Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

The Power BI Data Visualization World Championships is back! It's time to submit your entry. Live now!

Reply
bender1234
Regular Visitor

Acces Token for REST API Access doesnt work: token missing permissions assigned to app registration

‎10-02-2024 01:42 PM

Hi

 

I want to build a dashboard showing past refreshes of my datasets.

I found the following API call: https://learn.microsoft.com/en-us/rest/api/power-bi/datasets/get-refresh-history

 

To get access to get the past refreshes, I need to generate an access token and I use Postman and this call:  https://login.microsoftonline.com/{tenant_id}/oauth2/token

I send client id, client secret, resource, grant_type and scope in body. It generates a token. But when I use 

this token in the Get refresh call, I get a 403 error.

 

When I generate a token with the PowerBi Rest API documentation "Try it out" feature it all works (= the request to get dataset refresh).

When I inspect the token generated by the "Try it out" feature, there are all different Permissions (e.g. dataset.read.all and about 10 more) listed under the src property.

When I inspect the token from the Postman call, it soes not contain a scp property but a roles property. The only role in there is tennant.read.all (despite the fact that the App Registration has other API permissions set).

 

Even if I did not set the correct permission required to get the dataset refresh, the generated access token should have all permissions that I have set but it only has the one.

 

Setup

To be allowed to run this API call I followed this tutorial https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis

 

- added App Registration

- added App Registration it to new security group

- added security group to PowerBi admin setting called "Service Principles can edit read only admin APIs (as describe here https://learn.microsoft.com/en-ca/fabric/admin/metadata-scanning-enable-read-only-apis)

- added the app registration's service principle  to PowerBi Workspace access list as Admin

- added the security group (which contains the app registration's service principle)  to PowerBi Workspace access list as Admin


I have set the following API permissions in the app registration:

Tenant.Read.All  -Type Application

Tenant.ReadWrite.All -Type Application

Dataset.Read.All - Type Delegated

 

The only two application permissions available are those tenant permissions that I have set. There are many possible permissions of type delegated.

 

 

This post is related (but doesnt focus on not getting the permissions set in App Registration: https://community.fabric.microsoft.com/t5/Power-Query/PowerBI-REST-API-amp-Access-Token-with-Power-Q...

- I tried the different Auth URL (version 2) but it does not support the resource prop in the body

- I tried different API permissiosn to no avail

 

Where am I going wrong. Why can I not get those permissions in the JWT token?

 

Thanks for your help

Labels:
Message 1 of 2
542 Views
0
1 REPLY 1
lbendlin
Super User
Super User

‎10-03-2024 09:58 AM

You need to use a custom connector that understands AAD.

 

GitHub - migueesc123/PowerBIRESTAPI: A Microsoft Power BI Data Connector or Power Query Connector fo...

Message 2 of 2
532 Views
0

Helpful resources

Announcements
Power BI DataViz World Championships

Power BI Dataviz World Championships

The Power BI Data Visualization World Championships is back! It's time to submit your entry.

January Power BI Update Carousel

Power BI Monthly Update - January 2026

Check out the January 2026 Power BI update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All