Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Preparing for a certification exam? Ask exam experts all your questions on May 15th. Register now.

Reply
alfBI
Resolver I
Resolver I

API Permissions (Power BI Service). Difference between Permissions

‎05-05-2025 11:23 AM

Hi,

 

I am creating a service principal to use Power BI Service API and I am a bit confused with regards the difference between the different permission/scopes that can be granted to the API

 

alfBI_1-1746469153701.png

 

does the  Tenant.WriteReadAll permission includes all the other ones *.WriteReadll? I think so, but my tenant admin requires to clarify what is the purposed of the permission before to consent it.

 

alfBI_0-1746469049807.png

Could I destroy something out of the Power BI Service (I mean for instance some Azure subscription group) scope with the Tenant.WriteReadAll permission given to the Power BI Service API?

 

 

alfBI_3-1746469363826.png

 

(this is the message that the admin receives to consent)

 

Regards,

 

 

Labels:
Message 1 of 5
146 Views
0
1 ACCEPTED SOLUTION
lbendlin
Super User
Super User
In response to alfBI

‎05-05-2025 01:25 PM

I see what you mean. Items outside the Power BI/Fabric scope.  I don't think so. 

View solution in original post

Message 4 of 5
100 Views
0
4 REPLIES 4
v-nmadadi-msft
Community Support
Community Support

Saturday

Hi @alfBI 

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.

 

Message 5 of 5
35 Views
0
alfBI
Resolver I
Resolver I

‎05-05-2025 01:12 PM

Hi,

 

Checking the Power BI Rest API Docs I see that admin tasks Admin - REST API (Power BI Power BI REST APIs) | Microsoft Learn  (that are the ones I assume included on the tenant.ReadWriteall) does not include anything such as removing a subscription, an Entry ID group or a virtual network .

 

Of course you can do dangerous things as assigning a capacity to a workspace but this is part of the power bi scope.

 

Do you have a sample of some potential action using the Power BI API Rest with the tenant.ReadWriteall permission that can impact a non-PowerBI/Fabric Item?

 

Many Thx

Message 3 of 5
103 Views
0
lbendlin
Super User
Super User
In response to alfBI

‎05-05-2025 01:25 PM

I see what you mean. Items outside the Power BI/Fabric scope.  I don't think so. 

Message 4 of 5
101 Views
0
lbendlin
Super User
Super User

‎05-05-2025 11:55 AM 
Could I destroy something out of the Power BI Service (I mean for instance some Azure subscription group) scope with the Tenant.WriteReadAll permission given to the Power BI Service API?

yes, very much so.  You need to have technical (documentation) and non-technical  (legal threats) precautions in place when you grant that.

Message 2 of 5
122 Views
0

Helpful resources

Announcements
PBIApril_Carousel

Power BI Monthly Update - April 2025

Check out the April 2025 Power BI update to learn about new features.

Notebook Gallery Carousel1

NEW! Community Notebooks Gallery

Explore and share Fabric Notebooks to boost Power BI insights in the new community notebooks gallery.

April2025 Carousel

Fabric Community Update - April 2025

Find out what's new and trending in the Fabric community.

View All
Top Solution Authors
View All