Toi69___
Regular Visitor

How to get data about users from the Power BI REST API without being an administrator

Hello all,

I am looking for a solution to get activity events or the audit log from the Power BI REST API or Azure.
I created an application on Azure, a service principal and a secret.
I have those permissions too:
Microsoft Graph
- user.read.all (delegated and application)
- auditlog.read.all (delegated and application)
- directory.read.all (delegated and application)
- report.read.all (delegated and application)
Power BI Service
- Tenant.read.all

I still get error messages when I try to get data about activity events from the Power BI REST API or the audit log from Azure.

Important information: I do not have an administrator role.

If someone has some information about that, thanks to all.

v-lgarikapat
Community Support

Hi @Toi69___ ,

Thanks for reaching out to the Microsoft Fabric community forum.

@rohit1991 , @Poojara_D12 , @lbendlin  

Thanks for your prompt response

@Toi69___ 

I wanted to follow up and confirm whether you’ve had the opportunity to review the information provided by the super users. Should you have any questions or require further clarification, please don't hesitate to reach out.

 

We appreciate your engagement and thank you for being an active part of the community.

Best Regards,

Lakshmi Narayana

rohit1991
Super User

Hi @Toi69___ ,
You're encountering errors when trying to access Power BI activity events or Azure audit logs via the REST API because, even though your Azure application has the correct API permissions (such as AuditLog.Read.All, Directory.Read.All, and Tenant.Read.All), accessing this type of sensitive organizational data requires elevated privileges. Specifically, Microsoft enforces that only users with either the Power BI Service Administrator role or Microsoft 365 Global Administrator role can retrieve audit logs and activity event data.

 

This applies whether you're using delegated permissions (on behalf of a signed-in user) or application permissions via a service principal. Without one of these admin roles, the APIs will block access, regardless of the app's permission grants.

 

To move forward, you would either need an administrator to grant consent on behalf of the organization and assign the appropriate admin role to your service account, or request that an admin run the query and provide the data you need. Unfortunately, there's no workaround to bypass this requirement, as it's a security restriction built into Microsoft’s auditing and compliance controls.


Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
Poojara_D12
Super User

Hi @Toi69___ 

You're attempting to access Power BI activity events or audit logs using the Power BI REST API or Microsoft Graph API by leveraging an Azure AD app registration with a service principal and secret. You've correctly assigned both delegated and application-level permissions such as AuditLog.Read.All, Directory.Read.All, Report.Read.All, and Tenant.Read.All, which are required to query audit and activity data. However, despite this setup, you're encountering errors when trying to retrieve the activity data, and the key limitation here is that you do not hold an administrator role in your tenant.

 

This is important because accessing audit logs—whether through the Power BI REST API (GetActivityEvents) or Microsoft Graph API (/auditLogs)—requires elevated privileges that only users in certain administrative roles can exercise. Specifically, you need to be assigned a role such as Global Administrator, Compliance Administrator, Security Administrator, or Report Reader with audit log access. Without this, even though your app technically has the required API permissions, the underlying user context or service principal identity is not authorized to access tenant-level audit data.

 

In summary, the error you’re facing is due to insufficient directory-level permissions tied to your role, not just the API permissions in Azure. To resolve this, you’ll need to request that a tenant administrator either:

 

- Assign you an appropriate admin role (like Compliance Admin), or
- Set up a separate service principal account with the required role and permissions, and use that identity for your API calls.

 

Without admin role privileges, Microsoft blocks access to sensitive logs for security and compliance reasons, regardless of the app permissions granted in Azure AD.

 

Did I answer your question? Mark my post as a solution, this will help others!
If my response(s) assisted you in any way, don't forget to drop me a "Kudos"

Kind Regards,
Poojara - Proud to be a Super User
Data Analyst | MSBI Developer | Power BI Consultant
Consider Subscribing my YouTube for Beginners/Advance Concepts: https://youtube.com/@biconcepts?si=04iw9SYI2HN80HKS

Thank you for this overview.
I still have a question when you say:

"Set up a separate service principal account with the required role and permissions, and use that identity for your API calls."

I do not understand, because when I make my API call, I use my service principal information to get data.


Here is my Python, which gives me the token:

import msal
import requests
import pandas as pd

# === Parameters ===
TENANT_ID = 'my tenant id'
CLIENT_ID = 'my client id of my enterprise application'
CLIENT_SECRET = 'My secret '
# Scope for the client-credentials flow against Microsoft Graph
GRAPH_SCOPE = ["https://graph.microsoft.com/.default"]

# === Authentication ===
def get_graph_access_token():
    # Confidential client: authenticates as the service principal itself
    app = msal.ConfidentialClientApplication(
        client_id=CLIENT_ID,
        authority=f"https://login.microsoftonline.com/{TENANT_ID}",
        client_credential=CLIENT_SECRET
    )
    result = app.acquire_token_for_client(scopes=GRAPH_SCOPE)
    if "access_token" in result:
        return result['access_token']
    else:
        raise Exception(f"Échec de l'authentification : {result}")

# === Main script ===
if __name__ == "__main__":
    token = get_graph_access_token()

With this I can get data from the Microsoft Graph API in its v1.0 version, but for the audit log I need to use the beta version, and at that point I receive an error.

So if I understand, I receive a token which is connected to my service principal, so in this case I should not have a permissions error?

Do I understand correctly?
If not, could you give me the solution to use my service principal correctly?

Thank you @Poojara_D12 
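
Added example, not part of the original post or of any poster's code: the token returned by `acquire_token_for_client` is a JWT, and decoding its payload locally shows which API it was issued for (`aud`) and which application permissions it carries (`roles`). The sample token, the placeholder `appid` and the function names are constructed for illustration; the signature is not verified, so this is for diagnosis only.

```python
import base64
import json

# Values seen in the "aud" claim of Microsoft Graph tokens (URL or Graph's app GUID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def decode_claims(access_token):
    """Return the JWT payload as a dict. Diagnostic only: no signature check."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(access_token, expected_audiences, required_roles):
    """Compare what the token carries with what the API call needs."""
    claims = decode_claims(access_token)
    granted = set(claims.get("roles", []))  # app-only tokens list app permissions here
    return {
        "audience_ok": claims.get("aud") in expected_audiences,
        "missing_roles": sorted(set(required_roles) - granted),
        "app_only": "scp" not in claims,  # "scp" marks a delegated (user) token
        "appid": claims.get("appid") or claims.get("azp"),
    }

def _make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"

# Constructed sample: a Graph token that lacks AuditLog.Read.All.
SAMPLE_TOKEN = _make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "11111111-2222-3333-4444-555555555555",  # constructed placeholder
    "roles": ["User.Read.All", "Directory.Read.All"],
})

if __name__ == "__main__":
    needed = ["AuditLog.Read.All", "User.Read.All"]
    print(check_token(SAMPLE_TOKEN, GRAPH_AUDIENCES, needed))
```

A permission that appears in the app registration but not in `roles` has not been admin-consented, and a token whose `aud` is Microsoft Graph is not accepted by the Power BI REST API, which needs its own token. The claims say nothing about directory roles or tenant settings, which the replies in this thread point to.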
lbendlin
Super User

"Important information: I do not have an administrator role."

Then you will not have access to these API endpoints.
