skumar73
Helper I

New-PowerBIReport is throwing BadRequest error with Connect-PowerBIServiceAccount Silent login

I'm running into an issue with my PowerShell script that uses the New-PowerBIReport cmdlet. When I authenticate using Connect-PowerBIServiceAccount with silent login, the script throws a BadRequest error during the report migration step.

Interestingly, the same script works fine using interactive login. Initially, I suspected that the user session might not be valid during the New-PowerBIReport call. However, I confirmed that silent login is working properly by calling another cmdlet (to list reports), which executed without any issues.

So it seems the issue is isolated to the New-PowerBIReport cmdlet when used with silent authentication.

Has anyone else run into this? If so, I’d appreciate any guidance or solutions you've come across.

 

Import-Module MicrosoftPowerBIMgmt

<#
#Getting GitLab PAT
$token = [System.Environment]::GetEnvironmentVariable("Gitlab_PAT", "User")
$outputPath = "$PSScriptRoot\Files\"

#Getting Env name & DB credentials
$aws_secret_id=[System.Environment]::GetEnvironmentVariable("PBI_ENV", "User")

$region = "us-west-2" # Change based on your secret's region

$response=Get-SECSecretValue -SecretId "$aws_secret_id" -Region $region

# Secrets can be stored as plaintext or JSON
$secretString = $response.SecretString

# If it's JSON, parse it
$secretObject = $null
if ($secretString.Trim().StartsWith('{')) {
    $secretObject = $secretString | ConvertFrom-Json
}

$uid=($secretObject.'DB-UserName')
$pwd=($secretObject.'DB-Password')
$dburl=($secretObject.'DB-OracleUrl')
$sid=$dburl.Substring($dburl.IndexOf("/")+1)
$tenantId=($secretObject.'PowerBIEntra-Tenanat-ID')
$clientId=($secretObject.'PowerBIEntra-Client-ID')
$clientSecret=($secretObject.'PowerBIEntra-Client-Secret')


#Connect-PowerBIServiceAccount

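# Use a dedicated variable: $pwd is a PowerShell automatic variable and already holds the DB password above
$secureSecret = ConvertTo-SecureString $clientSecret -Force -AsPlainText
$credential = New-Object -TypeName System.Management.Automation.PSCredential($clientId,$secureSecret)
Connect-PowerBIServiceAccount -ServicePrincipal -TenantId "$tenantId" `
    -Credential $credential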

#>

Connect-PowerBIServiceAccount
$workspaceName = "Reporting Sandbox"
$workspace = Get-PowerBIWorkspace -Name $workspaceName

if($workspace)
{
    Write-Host "The workspace named $workspaceName already exists."
}
else
{
    Write-Host "Creating new workspace named $workspaceName..."
    $workspace = New-PowerBIWorkspace -Name $workspaceName
}

$file = "C:\Users\Downloads\test.pbix"
New-PowerBIReport -Path $file -Workspace $workspace -ConflictAction CreateOrOverwrite
Disconnect-PowerBIServiceAccount
<#
This is migrating the report fine with interactive login
#>

1 ACCEPTED SOLUTION

Yes, Anjan. I opened a ticket yesterday and have a call scheduled with Microsoft today to go over the issue. Thanks again to everyone for your help and support so far.


13 REPLIES
skumar73
Helper I

Since service principals aren’t supported for uploading/migrating reports into Power BI workspaces, I tried using a domain resource account—a user-like account without MFA for systematic process.

Everything else works as expected:

  • Credentials are read successfully from AWS Secrets Manager

  • Reports are downloaded from GitLab

  • Workspace connection is established

  • Other operations like adding users and deleting reports from the workspace are working fine

However, the upload/migrate report step fails with an “Unauthorized” error.

I haven’t found any documentation suggesting that domain resource accounts are unsupported by this cmdlet. So, I’m planning to open a ticket for this issue unless there’s a known limitation I might be missing.

Let me know if anyone has run into something similar or has guidance before I proceed.

Hi @skumar73,

 

Thank you for the response and for confirming that it is working as expected, except for the upload/migrate report step. I suggest you raise a support ticket for further assistance. To raise a support ticket, kindly follow the steps outlined in the following guide:

How to create a Fabric and Power BI Support ticket - Power BI | Microsoft Learn

 

Thanks and regards,

Anjan Kumar Chippa

Yes, Anjan. I opened a ticket yesterday and have a call scheduled with Microsoft today to go over the issue. Thanks again to everyone for your help and support so far.

Hi @skumar73,

 

Thanks for the update. If you have any further issues, please reach out to the Microsoft Fabric Community.

Thank you for being part of the Fabric Community forum.

 

Thanks and regards,

Anjan Kumar Chippa

skumar73
Helper I

Thank you @Shahid12523 and @johnbasha33 for your help. We already have our service principal configured in Power BI Admin with the setting 'Allow service principals to use Power BI APIs' enabled. It also has Admin role access to the relevant workspaces.

Our Java application has been working fine so far—it’s able to refresh datasets, retrieve report lists, and bind reports to different datasets. The app is also granted the Report.ReadWrite.All permission.

However, I’m currently running into issues with report upload, and I’m wondering if there are any additional settings or permissions that need to be enabled to allow this operation to succeed.

Thanks again for your support!

Hi @skumar73,

 

Thank you for reaching out to Microsoft Fabric Community.

 

Thank you @Shahid12523 and @johnbasha33 for the prompt response.

 

Thank you for confirming your tenant setting and workspace role. The issue here is caused by a specific limitation: service principals cannot import PBIX files that have a protected sensitivity label. With interactive login (a user token) the same PBIX can be published, which is why your Java app and listing calls work but the SP-based upload fails with 400 BadRequest. Please follow the steps below:

  • Save the PBIX without a protected label, for example by setting the sensitivity to None or to an unprotected label, save it, and then publish via the service principal. After import, apply the sensitivity label in the service so the content is protected in the workspace even though the file itself was not encrypted at upload.
  • If your policy requires protected labels on the PBIX file itself, use a delegated user token for the import step and keep using the service principal for the remaining operations such as refresh/rebind/list.

Please refer to the document below; this is covered in Microsoft’s Import API documentation:

https://learn.microsoft.com/en-us/rest/api/power-bi/imports/post-import

 

 

Thanks and regards,

Anjan Kumar Chippa
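
Added example (not code from any participant in this thread or from Microsoft): a non-interactive upload step that calls the Import API linked above with a service principal token and writes the API's own error body to the log, so the reason behind a 400 or 401 is visible in CI output. It assumes PowerShell 7 (for `-Form`); the `PBI_*` environment variable names and the file path are hypothetical.

```powershell
#Requires -Version 7.0
# Added example: hypothetical CI upload step, not the original poster's script.
Import-Module MicrosoftPowerBIMgmt

# Assumed names of masked CI variables; the path below is constructed.
$tenantId      = $env:PBI_TENANT_ID
$clientId      = $env:PBI_CLIENT_ID
$clientSecret  = $env:PBI_CLIENT_SECRET
$pbixPath      = Join-Path $PSScriptRoot 'Files\test.pbix'
$workspaceName = 'Reporting Sandbox'

$secure = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$cred   = [pscredential]::new($clientId, $secure)
Connect-PowerBIServiceAccount -ServicePrincipal -Tenant $tenantId -Credential $cred | Out-Null

try {
    $ws = Get-PowerBIWorkspace -Name $workspaceName
    if (-not $ws) {
        throw "Workspace '$workspaceName' not found or not visible to the service principal."
    }

    # datasetDisplayName must include the .pbix extension.
    $name = [uri]::EscapeDataString([IO.Path]::GetFileName($pbixPath))
    $uri  = "https://api.powerbi.com/v1.0/myorg/groups/$($ws.Id)/imports" +
            "?datasetDisplayName=$name&nameConflict=CreateOrOverwrite"

    # -AsString returns the complete "Bearer <token>" header value.
    $headers = @{ Authorization = Get-PowerBIAccessToken -AsString }

    # -Form sends the file as multipart/form-data.
    $import = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
        -Form @{ file = Get-Item $pbixPath }
    Write-Host "Import accepted, id: $($import.id)"
}
catch {
    # ErrorDetails.Message holds the response body returned by the API, if any.
    Write-Error "PBIX import failed: $($_.Exception.Message)`n$($_.ErrorDetails.Message)"
    exit 1
}
finally {
    # Runs on success and on the exit above, so the token is always dropped.
    Disconnect-PowerBIServiceAccount
}
```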

09/05 Update

Had a call with Microsoft Support where I walked them through the issue. I demonstrated that the resource account is able to perform other admin-level operations—such as adding users and deleting reports from the workspace—without any issues.

After the call, I conducted additional testing and observed some strange behavior:

  • I created a report directly in the Power BI Service, using a calculated table.

  • I then downloaded that report and attempted to upload it through the same resource account.

  • Interestingly, the upload succeeded, but it created a new version of the report along with a new semantic model.

  • Subsequent uploads started overwriting that second version, not the original.

I’ve shared these findings with Microsoft. Based on this behavior, it appears the upload operation works—but not consistently or as expected when using a resource account. There's likely a bug or undocumented restriction affecting how uploads are handled in this context.

I will continue to research and post my updates here.

Thanks, Anjan, for pointing out the documentation I had overlooked and for the additional suggestions regarding sensitivity labels. That said, I won’t be able to use a user-delegated token, as I’m working on a CI/CD implementation with GitLab where interactive login isn’t an option.

Since there’s currently no official solution for GitLab, I’m building a custom approach using the Power BI REST API and PowerShell scripts. Thanks!

Hi @skumar73,

 

Thank you for the response, I am glad that the documentation helped clarify things. Yes, for CI/CD with GitLab, service principals are the right approach. At present, because of the import limitation with protected PBIX files, the only supported way is what you have outlined.
I recommend submitting this as a feature request with detailed feedback and ideas through Microsoft's official feedback channels. Feedback submitted through these channels is frequently reviewed by the product teams and can contribute to meaningful improvements.

Fabric Ideas - Microsoft Fabric Community

 

Thanks and regards,

Anjan Kumar Chippa

Sure Anjan, I will submit this request in Ideas.

Shahid12523
Community Champion

New-PowerBIReport fails with service principal login because PBIX upload is blocked by default.

 

Fix:

 

In Power BI Admin Portal → Tenant settings, enable service principal for PBIX upload.

Ensure service principal has Admin/Member access to the workspace.

Without this, only interactive login works.

Shahed Shaikh
johnbasha33
Super User

Hi,
This usually isn’t a “session” problem—it’s permissions/tenant settings. With interactive login you (the user) have rights to publish; with silent login your service principal typically only has read/list rights, so New-PowerBIReport (an upload) returns 400 BadRequest.

  • Enable service principals for the tenant
    Power BI Admin Portal → Tenant settings → Allow service principals to use Power BI APIs → Enabled and scoped to a security group that contains your app registration (service principal).

  • Put the service principal in the workspace with a write-capable role
    Add it as Contributor/Member/Admin (Viewer/none won’t work even though listing reports can still succeed). You can do this with PowerShell (note PrincipalType App and the object id of the service principal):

    $ws = Get-PowerBIWorkspace -Name "Reporting Sandbox"
    Add-PowerBIWorkspaceUser -Id $ws.Id `
        -PrincipalType App `
        -Identifier "<SERVICE_PRINCIPAL_OBJECT_ID>" `
        -AccessRight Contributor

    Docs for the cmdlet are here (Microsoft Learn).
    (You can also do it in the workspace’s Access pane in the Service UI.)

  • Use correct service principal auth in your script
    Your silent block looks fine; this is the canonical pattern:

    $sec = ConvertTo-SecureString $clientSecret -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($clientId, $sec)
    Connect-PowerBIServiceAccount -ServicePrincipal -Tenant $tenantId -Credential $cred

Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!


@skumar73
