Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
Datawake
Regular Visitor

Issue with Power BI API Permissions for Reports and Datasets when Generating Embed Token

‎02-07-2025 05:05 AM

I am encountering an issue accessing the endpoints for reports and datasets in the Power BI API. My original goal is to generate the embed token using application permissions. However, upon investigating the access, I noticed that only the groups endpoint is accessible, while the reports and datasets endpoints do not appear.

I used JWT to decode the token I’m passing and saw that only the permissions roles: ["Tenant.ReadWrite.All", "Tenant.Read.All"] are being included in the token. According to the documentation, I need permissions for reports and datasets, but I added these permissions under ‘delegated permissions’ because they do not exist under ‘application permissions’. It seems the token only includes application permissions.

I have created the service in Azure and granted all the necessary permissions:

JSON

"scope": "UserDataFunction.Read.All Connection.ReadWrite.All Connection.Read.All UserState.ReadWrite.All Workspace.Read.All Workspace.ReadWrite.All Tenant.ReadWrite.All Dataset.ReadWrite.All Dataset.Read.All Dashboard.Read.All Tenant.Read.All App.Read.All Report.Execute.All Dashboard.Reshare.All Dashboard.ReadWrite.All Report.Read.All Report.ReadWrite.All Dashboard.Execute.All Workspace.GitCommit.All Workspace.GitUpdate.All"

Thank you for your assistance.
Labels:
Message 1 of 5
3,687 Views
0
1 ACCEPTED SOLUTION
rohit1991
Super User
Super User

‎02-07-2025 05:17 AM

Hi @Datawake .

Your issue is due to application permissions not including Report.Read.All and Dataset.Read.All, as these exist only under delegated permissions. Since you're using App-Only authentication, follow these steps:

  1. Enable Service Principal Access in Power BI

    • Go to Power BI Admin Portal → Tenant Settings
    • Enable “Allow service principals to use Power BI APIs”. Assign a Security Group

  2. Grant Workspace-Level Access: Add your Service Principal (App ID) as an Admin or Member in the Power BI Workspace

  3. Use Client Credentials Flow for Authentication: Ensure your OAuth token request uses client_credentials and resource=https://analysis.windows.net/powerbi/api

  4. Correct API Permissions in Azure AD

    • Assign only application permissions:
      • Dataset.ReadWrite.All
      • Report.Read.All
      • Workspace.ReadWrite.All
    • Grant Admin Consent

  5. Generate Embed Token Using API

    1. POST https://api.powerbi.com/v1.0/myorg/reports/{reportId}/GenerateToken
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "accessLevel": "View",
  "identities": []
}

Did it work? ✔ Give a Kudo • Mark as Solution – help others too!

View solution in original post

Message 2 of 5
3,666 Views
4 REPLIES 4
rohit1991
Super User
Super User

‎02-07-2025 05:17 AM

Hi @Datawake .

Your issue is due to application permissions not including Report.Read.All and Dataset.Read.All, as these exist only under delegated permissions. Since you're using App-Only authentication, follow these steps:

  1. Enable Service Principal Access in Power BI

    • Go to Power BI Admin Portal → Tenant Settings
    • Enable “Allow service principals to use Power BI APIs”. Assign a Security Group

  2. Grant Workspace-Level Access: Add your Service Principal (App ID) as an Admin or Member in the Power BI Workspace

  3. Use Client Credentials Flow for Authentication: Ensure your OAuth token request uses client_credentials and resource=https://analysis.windows.net/powerbi/api

  4. Correct API Permissions in Azure AD

    • Assign only application permissions:
      • Dataset.ReadWrite.All
      • Report.Read.All
      • Workspace.ReadWrite.All
    • Grant Admin Consent

  5. Generate Embed Token Using API

    1. POST https://api.powerbi.com/v1.0/myorg/reports/{reportId}/GenerateToken
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "accessLevel": "View",
  "identities": []
}

Did it work? ✔ Give a Kudo • Mark as Solution – help others too!
Message 2 of 5
3,667 Views
Waldner
New Member
In response to rohit1991

‎03-03-2025 09:59 AM

Hi @rohit1991

 

I'm encountering a similar issue and tried following your advice.

In step 1, I see the option "Service principals can use Fabric APIs," but not "Allow service principals to use Power BI APIs." 

In step 4, the application permissions only show Tenant.Read.All and Tenant.ReadWrite.All.

I'm not sure what I'm missing here. Can you help please?

 

Thanks!

 

 

Message 4 of 5
3,164 Views
pguth
New Member
In response to Waldner

‎05-21-2025 08:37 AM

Did you ever figure this out? I'm having the exact same outcome as what you describe.

 

Thanks,

 

Philip

Message 5 of 5
1,585 Views
0
Datawake
Regular Visitor
In response to rohit1991

‎02-07-2025 06:27 AM

Hi @rohit1991 ,

Thank you so much for your detailed instructions! I followed your steps, and it worked perfectly. I really appreciate your help.

Message 3 of 5
3,648 Views
0

Helpful resources

Announcements
July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

View All