Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get inspired! Check out the entries from the Power BI DataViz World Championships preliminary rounds and give kudos to your favorites. View the vizzies.

Reply
Datawake
Regular Visitor

Issue with Power BI API Permissions for Reports and Datasets when Generating Embed Token

‎02-07-2025 05:05 AM

I am encountering an issue accessing the endpoints for reports and datasets in the Power BI API. My original goal is to generate the embed token using application permissions. However, upon investigating the access, I noticed that only the groups endpoint is accessible, while the reports and datasets endpoints do not appear.

I used JWT to decode the token I’m passing and saw that only the permissions roles: ["Tenant.ReadWrite.All", "Tenant.Read.All"] are being included in the token. According to the documentation, I need permissions for reports and datasets, but I added these permissions under ‘delegated permissions’ because they do not exist under ‘application permissions’. It seems the token only includes application permissions.

I have created the service in Azure and granted all the necessary permissions:

JSON

"scope": "UserDataFunction.Read.All Connection.ReadWrite.All Connection.Read.All UserState.ReadWrite.All Workspace.Read.All Workspace.ReadWrite.All Tenant.ReadWrite.All Dataset.ReadWrite.All Dataset.Read.All Dashboard.Read.All Tenant.Read.All App.Read.All Report.Execute.All Dashboard.Reshare.All Dashboard.ReadWrite.All Report.Read.All Report.ReadWrite.All Dashboard.Execute.All Workspace.GitCommit.All Workspace.GitUpdate.All"

Thank you for your assistance.
Labels:
Message 1 of 4
724 Views
0
1 ACCEPTED SOLUTION
rohit1991
Super User
Super User

‎02-07-2025 05:17 AM

Hi @Datawake .

Your issue is due to application permissions not including Report.Read.All and Dataset.Read.All, as these exist only under delegated permissions. Since you're using App-Only authentication, follow these steps:

  1. Enable Service Principal Access in Power BI

    • Go to Power BI Admin Portal → Tenant Settings
    • Enable “Allow service principals to use Power BI APIs”. Assign a Security Group

  2. Grant Workspace-Level Access: Add your Service Principal (App ID) as an Admin or Member in the Power BI Workspace

  3. Use Client Credentials Flow for Authentication: Ensure your OAuth token request uses client_credentials and resource=https://analysis.windows.net/powerbi/api

  4. Correct API Permissions in Azure AD

    • Assign only application permissions:
      • Dataset.ReadWrite.All
      • Report.Read.All
      • Workspace.ReadWrite.All
    • Grant Admin Consent

  5. Generate Embed Token Using API

    1. POST https://api.powerbi.com/v1.0/myorg/reports/{reportId}/GenerateToken
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "accessLevel": "View",
  "identities": []
}

 

"The goal is to turn data into information, and information into insight." – Carly Fiorina

🔗 Need Power BI help? Connect on LinkedIn: Rohit Kumar’s LinkedIn

View solution in original post

Message 2 of 4
703 Views
3 REPLIES 3
rohit1991
Super User
Super User

‎02-07-2025 05:17 AM

Hi @Datawake .

Your issue is due to application permissions not including Report.Read.All and Dataset.Read.All, as these exist only under delegated permissions. Since you're using App-Only authentication, follow these steps:

  1. Enable Service Principal Access in Power BI

    • Go to Power BI Admin Portal → Tenant Settings
    • Enable “Allow service principals to use Power BI APIs”. Assign a Security Group

  2. Grant Workspace-Level Access: Add your Service Principal (App ID) as an Admin or Member in the Power BI Workspace

  3. Use Client Credentials Flow for Authentication: Ensure your OAuth token request uses client_credentials and resource=https://analysis.windows.net/powerbi/api

  4. Correct API Permissions in Azure AD

    • Assign only application permissions:
      • Dataset.ReadWrite.All
      • Report.Read.All
      • Workspace.ReadWrite.All
    • Grant Admin Consent

  5. Generate Embed Token Using API

    1. POST https://api.powerbi.com/v1.0/myorg/reports/{reportId}/GenerateToken
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "accessLevel": "View",
  "identities": []
}

 

"The goal is to turn data into information, and information into insight." – Carly Fiorina

🔗 Need Power BI help? Connect on LinkedIn: Rohit Kumar’s LinkedIn

Message 2 of 4
704 Views
Waldner
New Member
In response to rohit1991

‎03-03-2025 09:59 AM

Hi @rohit1991

 

I'm encountering a similar issue and tried following your advice.

In step 1, I see the option "Service principals can use Fabric APIs," but not "Allow service principals to use Power BI APIs." 

In step 4, the application permissions only show Tenant.Read.All and Tenant.ReadWrite.All.

I'm not sure what I'm missing here. Can you help please?

 

Thanks!

 

 

Message 4 of 4
201 Views
0
Datawake
Regular Visitor
In response to rohit1991

‎02-07-2025 06:27 AM

Hi @rohit1991 ,

Thank you so much for your detailed instructions! I followed your steps, and it worked perfectly. I really appreciate your help.

Message 3 of 4
685 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

FebPBI_Carousel

Power BI Monthly Update - February 2025

Check out the February 2025 Power BI update to learn about new features.

Feb2025 NL Carousel

Fabric Community Update - February 2025

Find out what's new and trending in the Fabric community.

View All