bender1234
Regular Visitor

Access Token for REST API Access doesn't work: token missing permissions assigned to app registration

Hi

 

I want to build a dashboard showing past refreshes of my datasets.

I found the following API call: https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/get-refresh-history

 

To get access to get the past refreshes, I need to generate an access token and I use Postman and this call:  https://login.microsoftonline.com/{tenant_id}/oauth2/token

I send client id, client secret, resource, grant_type and scope in body. It generates a token. But when I use this token in the Get refresh call, I get a 403 error.

 

When I generate a token with the PowerBi Rest API documentation "Try it out" feature it all works (= the request to get dataset refresh).

When I inspect the token generated by the "Try it out" feature, there are all different Permissions (e.g. dataset.read.all and about 10 more) listed under the src property.

When I inspect the token from the Postman call, it does not contain a scp property but a roles property. The only role in there is tenant.read.all (despite the fact that the App Registration has other API permissions set).

 

Even if I did not set the correct permission required to get the dataset refresh, the generated access token should have all permissions that I have set but it only has the one.

 

Setup

To be allowed to run this API call I followed this tutorial https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis

 

- added App Registration

- added the App Registration to a new security group

- added security group to PowerBi admin setting called "Service Principals can edit read only admin APIs" (as described here https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis)

- added the app registration's service principal to PowerBi Workspace access list as Admin

- added the security group (which contains the app registration's service principal) to PowerBi Workspace access list as Admin


I have set the following API permissions in the app registration:

Tenant.Read.All - Type Application

Tenant.ReadWrite.All - Type Application

Dataset.Read.All - Type Delegated

 

The only two application permissions available are those tenant permissions that I have set. There are many possible permissions of type delegated.

 

 

This post is related (but doesn't focus on not getting the permissions set in App Registration): https://community.fabric.microsoft.com/t5/Power-Query/PowerBI-REST-API-amp-Access-Token-with-Power-Q...

- I tried the different Auth URL (version 2) but it does not support the resource prop in the body

- I tried different API permissions to no avail

 

Where am I going wrong? Why can I not get those permissions in the JWT token?

 

Thanks for your help
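
An added example, not part of the original post, of the token inspection described above: it decodes a JWT payload and reports whether permissions arrive in `scp` (delegated permissions, issued when a user signs in) or in `roles` (application permissions, the only kind a client-credentials token carries). The two sample tokens are constructed and unsigned, and all function names are hypothetical.

```python
import base64
import json

def _b64url(obj):
    # Encode a dict as an unpadded base64url JSON segment.
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build an UNSIGNED, constructed JWT for offline demonstration only."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), ""])

def decode_claims(token):
    """Return the payload claims. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe_token(token):
    """Classify a token by the permission claim it carries."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()  # delegated: space-separated string
    roles = list(claims.get("roles", []))   # application: JSON array
    if scopes:
        return {"kind": "delegated", "permissions": scopes}
    if roles:
        return {"kind": "app-only", "permissions": roles}
    return {"kind": "no-permissions", "permissions": []}

def has_permission(token, name):
    """Case-insensitive check for one permission in scp or roles."""
    wanted = name.lower()
    return any(p.lower() == wanted for p in describe_token(token)["permissions"])

# Constructed sample payloads mirroring the two tokens compared in the post.
AUD = "https://analysis.windows.net/powerbi/api"
APP_ONLY = make_sample_token({"aud": AUD, "roles": ["Tenant.Read.All"]})
DELEGATED = make_sample_token(
    {"aud": AUD, "scp": "Dataset.Read.All Workspace.Read.All"})

if __name__ == "__main__":
    for label, tok in (("client credentials", APP_ONLY), ("user sign-in", DELEGATED)):
        print(label, describe_token(tok),
              "Dataset.Read.All:", has_permission(tok, "Dataset.Read.All"))
```

Delegated permissions granted on the app registration never appear in a client-credentials token, so checking the `kind` first shows which permission list applies to the call being made.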

1 REPLY 1
lbendlin
Super User