Hi,
When a user uses a service principal to call the Power BI Rest API, why does it retrieve more data than the user has access to?
Background:
In order to use the Power BI Rest API, we need to create an app registration and give the app registration Delegated permissions to use the API.
https://learn.microsoft.com/en-us/rest/api/power-bi/#scopes
Delegated permissions mean an application can access resources on behalf of the user, but it can only access resources which the user has access to.
Now let's say we want to use the app registration's Service principal to authenticate to the Power BI Rest API.
We first add the service principal to some workspaces in Power BI in order to give the service principal access to our Power BI data. Let's say we add the service principal to more workspaces than the user is added to.
When the user then calls the Power BI Rest API by using the service principal, the user can retrieve more data than the user themself has access to. It seems the Power BI REST API call returns the data for all the workspaces where the service principal has been added - not only the workspaces where the user has been added.
Does the service principal not respect the "delegated permissions" setting on the App registration?
How does this work?
Is there a fundamental difference between authenticating through an app registration vs. authenticating by using the service principal?
I'm new to the concept of app registration and service principal, and trying to understand how it works. Hope someone can explain why the service principal returns more data than the user themself has access to.
I want to let a user use a service principal in order to authenticate to the Power BI Rest API.
Hi @frithjof_v
I'll try to answer these questions in my own words, maybe not precisely, but probably easier to understand.
In order to use the Power BI Rest API, we need to create an app registration. And we will use this App to go through the Microsoft Entra ID authentication process and get an access token for querying Power BI REST APIs. There are two types of authentication here: master user and service principal.
You can play around by creating two Apps, one for master user and the other for service principal, to experience the differences between the two. Based on my previous test results, it is recommended to handle the two types of authentication by using different apps. Mixing them in one app may cause some authentication conflict errors/failures when the app is used in a scenario where one authentication type is not supported.
Here are some blogs and documentation for your reference:
Use Power BI API with service principal (Preview) | Microsoft Power BI Blog | Microsoft Power BI
Best Regards,
Jing
If this post helps, please Accept it as Solution to help other members find it. Appreciate your Kudos!
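The difference between the two authentication types Jing describes is visible in the access token itself. A master-user (delegated) token carries a user identity and an `scp` claim, so Power BI authorizes it against that user's workspace access; a service-principal token obtained with client credentials carries no user at all, so Power BI authorizes it against the service principal's own workspace membership, which is why it returns every workspace the service principal was added to. The following is an added example (not code from the post or from Microsoft): it decodes the payload of two constructed, unsigned sample tokens and classifies them by the standard Entra ID claims. The GUIDs, user name and scope strings are placeholders, and the decoder deliberately does not verify signatures, so it is for inspection only.

```python
import base64
import json

# Constructed sample tokens: the header and signature are placeholders, so these
# are NOT valid Entra ID tokens and must never be sent to a real API.
def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _fake_jwt(payload: dict) -> str:
    header = _b64url({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{_b64url(payload)}.placeholder-signature"

# Delegated (master user) token: a user signed in and the app acts on that
# user's behalf, so Entra ID issues an 'scp' claim and user claims (upn/oid).
DELEGATED_TOKEN = _fake_jwt({
    "aud": "https://analysis.windows.net/powerbi/api",
    "appid": "00000000-0000-0000-0000-000000000001",   # placeholder app id
    "upn": "user@example.com",                          # placeholder user
    "scp": "Workspace.Read.All Dataset.Read.All",
})

# App-only (service principal) token from the client credentials flow: there is
# no signed-in user, so no 'scp' and no 'upn'; the caller IS the app.
APP_ONLY_TOKEN = _fake_jwt({
    "aud": "https://analysis.windows.net/powerbi/api",
    "appid": "00000000-0000-0000-0000-000000000001",   # placeholder app id
    "idtyp": "app",                                     # optional claim, if enabled
})

def decode_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def classify_token(token: str) -> str:
    """'delegated' when the token has a user context ('scp' claim), otherwise
    'app-only': Power BI then checks the service principal's workspace
    membership, not any user's, so delegated permissions never apply."""
    claims = decode_payload(token)
    if "scp" in claims:
        return "delegated"
    return "app-only"

def authorized_identity(token: str) -> str:
    """Which identity Power BI will authorize the call against."""
    claims = decode_payload(token)
    return claims.get("upn", "service principal " + claims.get("appid", "?"))
```

Decoding a real token this way is a quick check when an API call returns more (or less) than expected: if the payload has no `scp` claim, the request was app-only and the user's own workspace access was never part of the decision.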
Perhaps the answer is found here:
If you have a Pro license you can open a Pro ticket at https://admin.powerplatform.microsoft.com/newsupportticket/powerbi
Otherwise you can raise an issue at https://community.fabric.microsoft.com/t5/Issues/idb-p/Issues .
I'm hoping someone can answer here so I don't need to create a support ticket for this question.
I think the answer to this question will be useful for many (if not all) users who are using the Power BI REST API.