Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

Reply
Datawake
New Member

Issue with Power BI API Permissions for Reports and Datasets when Generating Embed Token

Friday

I am encountering an issue accessing the endpoints for reports and datasets in the Power BI API. My original goal is to generate the embed token using application permissions. However, upon investigating the access, I noticed that only the groups endpoint is accessible, while the reports and datasets endpoints do not appear.

I used JWT to decode the token I’m passing and saw that only the permissions roles: ["Tenant.ReadWrite.All", "Tenant.Read.All"] are being included in the token. According to the documentation, I need permissions for reports and datasets, but I added these permissions under ‘delegated permissions’ because they do not exist under ‘application permissions’. It seems the token only includes application permissions.

I have created the service in Azure and granted all the necessary permissions:

JSON

"scope": "UserDataFunction.Read.All Connection.ReadWrite.All Connection.Read.All UserState.ReadWrite.All Workspace.Read.All Workspace.ReadWrite.All Tenant.ReadWrite.All Dataset.ReadWrite.All Dataset.Read.All Dashboard.Read.All Tenant.Read.All App.Read.All Report.Execute.All Dashboard.Reshare.All Dashboard.ReadWrite.All Report.Read.All Report.ReadWrite.All Dashboard.Execute.All Workspace.GitCommit.All Workspace.GitUpdate.All"

Thank you for your assistance.
Labels:
Message 1 of 3
150 Views
0
1 ACCEPTED SOLUTION
rohit1991
Super User
Super User

Friday

Hi @Datawake .

Your issue is due to application permissions not including Report.Read.All and Dataset.Read.All, as these exist only under delegated permissions. Since you're using App-Only authentication, follow these steps:

  1. Enable Service Principal Access in Power BI

    • Go to Power BI Admin Portal → Tenant Settings
    • Enable “Allow service principals to use Power BI APIs”. Assign a Security Group

  2. Grant Workspace-Level Access: Add your Service Principal (App ID) as an Admin or Member in the Power BI Workspace

  3. Use Client Credentials Flow for Authentication: Ensure your OAuth token request uses client_credentials and resource=https://analysis.windows.net/powerbi/api

  4. Correct API Permissions in Azure AD

    • Assign only application permissions:
      • Dataset.ReadWrite.All
      • Report.Read.All
      • Workspace.ReadWrite.All
    • Grant Admin Consent

  5. Generate Embed Token Using API

    1. POST https://api.powerbi.com/v1.0/myorg/reports/{reportId}/GenerateToken
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "accessLevel": "View",
  "identities": []
}

 

"The goal is to turn data into information, and information into insight." – Carly Fiorina

🔗 Need Power BI help? Connect on LinkedIn: Rohit Kumar’s LinkedIn

View solution in original post

Message 2 of 3
129 Views
2 REPLIES 2
rohit1991
Super User
Super User

Friday

Hi @Datawake .

Your issue is due to application permissions not including Report.Read.All and Dataset.Read.All, as these exist only under delegated permissions. Since you're using App-Only authentication, follow these steps:

  1. Enable Service Principal Access in Power BI

    • Go to Power BI Admin Portal → Tenant Settings
    • Enable “Allow service principals to use Power BI APIs”. Assign a Security Group

  2. Grant Workspace-Level Access: Add your Service Principal (App ID) as an Admin or Member in the Power BI Workspace

  3. Use Client Credentials Flow for Authentication: Ensure your OAuth token request uses client_credentials and resource=https://analysis.windows.net/powerbi/api

  4. Correct API Permissions in Azure AD

    • Assign only application permissions:
      • Dataset.ReadWrite.All
      • Report.Read.All
      • Workspace.ReadWrite.All
    • Grant Admin Consent

  5. Generate Embed Token Using API

    1. POST https://api.powerbi.com/v1.0/myorg/reports/{reportId}/GenerateToken
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "accessLevel": "View",
  "identities": []
}

 

"The goal is to turn data into information, and information into insight." – Carly Fiorina

🔗 Need Power BI help? Connect on LinkedIn: Rohit Kumar’s LinkedIn

Message 2 of 3
130 Views
Datawake
New Member
In response to rohit1991

Friday

Hi @rohit1991 ,

Thank you so much for your detailed instructions! I followed your steps, and it worked perfectly. I really appreciate your help.

Message 3 of 3
111 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Prices go up Feb. 11th.

Feb2025 Sticker Challenge

Join our Community Sticker Challenge 2025

If you love stickers, then you will definitely want to check out our Community Sticker Challenge!

Jan25PBI_Carousel

Power BI Monthly Update - January 2025

Check out the January 2025 Power BI update to learn about new features in Reporting, Modeling, and Data Connectivity.

Jan NL Carousel

Fabric Community Update - January 2025

Find out what's new and trending in the Fabric community.

View All