Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

Reply
Lora9999
Frequent Visitor

How to Prevent Contributors from Deleting Reports

Hello,

 

I have authorized Contributor access to a specific user in the workspace.

Contributors can delete reports and semantic models uploaded by others.

Is there a way to prevent them from deleting reports or semantic models created by others?

1 ACCEPTED SOLUTION
Ray_Minds
Responsive Resident
Responsive Resident

Hi @Lora9999 

In Power BI, the default role of a Contributor allows users to perform several tasks, including deleting reports and semantic models (datasets) that were created by others. Unfortunately, there isn't a built-in, granular permission setting specifically for preventing the deletion of reports or datasets created by other users, while still allowing them to manage their own content. 
 
You can check the Microsoft link on Roles in Power BI workspace: - https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-roles-new-workspaces 
 
 
However, you can  implement an alert process which can help here by following the below steps and going through some useful links: - 
 
 

Step 1: Set Up Power BI Service API Access 

First you need to ensure that your application has access to the Power BI Service APIs. This is achieved by registering an application in Azure Active Directory (Azure AD) and granting it necessary permissions. 

 
1.1. Register an Application in Azure AD 
 

  1. Go to Azure Portal: https://portal.azure.com
  2. Navigate to Azure Active Directory > App registrations > New registration
  3. Give your application a name and register it. 
  4. After registering the app, make note of the Application (client) ID and Directory (tenant) ID as you'll need these for API authentication. 

 

1.2. Configure Permissions for Power BI API 

 

  1. In your registered app in Azure AD, go to API permissions > Add a permission
  2. Choose Power BI Service and then choose Delegated permissions or Application permissions based on your use case. 
    • For monitoring, the most likely permissions would be: 
      • Dataset.ReadWrite.All 
      • Report.ReadWrite.All 
      • Workspace.ReadWrite.All (if you want to monitor all workspaces) 
  3. Grant Admin consent for these permissions. 

 

1.3. Get Your Client Secret 

 

  1. In the app registration, navigate to Certificates & secrets
  2. Create a new client secret and make sure to copy it immediately; you won’t be able to see it again after you navigate away. 

 

Step 2: Authenticate and Get Access Token 

You need an access token to make requests to the Power BI REST API. 

2.1. OAuth 2.0 Authentication 

You can authenticate using the client credentials flow in OAuth 2.0. Here’s a sample authentication request using Python: 

 

Python_code 

import requests 
 
# Azure AD tenant information 
tenant_id = "<tenant_id>" 
client_id = "<client_id>" 
client_secret = "<client_secret>" 
 
# Authentication URL 
url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
 
# Request headers and body 
headers = { 
    'Content-Type': 'application/x-www-form-urlencoded' 

data = { 
    'grant_type': 'client_credentials', 
    'client_id': client_id, 
    'client_secret': client_secret, 
    'scope': 'https://graph.microsoft.com/.default

 
# Get access token 
response = requests.post(url, headers=headers, data=data) 
access_token = response.json().get('access_token') 
 
print(f"Access Token: {access_token}") 
 

 

Step 3: Monitor Power BI Content Changes 

Now that you have the access token, you can use Power BI REST APIs to monitor changes, such as deletions or modifications. 

 

3.1. Retrieve Reports or Datasets 

 

You can use the following APIs to monitor reports and datasets: 

Use the GET method to fetch lists of reports or datasets, which you can compare with your previous state to track changes. 

 

3.2. Monitor for Deletions 

To track deletions, you can periodically compare the current state of the reports/datasets in your workspace to a saved version (e.g., in a database or file). If a report or dataset is missing in the current state but present in the previous state, it indicates deletion.  
 
Example request to list reports: 

 

Python_code 

workspace_id = "<workspace_id>" 
url = f"https://api.powerbi.com/v1.0/myorg/groups/{workspace_id}/reports
headers = {'Content-Type': 'application/json', 'Authorization': f'Bearer {access_token}'} 
 
response = requests.get(url, headers=headers) 
reports = response.json() 
print(reports) 
 

 

Step 4: Set Up Notification for Deletion 

Once you detect that a report or dataset has been deleted, you can trigger notifications (e.g., via email). 

