frithjof_v
Resident Rockstar

Power BI REST API: Delegated permissions vs. Service principal

Hi,

 

When a user uses a service principal to call the Power BI REST API, why does it retrieve more data than the user has access to?

 

Background:

 

In order to use the Power BI REST API, we need to create an app registration and give the app registration Delegated permissions to use the API.

 

https://learn.microsoft.com/en-us/rest/api/power-bi/#scopes

 

Delegated permissions means an application can access resources on behalf of the user, but it can only access resources which the user has access to.

 

https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview#delegated-acc...

 

Now let's say we want to use the app registration's Service principal to authenticate to the Power BI REST API.

 

We first add the service principal to some workspaces in Power BI in order to give the service principal access to our Power BI data. Let's say we add the service principal to more workspaces than the user is added to.

 

When the user then calls the Power BI Rest API by using the service principal, the user can retrieve more data than the user themself has access to. It seems the Power BI REST API call returns the data for all the workspaces where the service principal has been added - not only the workspaces where the user has been added.

 

Does the service principal not respect the "delegated permissions" setting on the App registration?

 

How does this work?

 

Is there a fundamental difference between authenticating through an app registration vs. authenticating by using the service principal?

 

I'm new to the concept of app registration and service principal, and trying to understand how it works. Hope someone can explain why the service principal returns more data than the user themself has access to.

 

I want to let a user use a service principal in order to authenticate to the Power BI REST API.

1 ACCEPTED SOLUTION

Hi @frithjof_v 

 

I'll try to answer these questions in my own words, maybe not precisely, but probably easier to understand.

 

In order to use the Power BI REST API, we need to create an app registration. And we will use this App to go through the Microsoft Entra ID authentication process and get an access token for querying Power BI REST APIs. There are two types of authentication here: master user and service principal.

 

  • Master user: this authentication will use your Power BI account. You provide your username (Microsoft Entra ID account, the same as your Power BI account) and password (or certificate). MFA is probably needed if your organization has enabled that. In this way, you need to give the app registration specific Delegated permissions to use the APIs. When using Power BI REST APIs, your permissions are limited by the delegated permissions and you can only access resources which you have access to.
  • Service principal: this authentication doesn't use any user account. It can act like a "user". You don't have to give the app registration Delegated permissions. Its permissions are managed in Power BI Service and Power BI Admin portal. You can add it to workspace roles directly, or add it to a security group then add the security group to workspace roles. In this way, the "service principal" of an App is activated and it has the permissions for the role it has in Power BI. 

 

You can play around by creating two Apps, one for master user and the other for service principal, to experience the differences of both. Based on my previous test results, it is recommended to handle the two types of authentications by using different apps. Mixing them in one app may cause some authentication conflict errors/failures when the app is used in a scenario where one authentication type is not supported.

 

Here are some blog posts and documentation for your reference:

Use Power BI API with service principal (Preview) | Microsoft Power BI Blog | Microsoft Power BI

Embed Power BI content in an embedded analytics application with service principal and an applicatio...

 

Best Regards,
Jing
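An added example, not part of the original thread: the difference the answer describes is visible in the access token itself. This sketch classifies a token as delegated or app-only from its claims, using the `scp` and `idtyp` claims as a heuristic; the function names and both sample tokens are constructed for illustration, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

API = "https://analysis.windows.net/powerbi/api"   # Power BI resource (audience)
APP_ID = "00000000-0000-0000-0000-00000000a001"    # constructed app registration id

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string from constructed claims (sample input)."""
    return f'{_b64url({"alg": "none", "typ": "JWT"})}.{_b64url(claims)}.'

def read_claims(token: str) -> dict:
    """Decode the payload for inspection only; the signature is not verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def classify(token: str) -> dict:
    """Heuristic: delegated tokens carry `scp`; app-only tokens have none."""
    c = read_claims(token)
    scopes = c.get("scp", "").split()
    app_only = c.get("idtyp") == "app" or not scopes
    return {
        "flow": "app-only" if app_only else "delegated",
        "client": c.get("appid") or c.get("azp"),
        "user": None if app_only else c.get("upn") or c.get("preferred_username"),
        "scopes": scopes,
        "data_bounded_by": "service principal's workspace roles" if app_only
                           else "signed-in user's access and consented scopes",
    }

# Constructed sample tokens: same app registration, two different flows.
DELEGATED = make_sample_token({
    "aud": API, "appid": APP_ID, "upn": "analyst@contoso.example",
    "oid": "00000000-0000-0000-0000-00000000b002",
    "scp": "Dataset.Read.All Workspace.Read.All",
})
APP_ONLY = make_sample_token({
    "aud": API, "appid": APP_ID, "idtyp": "app",
    "oid": "00000000-0000-0000-0000-00000000c003",
    "sub": "00000000-0000-0000-0000-00000000c003",
})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        print(name, json.dumps(classify(tok), indent=2))
```

An app-only token names no user, so anyone holding the client secret sees every workspace the service principal was added to; keep its workspace roles to what those callers should see.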

4 REPLIES
frithjof_v
Resident Rockstar
lbendlin
Super User

If you have a Pro license you can open a Pro ticket at https://admin.powerplatform.microsoft.com/newsupportticket/powerbi
Otherwise you can raise an issue at https://community.fabric.microsoft.com/t5/Issues/idb-p/Issues .

I'm hoping someone can answer here so I don't need to create a support ticket for this question.

 

I think the answer to this question will be useful for many (if not all) users who are using the Power BI REST API.
