bender1234
Regular Visitor

Access Token for REST API Access doesn't work: token missing permissions assigned to app registration

Hi

 

I want to build a dashboard showing past refreshes of my datasets.

I found the following API call: https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/get-refresh-history

 

To get access to get the past refreshes, I need to generate an access token and I use Postman and this call:  https://login.microsoftonline.com/{tenant_id}/oauth2/token

I send client id, client secret, resource, grant_type and scope in body. It generates a token. But when I use this token in the Get refresh call, I get a 403 error.

 

When I generate a token with the PowerBi Rest API documentation "Try it out" feature it all works (= the request to get dataset refresh).

When I inspect the token generated by the "Try it out" feature, there are all different Permissions (e.g. dataset.read.all and about 10 more) listed under the scp property.

When I inspect the token from the Postman call, it does not contain a scp property but a roles property. The only role in there is tenant.read.all (despite the fact that the App Registration has other API permissions set).

 

Even if I did not set the correct permission required to get the dataset refresh, the generated access token should have all permissions that I have set but it only has the one.

 

Setup

To be allowed to run this API call I followed this tutorial https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis

 

- added App Registration

- added the App Registration to a new security group

- added security group to PowerBi admin setting called "Service Principals can edit read only admin APIs" (as described here https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis)

- added the app registration's service principal to PowerBi Workspace access list as Admin

- added the security group (which contains the app registration's service principal) to PowerBi Workspace access list as Admin


I have set the following API permissions in the app registration:

Tenant.Read.All  -Type Application

Tenant.ReadWrite.All -Type Application

Dataset.Read.All - Type Delegated

 

The only two application permissions available are those tenant permissions that I have set. There are many possible permissions of type delegated.

 

 

This post is related (but doesn't focus on not getting the permissions set in App Registration): https://community.fabric.microsoft.com/t5/Power-Query/PowerBI-REST-API-amp-Access-Token-with-Power-Q...

- I tried the different Auth URL (version 2) but it does not support the resource prop in the body

- I tried different API permissions to no avail

 

Where am I going wrong? Why can I not get those permissions in the JWT token?

 

Thanks for your help
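
An added example, not part of the original post: a token-inspection helper that decodes a JWT payload and reports whether its permissions arrive in `roles` (an app-only token, which carries application permissions only, as the client id/secret call above returned) or in `scp` (a delegated token issued for a signed-in user). The sample tokens are constructed and unsigned, and all function names are hypothetical.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    For inspection only; never base an authorization decision on this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> tuple[str, set[str]]:
    """Classify a token by the claim that carries its permissions."""
    if "scp" in claims:        # delegated token: space-separated string
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:      # app-only token: JSON array of app permissions
        return "app-only", set(claims["roles"])
    return "none", set()


def missing_permissions(token: str, required: set[str]) -> set[str]:
    """Permissions an API call needs that the token does not carry."""
    _, granted = granted_permissions(jwt_claims(token))
    return required - granted


def make_sample(payload: dict) -> str:
    """Build a constructed, unsigned sample token (not a real credential)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(payload)}.constructed'


# Constructed samples mirroring the two tokens described in the post.
APP_TOKEN = make_sample({"roles": ["Tenant.Read.All"]})
USER_TOKEN = make_sample({"scp": "Dataset.Read.All Tenant.Read.All"})

if __name__ == "__main__":
    for name, tok in (("postman", APP_TOKEN), ("try-it-out", USER_TOKEN)):
        kind, perms = granted_permissions(jwt_claims(tok))
        print(name, kind, sorted(perms),
              "missing:", sorted(missing_permissions(tok, {"Dataset.Read.All"})))
```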

1 REPLY 1
lbendlin
Super User