 

4.1. Send Notification (Example: Email via SMTP) 

 

Here’s an example of sending an email notification when a deletion is detected: 

 

Python_code 

import smtplib 
from email.mime.text import MIMEText 
from email.mime.multipart import MIMEMultipart 
 
# Email credentials 
sender_email = "your_email@example.com
receiver_email = "admin@example.com
password = "your_email_password" 
 
# Email content 
message = MIMEMultipart() 
message["From"] = sender_email 
message["To"] = receiver_email 
message["Subject"] = "Power BI Report Deleted" 
body = "A Power BI report was deleted in workspace XYZ. Please review." 
 
message.attach(MIMEText(body, "plain")) 
 
# Send email 
server = smtplib.SMTP("smtp.example.com", 587) 
server.starttls() 
server.login(sender_email, password) 
server.sendmail(sender_email, receiver_email, message.as_string()) 
server.quit() 
 

 

4.2. Trigger Restore of Deleted Report  

You may also want to restore a deleted report. Unfortunately, Power BI does not have a direct "restore" API, but you can manage this by periodically backing up your reports and datasets using the export functionality. When a report is deleted, you can use the saved backup to re-upload it. 

 

Step 5: Automate the Monitoring Process 

You can set up a scheduled task or use a cloud function (such as Azure Functions, AWS Lambda) to automate the monitoring process. 

For instance, you could use Azure Logic Apps or Power Automate to trigger periodic checks and actions based on changes in your Power BI workspaces. 

 
Useful links:  
         



If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

View solution in original post

3 REPLIES 3
Ray_Minds
Responsive Resident
Responsive Resident

Hi @Lora9999 

In Power BI, the default role of a Contributor allows users to perform several tasks, including deleting reports and semantic models (datasets) that were created by others. Unfortunately, there isn't a built-in, granular permission setting specifically for preventing the deletion of reports or datasets created by other users, while still allowing them to manage their own content. 
 
You can check the Microsoft link on Roles in Power BI workspace: - https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-roles-new-workspaces 
 
 
However, you can  implement an alert process which can help here by following the below steps and going through some useful links: - 
 
 

Step 1: Set Up Power BI Service API Access 

First you need to ensure that your application has access to the Power BI Service APIs. This is achieved by registering an application in Azure Active Directory (Azure AD) and granting it necessary permissions. 

 
1.1. Register an Application in Azure AD 
 

  1. Go to Azure Portal: https://portal.azure.com
  2. Navigate to Azure Active Directory > App registrations > New registration
  3. Give your application a name and register it. 
  4. After registering the app, make note of the Application (client) ID and Directory (tenant) ID as you'll need these for API authentication. 

 

1.2. Configure Permissions for Power BI API 

 

  1. In your registered app in Azure AD, go to API permissions > Add a permission
  2. Choose Power BI Service and then choose Delegated permissions or Application permissions based on your use case. 
    • For monitoring, the most likely permissions would be: 
      • Dataset.ReadWrite.All 
      • Report.ReadWrite.All 
      • Workspace.ReadWrite.All (if you want to monitor all workspaces) 
  3. Grant Admin consent for these permissions. 

 

1.3. Get Your Client Secret 

 

  1. In the app registration, navigate to Certificates & secrets
  2. Create a new client secret and make sure to copy it immediately; you won’t be able to see it again after you navigate away. 

 

Step 2: Authenticate and Get Access Token 

You need an access token to make requests to the Power BI REST API. 

2.1. OAuth 2.0 Authentication 

You can authenticate using the client credentials flow in OAuth 2.0. Here’s a sample authentication request using Python: 

 

Python_code 

import requests 
 
# Azure AD tenant information 
tenant_id = "<tenant_id>" 
client_id = "<client_id>" 
client_secret = "<client_secret>" 
 
# Authentication URL 
url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
 
# Request headers and body 
headers = { 
    'Content-Type': 'application/x-www-form-urlencoded' 

data = { 
    'grant_type': 'client_credentials', 
    'client_id': client_id, 
    'client_secret': client_secret, 
    'scope': 'https://graph.microsoft.com/.default

 
# Get access token 
response = requests.post(url, headers=headers, data=data) 
access_token = response.json().get('access_token') 
 
print(f"Access Token: {access_token}") 
 

 

Step 3: Monitor Power BI Content Changes 

Now that you have the access token, you can use Power BI REST APIs to monitor changes, such as deletions or modifications. 

