Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.

Reply
alfBI
Resolver I
Resolver I

API Permissions (Power BI Service). Difference between Permissions

‎05-05-2025 11:23 AM

Hi,

 

I am creating a service principal to use Power BI Service API and I am a bit confused with regards the difference between the different permission/scopes that can be granted to the API

 

alfBI_1-1746469153701.png

 

does the  Tenant.WriteReadAll permission includes all the other ones *.WriteReadll? I think so, but my tenant admin requires to clarify what is the purposed of the permission before to consent it.

 

alfBI_0-1746469049807.png

Could I destroy something out of the Power BI Service (I mean for instance some Azure subscription group) scope with the Tenant.WriteReadAll permission given to the Power BI Service API?

 

 

alfBI_3-1746469363826.png

 

(this is the message that the admin receives to consent)

 

Regards,

 

 

Labels:
Message 1 of 5
369 Views
0
1 ACCEPTED SOLUTION
lbendlin
Super User
Super User
In response to alfBI

‎05-05-2025 01:25 PM

I see what you mean. Items outside the Power BI/Fabric scope.  I don't think so. 

View solution in original post

Message 4 of 5
323 Views
4 REPLIES 4
v-nmadadi-msft
Community Support
Community Support

‎05-10-2025 11:04 AM

Hi @alfBI 

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.

Thank you.

 

Message 5 of 5
258 Views
0
alfBI
Resolver I
Resolver I

‎05-05-2025 01:12 PM

Hi,

 

Checking the Power BI Rest API Docs I see that admin tasks Admin - REST API (Power BI Power BI REST APIs) | Microsoft Learn  (that are the ones I assume included on the tenant.ReadWriteall) does not include anything such as removing a subscription, an Entry ID group or a virtual network .

 

Of course you can do dangerous things as assigning a capacity to a workspace but this is part of the power bi scope.

 

Do you have a sample of some potential action using the Power BI API Rest with the tenant.ReadWriteall permission that can impact a non-PowerBI/Fabric Item?

 

Many Thx

Message 3 of 5
326 Views
0
lbendlin
Super User
Super User
In response to alfBI

‎05-05-2025 01:25 PM

I see what you mean. Items outside the Power BI/Fabric scope.  I don't think so. 

Message 4 of 5
324 Views
lbendlin
Super User
Super User

‎05-05-2025 11:55 AM 
Could I destroy something out of the Power BI Service (I mean for instance some Azure subscription group) scope with the Tenant.WriteReadAll permission given to the Power BI Service API?

yes, very much so.  You need to have technical (documentation) and non-technical  (legal threats) precautions in place when you grant that.

Message 2 of 5
345 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All