Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Join us for an expert-led overview of the tools and concepts you'll need to become a Certified Power BI Data Analyst and pass exam PL-300. Register now.

Reply
Datawake
Regular Visitor

Issue with Power BI API Permissions for Reports and Datasets when Generating Embed Token

‎02-07-2025 05:05 AM

I am encountering an issue accessing the endpoints for reports and datasets in the Power BI API. My original goal is to generate the embed token using application permissions. However, upon investigating the access, I noticed that only the groups endpoint is accessible, while the reports and datasets endpoints do not appear.

I used JWT to decode the token I’m passing and saw that only the permissions roles: ["Tenant.ReadWrite.All", "Tenant.Read.All"] are being included in the token. According to the documentation, I need permissions for reports and datasets, but I added these permissions under ‘delegated permissions’ because they do not exist under ‘application permissions’. It seems the token only includes application permissions.

I have created the service in Azure and granted all the necessary permissions:

JSON

"scope": "UserDataFunction.Read.All Connection.ReadWrite.All Connection.Read.All UserState.ReadWrite.All Workspace.Read.All Workspace.ReadWrite.All Tenant.ReadWrite.All Dataset.ReadWrite.All Dataset.Read.All Dashboard.Read.All Tenant.Read.All App.Read.All Report.Execute.All Dashboard.Reshare.All Dashboard.ReadWrite.All Report.Read.All Report.ReadWrite.All Dashboard.Execute.All Workspace.GitCommit.All Workspace.GitUpdate.All"

Thank you for your assistance.
Labels:
Message 1 of 5
3,198 Views
0
1 ACCEPTED SOLUTION
rohit1991
Super User
Super User

‎02-07-2025 05:17 AM

Hi @Datawake .

Your issue is due to application permissions not including Report.Read.All and Dataset.Read.All, as these exist only under delegated permissions. Since you're using App-Only authentication, follow these steps:

  1. Enable Service Principal Access in Power BI

    • Go to Power BI Admin Portal → Tenant Settings
    • Enable “Allow service principals to use Power BI APIs”. Assign a Security Group

  2. Grant Workspace-Level Access: Add your Service Principal (App ID) as an Admin or Member in the Power BI Workspace

  3. Use Client Credentials Flow for Authentication: Ensure your OAuth token request uses client_credentials and resource=https://analysis.windows.net/powerbi/api

  4. Correct API Permissions in Azure AD

    • Assign only application permissions:
      • Dataset.ReadWrite.All
      • Report.Read.All
      • Workspace.ReadWrite.All
    • Grant Admin Consent

  5. Generate Embed Token Using API

    1. POST https://api.powerbi.com/v1.0/myorg/reports/{reportId}/GenerateToken
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "accessLevel": "View",
  "identities": []
}

 

"The goal is to turn data into information, and information into insight." – Carly Fiorina

🔗 Need Power BI help? Connect on LinkedIn: Rohit Kumar’s LinkedIn

View solution in original post

Message 2 of 5
3,177 Views
4 REPLIES 4
rohit1991
Super User
Super User

‎02-07-2025 05:17 AM

Hi @Datawake .

Your issue is due to application permissions not including Report.Read.All and Dataset.Read.All, as these exist only under delegated permissions. Since you're using App-Only authentication, follow these steps:

  1. Enable Service Principal Access in Power BI

    • Go to Power BI Admin Portal → Tenant Settings
    • Enable “Allow service principals to use Power BI APIs”. Assign a Security Group

  2. Grant Workspace-Level Access: Add your Service Principal (App ID) as an Admin or Member in the Power BI Workspace

  3. Use Client Credentials Flow for Authentication: Ensure your OAuth token request uses client_credentials and resource=https://analysis.windows.net/powerbi/api

  4. Correct API Permissions in Azure AD

    • Assign only application permissions:
      • Dataset.ReadWrite.All
      • Report.Read.All
      • Workspace.ReadWrite.All
    • Grant Admin Consent

  5. Generate Embed Token Using API

    1. POST https://api.powerbi.com/v1.0/myorg/reports/{reportId}/GenerateToken
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "accessLevel": "View",
  "identities": []
}

 

"The goal is to turn data into information, and information into insight." – Carly Fiorina

🔗 Need Power BI help? Connect on LinkedIn: Rohit Kumar’s LinkedIn

Message 2 of 5
3,178 Views
Waldner
New Member
In response to rohit1991

‎03-03-2025 09:59 AM

Hi @rohit1991

 

I'm encountering a similar issue and tried following your advice.

In step 1, I see the option "Service principals can use Fabric APIs," but not "Allow service principals to use Power BI APIs." 

In step 4, the application permissions only show Tenant.Read.All and Tenant.ReadWrite.All.

I'm not sure what I'm missing here. Can you help please?

 

Thanks!

 

 

Message 4 of 5
2,675 Views
pguth
New Member
In response to Waldner

‎05-21-2025 08:37 AM

Did you ever figure this out? I'm having the exact same outcome as what you describe.

 

Thanks,

 

Philip

Message 5 of 5
1,096 Views
0
Datawake
Regular Visitor
In response to rohit1991

‎02-07-2025 06:27 AM

Hi @rohit1991 ,

Thank you so much for your detailed instructions! I followed your steps, and it worked perfectly. I really appreciate your help.

Message 3 of 5
3,159 Views
0

Helpful resources

Announcements
Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

June 2025 Power BI Update Carousel

Power BI Monthly Update - June 2025

Check out the June 2025 Power BI update to learn about new features.

June 2025 community update carousel

Fabric Community Update - June 2025

Find out what's new and trending in the Fabric community.

View All