Hi
I want to build a dashboard showing past refreshes of my datasets.
I found the following API call: https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/get-refresh-history
To get access to get the past refreshes, I need to generate an access token and I use Postman and this call: https://login.microsoftonline.com/{tenant_id}/oauth2/token
I send client id, client secret, resource, grant_type and scope in body. It generates a token. But when I use this token in the Get refresh call, I get a 403 error.
When I generate a token with the PowerBi Rest API documentation "Try it out" feature it all works (= the request to get dataset refresh).
When I inspect the token generated by the "Try it out" feature, there are all different Permissions (e.g. dataset.read.all and about 10 more) listed under the src property.
When I inspect the token from the Postman call, it does not contain a scp property but a roles property. The only role in there is Tenant.Read.All (despite the fact that the App Registration has other API permissions set).
Even if I did not set the correct permission required to get the dataset refresh, the generated access token should have all permissions that I have set but it only has the one.
Setup
To be allowed to run this API call I followed this tutorial https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis
- added App Registration
- added the App Registration to a new security group
- added security group to the Power BI admin setting called "Service Principals can edit read only admin APIs" (as described here https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis)
- added the app registration's service principal to the Power BI Workspace access list as Admin
- added the security group (which contains the app registration's service principal) to the Power BI Workspace access list as Admin
I have set the following API permissions in the app registration:
- Tenant.Read.All - Type Application
- Tenant.ReadWrite.All - Type Application
- Dataset.Read.All - Type Delegated
The only two application permissions available are those tenant permissions that I have set. There are many possible permissions of type delegated.
This post is related (but doesn't focus on not getting the permissions set in App Registration): https://community.fabric.microsoft.com/t5/Power-Query/PowerBI-REST-API-amp-Access-Token-with-Power-Q...
- I tried the different Auth URL (version 2) but it does not support the resource prop in the body
- I tried different API permissions to no avail
Where am I going wrong? Why can I not get those permissions in the JWT token?
Thanks for your help
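
Added example (not part of the original post or of any Microsoft sample): a small claim inspector for the two kinds of token compared above. A token from the client-credentials grant carries application permissions in `roles`, while delegated permissions such as Dataset.Read.All appear only in `scp` on a token issued for a signed-in user. The tokens below are constructed and unsigned, and the `aud` value is an assumption.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload. No signature check: for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def describe_token(token: str) -> dict:
    claims = decode_claims(token)
    if "scp" in claims:        # delegated: space-separated string of scopes
        kind, perms = "delegated", claims["scp"].split()
    elif "roles" in claims:    # app-only: JSON array of application permissions
        kind, perms = "app-only", list(claims["roles"])
    else:
        kind, perms = "unknown", []
    return {"kind": kind, "permissions": sorted(perms), "aud": claims.get("aud")}


def grants(token: str, permission: str) -> bool:
    # Permission names are compared case-insensitively.
    wanted = permission.lower()
    return any(p.lower() == wanted for p in describe_token(token)["permissions"])


def make_sample(claims: dict) -> str:
    """Build an UNSIGNED, constructed token for the demo (not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample claims, modelled on the two tokens described in the post.
AUD = "https://analysis.windows.net/powerbi/api"  # assumed audience value
APP_TOKEN = make_sample({"aud": AUD, "roles": ["Tenant.Read.All"]})
USER_TOKEN = make_sample({"aud": AUD, "scp": "Dataset.Read.All Workspace.Read.All"})

if __name__ == "__main__":
    for name, tok in (("client credentials", APP_TOKEN), ("signed-in user", USER_TOKEN)):
        print(name, describe_token(tok), "Dataset.Read.All:", grants(tok, "Dataset.Read.All"))
```

The decoder does not verify signatures, so use it only to read claims while debugging, and never paste a live access token into an online decoder.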
You need to use a custom connector that understands AAD.