Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
arpost
Post Prodigy
Post Prodigy

Anyone able to use Get Model API with Power Platform custom connector?

‎05-22-2025 08:56 AM

Greetings, all. I'm trying to create a Custom Connector so Power Apps and Power Automate can interact with the Fabric APIs. I'm trying to use the Get Model API (MS doc), but I keep getting the following error:

 

"errorCode": "InsufficientScopes",
"message": "The caller does not have sufficient scopes to perform this operation"

arpost_2-1747929359681.png

 

I've confirmed my app registration has sufficient privileges:

 

arpost_0-1747929115531.png

And that it has access to the workspace:

arpost_1-1747929265491.png

 

So I'm rather stumped. Anyone have ideas?

Labels:
Message 1 of 12
952 Views
0
1 ACCEPTED SOLUTION
v-pnaroju-msft
Community Support
Community Support

‎06-01-2025 01:04 AM

Hi arpost,

Thank you for your follow-up.

When using the HTTP with Azure AD action in Power Automate, pre-authorization is managed automatically through client credentials. You only need to configure the action with the appropriate Azure AD details, and Power Automate will handle token acquisition seamlessly in the background.

If you find our response helpful, kindly consider marking it as the accepted solution and providing kudos. This will greatly assist other members of the community who may have similar queries.

Should you have any further questions, please feel free to reach out to the Microsoft Fabric community.

Thank you.

View solution in original post

Message 10 of 12
588 Views
0
11 REPLIES 11
v-pnaroju-msft
Community Support
Community Support

‎06-07-2025 08:51 PM

Hi arpost,

We are following up to see if your query has been resolved. Should you have identified a solution, we kindly request you to share it with the community to assist others facing similar issues.

If our response was helpful, please mark it as the accepted solution and provide kudos, as this helps the broader community.

Thank you.

Message 12 of 12
468 Views
0
v-pnaroju-msft
Community Support
Community Support

‎06-04-2025 08:30 AM

Hi arpost,

We wanted to check in regarding your query, as we have not heard back from you. If you have resolved the issue, sharing the solution with the community would be greatly appreciated and could help others encountering similar challenges.

If you found our response useful, kindly mark it as the accepted solution and provide kudos to guide other members.

Thank you.

Message 11 of 12
503 Views
0
v-pnaroju-msft
Community Support
Community Support

‎06-01-2025 01:04 AM

Hi arpost,

Thank you for your follow-up.

When using the HTTP with Azure AD action in Power Automate, pre-authorization is managed automatically through client credentials. You only need to configure the action with the appropriate Azure AD details, and Power Automate will handle token acquisition seamlessly in the background.

If you find our response helpful, kindly consider marking it as the accepted solution and providing kudos. This will greatly assist other members of the community who may have similar queries.

Should you have any further questions, please feel free to reach out to the Microsoft Fabric community.

Thank you.

Message 10 of 12
589 Views
0
v-pnaroju-msft
Community Support
Community Support

‎05-31-2025 06:50 AM

Hi arpost,

We have not received a response from you regarding the query and were following up to check if you have found a resolution. If you have identified a solution, we kindly request you to share it with the community, as it may be helpful to others facing a similar issue.

If you find the response helpful, please mark it as the accepted solution and provide kudos, as this will help other members with similar queries.

Thank you.

Message 9 of 12
692 Views
0
v-pnaroju-msft
Community Support
Community Support

‎05-27-2025 02:38 PM

Hi arpost,

Thank you for your follow-up.

1.You are utilising a service principal that authenticates via the client credentials flow, a machine-to-machine authentication method which does not involve user interaction. However, the Power BI (and Fabric) REST APIs such as Get Model currently expose permissions like Dataset.Read.All and SemanticModel.Read.All only as delegated permissions within Azure AD. Despite this, these APIs do support service principals, provided the token is acquired using the client credentials flow, which is the method you are employing. It is important to note that these permissions will not appear under the Application Permissions tab in Azure AD, and this is expected behaviour rather than an error in your configuration.

2.There is a limitation with Power Platform Custom Connectors. Custom connectors in Power Apps and Power Automate do not support the client credentials flow. They are restricted to OAuth 2.0 delegated (authorization code) flows, which necessitate a signed-in user—a condition that is not applicable for service principals. Therefore, even if your service principal is correctly configured and the necessary permissions are granted, your custom connector will continue to fail with an "InsufficientScopes" error because it attempts to use an authentication flow that does not correspond to the correct authentication context.

You may circumvent this limitation by using Power Automate’s HTTP with Azure AD action, which does support the client credentials flow.

If you find our response helpful, kindly mark it as the accepted solution and provide kudos. This will assist other community members encountering similar queries. Should you have any further questions, please feel free to reach out to the Microsoft Fabric community.

Thank you.

