Starting December 3, join live sessions with database experts and the Microsoft product team to learn just how easy it is to get started
Learn moreGet certified in Microsoft Fabric—for free! For a limited time, get a free DP-600 exam voucher to use by the end of 2024. Register now
Hi
I want to build a dashboard showing past refreshes of my datasets.
I found the following API call: https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/get-refresh-history
To get access to get the past refreshes, I need to generate an access token and I use Postman and this call: https://login.microsoftonline.com/{tenant_id}/oauth2/token
I send client id, client secret, resource, grant_type and scope in body. It generates a token. But when I use
this token in the Get refresh call, I get a 403 error.
When I generate a token with the PowerBi Rest API documentation "Try it out" feature it all works (= the request to get dataset refresh).
When I inspect the token generated by the "Try it out" feature, there are all different Permissions (e.g. dataset.read.all and about 10 more) listed under the src property.
When I inspect the token from the Postman call, it soes not contain a scp property but a roles property. The only role in there is tennant.read.all (despite the fact that the App Registration has other API permissions set).
Even if I did not set the correct permission required to get the dataset refresh, the generated access token should have all permissions that I have set but it only has the one.
Setup
To be allowed to run this API call I followed this tutorial https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis
- added App Registration
- added App Registration it to new security group
- added security group to PowerBi admin setting called "Service Principles can edit read only admin APIs (as describe here https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis)
- added the app registration's service principle to PowerBi Workspace access list as Admin
- added the security group (which contains the app registration's service principle) to PowerBi Workspace access list as Admin
I have set the following API permissions in the app registration:
Tenant.Read.All -Type Application
Tenant.ReadWrite.All -Type Application
Dataset.Read.All - Type Delegated
The only two application permissions available are those tenant permissions that I have set. There are many possible permissions of type delegated.
This post is related (but doesnt focus on not getting the permissions set in App Registration: https://community.fabric.microsoft.com/t5/Power-Query/PowerBI-REST-API-amp-Access-Token-with-Power-Q...
- I tried the different Auth URL (version 2) but it does not support the resource prop in the body
- I tried different API permissiosn to no avail
Where am I going wrong. Why can I not get those permissions in the JWT token?
Thanks for your help
You need to use a custom connector that understands AAD.
Starting December 3, join live sessions with database experts and the Fabric product team to learn just how easy it is to get started.
March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early Bird pricing ends December 9th.
User | Count |
---|---|
39 | |
21 | |
21 | |
19 | |
10 |
User | Count |
---|---|
35 | |
35 | |
34 | |
20 | |
14 |