Please let me know if the following is an option to restrict the app write to the push dataset in a workspace?
1. App Registration (Azure AD)
Register your app in Azure AD and grant it Dataset.ReadWrite.All.
---
2. Enable Service Principal Access in Power BI
In Power BI Admin Portal:
Go to Tenant Settings.
Under "Developer settings", enable "Allow service principals to use Power BI APIs".
Restrict this setting to specific security groups, not "entire organization".
---
3. Add the App’s Service Principal to Only One Workspace
Go to the specific workspace where your dataset lives.
Click "Access".
Add the app’s service principal (from the app registration) as a Contributor or Member.
This way:
The app will only see and access the datasets inside that one workspace.
It can’t access any datasets in other workspaces (unless explicitly added).
Kindly let me know if the above would work?
Your layered approach, combining Azure AD app permissions with Power BI tenant-level and workspace-level access controls, is the recommended and most secure way to achieve your goal. It ensures that while your service principal has the necessary underlying API permissions, its effective scope of action is tightly constrained to only the workspaces and datasets you explicitly allow.
Just always use the least privilege approach in the workspace: if Contributor is enough, give the Contributor right 🙂
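A check for the scoping discussed in this thread, as an added example that is not part of the original posts: it scans workspace membership data for the app's service principal and reports any workspace other than the intended one, plus any role above the one required. The sample data is constructed and shaped like the `value` array of the Power BI admin REST call `admin/groups` with `$expand=users`; the IDs, workspace names and the function name are assumptions.

```python
# Added example: audit where a service principal has workspace access.
ROLE_RANK = {"None": -1, "Viewer": 0, "Contributor": 1, "Member": 2, "Admin": 3}

SP_ID = "11111111-1111-1111-1111-111111111111"    # constructed object ID
ALLOWED = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed workspace ID

# Constructed sample shaped like the "value" array returned by the admin
# REST API (admin/groups with $expand=users). Names and IDs are made up.
SAMPLE_GROUPS = [
    {"id": ALLOWED, "name": "Push-Ingest", "users": [
        {"identifier": SP_ID, "principalType": "App",
         "groupUserAccessRight": "Member"},
        {"identifier": "owner@example.com", "principalType": "User",
         "groupUserAccessRight": "Admin"}]},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "name": "Finance", "users": [
        {"identifier": SP_ID, "principalType": "App",
         "groupUserAccessRight": "Viewer"}]},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "name": "HR", "users": [
        {"identifier": "hr@example.com", "principalType": "User",
         "groupUserAccessRight": "Admin"}]},
]


def audit_service_principal(groups, sp_id, allowed_ws, max_role="Contributor"):
    """Return (finding, workspace, role) tuples where the principal is over-scoped.

    Caveat: access granted through a security group shows up as
    principalType "Group" and is not resolved by this check.
    """
    findings, seen_allowed = [], False
    for ws in groups:
        for user in ws.get("users", []):
            if user.get("principalType") != "App":
                continue
            if user.get("identifier", "").lower() != sp_id.lower():
                continue
            role = user.get("groupUserAccessRight", "None")
            if role == "None":
                continue  # listed but holds no access right
            if ws["id"].lower() != allowed_ws.lower():
                findings.append(("unexpected_workspace", ws["name"], role))
                continue
            seen_allowed = True
            # Unknown role names rank highest so they are always reported.
            if ROLE_RANK.get(role, 99) > ROLE_RANK[max_role]:
                findings.append(("excess_role", ws["name"], role))
    if not seen_allowed:
        findings.append(("missing_from_allowed_workspace", allowed_ws, None))
    return findings
```
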
Hi @VMariapp ,
Thank you for reaching out to Microsoft Fabric Community Forum.
@GilbertQ @Cookistador Thank you for your quick responses.
@VMariapp we would like to follow up to see if the solution provided by the super users resolved your issue. Please let us know if you need any further assistance.
If our super user response resolved your issue, please mark it as "Accept as solution" and click "Yes" if you found it helpful.
Regards,
B Manikanteswara Reddy
Hi @VMariapp ,
As we haven’t heard back from you, we wanted to kindly follow up to check whether the solution provided for the issue worked. Let us know if you need any further assistance.
If our response addressed your issue, please mark it as "Accept as solution" and click "Yes" if you found it helpful.
Regards,
B Manikanteswara Reddy
Hi @VMariapp ,
Thank you for reaching out to Microsoft Fabric Community Forum.
As we haven’t heard back from you, we will go ahead and close this ticket for now.
If you need any further assistance, please don’t hesitate to raise a new ticket, we’re always happy to help.
Our sincere apologies if there was any inconvenience caused.
Regards,
B Manikanteswara Reddy