Message 7 of 12
770 Views
arpost
Post Prodigy
Post Prodigy
In response to v-pnaroju-msft

‎05-31-2025 08:16 AM

I appreciate the detailed reply; sorry for the delay. I’m headed OOO and had some things to finish.

 

When you say use the Power Automate HTTP action, are you saying preauthorized should work, or am I going to have to set up a process to get a bearer token?

Message 8 of 12
644 Views
0
v-pnaroju-msft
Community Support
Community Support

‎05-26-2025 03:15 AM

Thankyou, @burakkaragoz, for your response.

Hi arpost,

Based on my understanding of the error message, you are currently using delegated permissions with a service principal. This is not supported for certain APIs, such as the Get Model API in Microsoft Fabric/Power BI. Delegated permissions function only with signed-in users, whereas service principals require application permissions.

Kindly follow the steps outlined below, which may help you resolve the issue:

  1. As you are using a service principal, you need to switch from delegated permissions to application permissions in your Azure App Registration.
  2. Navigate to Azure Portal > App registrations > [Your App] > API permissions. Click on "Add a permission." Select "Power BI Service," then switch to the "Application permissions" tab (and not "Delegated"). Add the required permissions such as Dataset.Read.All, SemanticModel.Read.All, and any others needed, for example, Workspace.Read.All. Click "Add permissions" and ensure you grant admin consent for your tenant. This is essential for service principals, as admin consent is mandatory for application permissions.
  3. Custom connectors cannot be used with service principals because they don’t support client credentials flow.
  4. Since service principals authenticate without user interaction, it is necessary to use the client credentials flow rather than the authorization code or delegated flows. However, custom connectors in Power Platform do not natively support the client credentials flow. A recommended solution is to use a custom connector backed by an Azure Function or Azure API Management, which obtains a token using the client credentials grant and proxies the request. Alternatively, you may use the Power Automate HTTP action instead of a custom connector by using the HTTP with Azure AD connector. Configure it with the Tenant ID, Client ID, Client Secret, and Resource set to https://analysis.windows.net/powerbi/api and call the Get Model API directly with this token.
  5. Lastly, please ensure that the service principal has at least Member access in the workspace and that the dataset/model you intend to query is published and accessible from that workspace.

For your reference, please review the following link:
Authenticate your API and connector with Microsoft Entra ID | Microsoft Learn

 

If you find this response helpful, kindly mark it as the accepted solution and provide kudos. This will assist other community members facing similar challenges. Should you have any further queries, please feel free to reach out to the Microsoft Fabric community.

Thank you.

Message 5 of 12
820 Views
arpost
Post Prodigy
Post Prodigy
In response to v-pnaroju-msft

‎05-27-2025 09:35 AM

@v-pnaroju-msft, thank you for the reply. Regarding the Get Model and Get Model Definition APIs, the MS documentation states that these are supported for Use authenticated scenarios (see Get Model and Get Model Definition).

 

arpost_1-1748363704920.png

 

Also, Application Permissions for the App Registration in Azure doesn't include any of the stated permissions. That tab only includes tenant-wide items.

 

arpost_0-1748363622995.png

Message 6 of 12
802 Views
0
burakkaragoz
Community Champion
Community Champion

‎05-22-2025 10:58 PM

Hi @arpost ,

 

That error usually means the token being used doesn’t have the right scopes, even if the app registration looks good. Since you're using a custom connector, make sure the connector is actually requesting the scopes you’ve granted in Azure AD. Sometimes the issue is not with the app registration itself, but with how the token is being acquired.

Also, double-check if you're using delegated permissions — those require a signed-in user context. If you're using a service principal (which it looks like you are), you’ll need application permissions instead. Delegated ones won’t work in that case.

Let me know if you’re using OAuth 2.0 in the connector setup and what grant type you’ve selected — that might help narrow it down.

 

If my response resolved your query, kindly mark it as the Accepted Solution to assist others. Additionally, I would be grateful for a 'Kudos' if you found my response helpful.

Message 2 of 12
914 Views
arpost
Post Prodigy
Post Prodigy
In response to burakkaragoz

‎05-27-2025 09:39 AM

@burakkaragoz, can you clarify what you mean by "actually requesting the scopes you've granted"? Do you mean adding each scope to the Scope section in the Security tab?

Message 4 of 12
800 Views
0
arpost
Post Prodigy
Post Prodigy
In response to burakkaragoz

‎05-23-2025 01:29 PM

Thanks for the reply. This is how I have the Custom Connector configured in terms of authentication:

 

arpost_1-1748032119367.png

Message 3 of 12
887 Views
0

Helpful resources

Announcements
July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June FBC25 Carousel

Fabric Monthly Update - June 2025

Check out the June 2025 Fabric update to learn about new features.

View All