For a push dataset, even though Dataset.ReadWrite.All is required, can we not restrict the app registered in Azure AD for this use case so that it only writes to the dataset in the workspace that we have configured, using a service principal?
Why does it grant access to all datasets in the Power BI workspace? Is there any scope to restrict the access to only datasets, or will Azure AD work with it?
Please also suggest some documents for the steps.
Hi @VMariapp I don't think it's possible to restrict the Dataset.ReadWrite.All permission to specific datasets or workspaces when using a service principal. This permission inherently grants access to all datasets across Power BI. To limit scope, you can use dedicated workspaces, apply RLS for data-level control, or create a custom middleware to filter API calls. For more details, check Power BI REST API and Azure AD permissions documentation.
Hi @VMariapp ,
May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will be helpful for other community members who have similar problems to solve it faster.
Thank you.
Hi @VMariapp ,
You’ve raised an important concern regarding the scope of the Dataset.ReadWrite.All permission when using a service principal with Power BI. Currently, this permission is tenant-wide and cannot be scoped to a specific dataset or workspace directly through Azure AD. This means that once granted, the app technically has access to all datasets across all workspaces, unless access is further restricted at the Power BI service level. However, a commonly used approach to mitigate this is to limit the service principal's access by only adding it to the specific workspace that contains the dataset, assigning it a role like Contributor or Member.
As long as the service principal is not added to other workspaces, it won't have visibility or interaction with datasets elsewhere. To tighten security further, in the Power BI Admin Portal, under Tenant Settings, you can enable "Allow service principals to use Power BI APIs" and restrict it to a specific security group rather than allowing access organization-wide. While this doesn't limit the API permission's scope itself, it helps you control which service principals are authorized. For more information, you can refer to Microsoft documentation such as Automate Power BI Premium tasks with service principals and Embed Power BI content with service principal.
Passionate about leveraging data analytics to drive strategic decision-making and foster business growth.
Connect with me on LinkedIn: Rohit Kumar.
Hi @Akash_Varuna @V-yubandi-msft ,
Thank you for taking the time out to reply. Please let me know if the following is an option to restrict the app to write only to the push dataset in a workspace?
1. App Registration (Azure AD)
Register your app in Azure AD and grant it Dataset.ReadWrite.All.
---
2. Enable Service Principal Access in Power BI
In Power BI Admin Portal:
Go to Tenant Settings.
Under "Developer settings", enable "Allow service principals to use Power BI APIs".
Restrict this setting to specific security groups, not "entire organization".
---
3. Add the App’s Service Principal to Only One Workspace
Go to the specific workspace where your dataset lives.
Click "Access".
Add the app’s service principal (from the app registration) as a Contributor or Member.
This way:
The app will only see and access the datasets inside that one workspace.
It can’t access any datasets in other workspaces (unless explicitly added).
Kindly let me know if the above would work?
Your approach restricts the app's visibility within Power BI, allowing it to interact only with datasets in the specific workspace it has been added to. However, since Dataset.ReadWrite.All is a tenant-wide permission, if the service principal gains access to another workspace, it will also be able to interact with datasets there.
Thank You.
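
The reply above notes that the tenant-wide permission follows the service principal into any workspace it is later added to. As an added example (not code from any poster in this thread), this Python check compares a service principal's direct workspace memberships against an allow-list; the input is a constructed sample shaped like the response of the admin REST call `GET /v1.0/myorg/admin/groups?$expand=users`, and all IDs and workspace names are made up.

```python
import json

# Constructed sample, shaped like GET /v1.0/myorg/admin/groups?$expand=users.
# All IDs and names are made up for illustration.
SP_OBJECT_ID = "aaaaaaaa-0000-0000-0000-000000000001"
SAMPLE = json.loads("""
{"value": [
  {"id": "11111111-1111-1111-1111-111111111111", "name": "PushDataset-Prod",
   "users": [{"identifier": "aaaaaaaa-0000-0000-0000-000000000001",
              "principalType": "App", "groupUserAccessRight": "Contributor"}]},
  {"id": "22222222-2222-2222-2222-222222222222", "name": "Finance",
   "users": [{"identifier": "AAAAAAAA-0000-0000-0000-000000000001",
              "principalType": "App", "groupUserAccessRight": "Member"},
             {"identifier": "analyst@example.com",
              "principalType": "User", "groupUserAccessRight": "Admin"}]},
  {"id": "33333333-3333-3333-3333-333333333333", "name": "HR",
   "users": [{"identifier": "hr-lead@example.com",
              "principalType": "User", "groupUserAccessRight": "Admin"}]}
]}
""")

WRITE_ROLES = {"Admin", "Member", "Contributor"}  # roles that can modify datasets


def workspaces_for_principal(admin_groups, sp_object_id):
    """Map workspace id -> (name, role) for each direct membership of the principal."""
    found = {}
    for ws in admin_groups.get("value", []):
        for user in ws.get("users", []):
            # GUIDs compare case-insensitively. Membership inherited through a
            # security group is NOT resolved here; that needs a directory lookup.
            if user.get("identifier", "").lower() == sp_object_id.lower():
                found[ws["id"]] = (ws.get("name", ""),
                                   user.get("groupUserAccessRight", "None"))
    return found


def audit_scope(admin_groups, sp_object_id, allowed_workspace_ids):
    """Return one finding per workspace the principal is in but should not be."""
    allowed = {w.lower() for w in allowed_workspace_ids}
    members = workspaces_for_principal(admin_groups, sp_object_id)
    return [
        {"workspace_id": ws_id, "name": name, "role": role,
         "can_write": role in WRITE_ROLES}
        for ws_id, (name, role) in members.items()
        if ws_id.lower() not in allowed
    ]


if __name__ == "__main__":
    for f in audit_scope(SAMPLE, SP_OBJECT_ID, ["11111111-1111-1111-1111-111111111111"]):
        print("out-of-scope membership:", f)
```

Run on a schedule against the live admin response, any finding means the app's effective write scope has grown beyond the one intended workspace.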
Hi @VMariapp ,
Thank you for reaching out to the Microsoft Fabric Community.
In addition to @Akash_Varuna's response, here are some official resources that explain the Dataset.ReadWrite.All permission.
Automate Power BI Premium workspace and semantic model tasks with service principals - Power BI | Mi...
Embed Power BI content in an embedded analytics application with service principal and an applicatio...
The Dataset.ReadWrite.All permission is tenant-wide and cannot currently be scoped to a specific dataset or workspace when using a service principal.
If my response solved your query, please mark it as the Accepted solution to help others find it easily. And if my answer was helpful, I'd really appreciate a 'Kudos'.