bender1234
Regular Visitor

Access Token for REST API access doesn't work: token missing permissions assigned to app registration

Hi

 

I want to build a dashboard showing past refreshes of my datasets.

I found the following API call: https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/get-refresh-history

 

To get access to get the past refreshes, I need to generate an access token and I use Postman and this call: https://login.microsoftonline.com/{tenant_id}/oauth2/token

I send client id, client secret, resource, grant_type and scope in body. It generates a token. But when I use this token in the Get refresh call, I get a 403 error.

 

When I generate a token with the Power BI REST API documentation "Try it out" feature it all works (= the request to get dataset refresh).

When I inspect the token generated by the "Try it out" feature, there are all different Permissions (e.g. dataset.read.all and about 10 more) listed under the src property.

When I inspect the token from the Postman call, it does not contain a scp property but a roles property. The only role in there is tenant.read.all (despite the fact that the App Registration has other API permissions set).

 

Even if I did not set the correct permission required to get the dataset refresh, the generated access token should have all permissions that I have set but it only has the one.

 

Setup

To be allowed to run this API call I followed this tutorial https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis

 

- added App Registration

- added the App Registration to a new security group

- added the security group to the Power BI admin setting called "Service Principals can edit read only admin APIs" (as described here https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis)

- added the app registration's service principal to the Power BI Workspace access list as Admin

- added the security group (which contains the app registration's service principal) to the Power BI Workspace access list as Admin


I have set the following API permissions in the app registration:

Tenant.Read.All  -Type Application

Tenant.ReadWrite.All -Type Application

Dataset.Read.All - Type Delegated

 

The only two application permissions available are those tenant permissions that I have set. There are many possible permissions of type delegated.

 

 

This post is related (but doesn't focus on not getting the permissions set in the App Registration): https://community.fabric.microsoft.com/t5/Power-Query/PowerBI-REST-API-amp-Access-Token-with-Power-Q...

- I tried the different Auth URL (version 2) but it does not support the resource prop in the body

- I tried different API permissions to no avail

 

Where am I going wrong? Why can I not get those permissions in the JWT token?

 

Thanks for your help
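Added example, not part of the original post: a token from the client-credentials grant is an app-only token, which carries application permissions in `roles`; delegated permissions such as Dataset.Read.All appear in `scp` only in tokens issued for a signed-in user. The sketch below decodes the payload of two constructed, unsigned sample tokens modelled on the two described in the post and reports what each one actually grants; the helper names and the sample claim values are assumptions.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT-shaped string (demo input only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload segment for inspection. No signature check is done,
    so the result must never be used for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(claims: dict) -> dict:
    """Report the token kind and the permissions it carries."""
    scopes = claims.get("scp", "").split()  # delegated: space-separated string
    roles = claims.get("roles", [])         # app-only: JSON array
    kind = "delegated" if scopes else "app-only" if roles else "no-permissions"
    return {"kind": kind, "granted": {p.lower() for p in scopes + roles}}


def is_missing(claims: dict, required: str) -> bool:
    """True when the required permission is in neither scp nor roles."""
    return required.lower() not in describe_token(claims)["granted"]


# Constructed samples: claim values follow the post, everything else is made up.
POSTMAN_TOKEN = make_sample_token({"roles": ["Tenant.Read.All"]})
TRY_IT_OUT_TOKEN = make_sample_token({"scp": "Dataset.Read.All Workspace.Read.All"})

if __name__ == "__main__":
    for name, tok in (("Postman", POSTMAN_TOKEN), ("Try it out", TRY_IT_OUT_TOKEN)):
        claims = decode_claims(tok)
        info = describe_token(claims)
        print(name, info["kind"], sorted(info["granted"]),
              "missing Dataset.Read.All:", is_missing(claims, "Dataset.Read.All"))
```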

1 REPLY 1
lbendlin
Super User