workspace.

 

Why does that happen and how can I solve it?

Labels:
Message 1 of 3
318 Views
1 ACCEPTED SOLUTION
rohit1991
Super User
Super User

‎02-09-2025 06:53 AM

Hi @SergikitoDZ , The issue arises because Service Principals (SPs) are restricted to workspace-scoped API calls, while admin-level and organization-wide APIs require delegated user authentication. This explains why calling /groups/{workspaceId}/datasets/{datasetId}/datasources works with an SP, but calling /datasets/{datasetId}/datasources directly results in a 403 Forbidden error, as it is an organization-wide endpoint not accessible to applications. Similarly, the admin API (/admin/users/{userId}/artifactAccess) fails with a 401 Unauthorized error because SPs lack delegated permissions, which are required for tenant-wide admin operations. To resolve this, you should use a user account with delegated permissions for admin APIs, while keeping SPs for workspace-level interactions. This is a security limitation set by Microsoft to prevent SPs from performing broad administrative actions across the tenant.

View solution in original post

Message 2 of 3
258 Views
2 REPLIES 2
v-shex-msft
Community Support
Community Support

‎02-09-2025 06:58 PM

Hi @SergikitoDZ ,

Did the above suggestions help with your scenario? if that is the case, you can consider Kudo or Accept the helpful suggestions to help others who faced similar requirements.

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accept as solution to help other members find it more quickly.
Message 3 of 3
241 Views
0
rohit1991
Super User
Super User

‎02-09-2025 06:53 AM

Hi @SergikitoDZ , The issue arises because Service Principals (SPs) are restricted to workspace-scoped API calls, while admin-level and organization-wide APIs require delegated user authentication. This explains why calling /groups/{workspaceId}/datasets/{datasetId}/datasources works with an SP, but calling /datasets/{datasetId}/datasources directly results in a 403 Forbidden error, as it is an organization-wide endpoint not accessible to applications. Similarly, the admin API (/admin/users/{userId}/artifactAccess) fails with a 401 Unauthorized error because SPs lack delegated permissions, which are required for tenant-wide admin operations. To resolve this, you should use a user account with delegated permissions for admin APIs, while keeping SPs for workspace-level interactions. This is a security limitation set by Microsoft to prevent SPs from performing broad administrative actions across the tenant.

Message 2 of 3
259 Views

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code FABINSIDER for a $400 discount!

FebPBI_Carousel

Power BI Monthly Update - February 2025

Check out the February 2025 Power BI update to learn about new features.

March2025 Carousel

Fabric Community Update - March 2025

Find out what's new and trending in the Fabric community.

View All