 

3.1. Retrieve Reports or Datasets 

 

You can use the following APIs to monitor reports and datasets: 

Use the GET method to fetch lists of reports or datasets, which you can compare with your previous state to track changes. 

 

3.2. Monitor for Deletions 

To track deletions, you can periodically compare the current state of the reports/datasets in your workspace to a saved version (e.g., in a database or file). If a report or dataset is missing in the current state but present in the previous state, it indicates deletion.  
 
Example request to list reports: 

 

Python_code 

workspace_id = "<workspace_id>" 
url = f"https://api.powerbi.com/v1.0/myorg/groups/{workspace_id}/reports
headers = {'Content-Type': 'application/json', 'Authorization': f'Bearer {access_token}'} 
 
response = requests.get(url, headers=headers) 
reports = response.json() 
print(reports) 
 

 

Step 4: Set Up Notification for Deletion 

Once you detect that a report or dataset has been deleted, you can trigger notifications (e.g., via email). 

 

4.1. Send Notification (Example: Email via SMTP) 

 

Here’s an example of sending an email notification when a deletion is detected: 

 

Python_code 

import smtplib 
from email.mime.text import MIMEText 
from email.mime.multipart import MIMEMultipart 
 
# Email credentials 
sender_email = "your_email@example.com
receiver_email = "admin@example.com
password = "your_email_password" 
 
# Email content 
message = MIMEMultipart() 
message["From"] = sender_email 
message["To"] = receiver_email 
message["Subject"] = "Power BI Report Deleted" 
body = "A Power BI report was deleted in workspace XYZ. Please review." 
 
message.attach(MIMEText(body, "plain")) 
 
# Send email 
server = smtplib.SMTP("smtp.example.com", 587) 
server.starttls() 
server.login(sender_email, password) 
server.sendmail(sender_email, receiver_email, message.as_string()) 
server.quit() 
 

 

4.2. Trigger Restore of Deleted Report  

You may also want to restore a deleted report. Unfortunately, Power BI does not have a direct "restore" API, but you can manage this by periodically backing up your reports and datasets using the export functionality. When a report is deleted, you can use the saved backup to re-upload it. 

 

Step 5: Automate the Monitoring Process 

You can set up a scheduled task or use a cloud function (such as Azure Functions, AWS Lambda) to automate the monitoring process. 

For instance, you could use Azure Logic Apps or Power Automate to trigger periodic checks and actions based on changes in your Power BI workspaces. 

 
Useful links:  
         



If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

v-linhuizh-msft
Community Support
Community Support

Thanks for the reply from Pragati11.

 

Hi @Lora9999 ,

 

The contributor role does come with deletion permissions to reports, and it is recommended that you choose to assign the viewer role so that you can only only view and interact with reports, dashboards, and other content, but not edit or delete any of it. Or don't assign roles and manage permissions to reports and semantic models.

vlinhuizhmsft_0-1733452178919.png

 

Best Regards,
Zhu

 

If there is any post helps, then please consider Accept it as the solution  to help the other members find it more quickly.

Pragati11
Super User
Super User

HI @Lora9999 ,

 

Unfortunately, Contributor access on a workspace gives them power to delete or update items within the workspace.

You can read more about workspace roles here:

https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-roles-new-workspaces

 

Best Regards,

Pragati Jain


MVP logo


LinkedIn | Twitter | Blog YouTube 

Did I answer your question? Mark my post as a solution! This will help others on the forum!

Appreciate your Kudos!!

Proud to be a Super User!!

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Jan25PBI_Carousel

Power BI Monthly Update - January 2025

Check out the January 2025 Power BI update to learn about new features in Reporting, Modeling, and Data Connectivity.

Jan NL Carousel

Fabric Community Update - January 2025

Find out what's new and trending in the Fabric community.