Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn a 50% discount on the DP-600 certification exam by completing the Fabric 30 Days to Learn It challenge.

Reply
nishanttayal
Frequent Visitor

Power BI Rest API is throwing Forbidden error on Datasets API through Service Principle

All the Dataset API's are giving forbidden error when hit through Service Principle. 
Service Priciple App is having access of Tenant.ReadWrite.All but still its not accessible. Appreciate any lead it making Dataset and Gateway API work through service principle.

8 REPLIES 8
tmjones2
Frequent Visitor

Fixed my problem by using RefreshDatasetInGroupAsync (must be the one that has both the group {workspace} and dataset ID)

tmjones2
Frequent Visitor

DId you ever find a solution? Having the same problem, service principal can do other things like get the workspaces, datasets, etc. but I'm getting "Forbidden" when using Datasets.RefreshDataset (or the async version).

v-yueyunzh-msft
Community Support
Community Support

Hi , @nishanttayal 

As far as I know, the 403 error code is usually caused by insufficient permissions or being prohibited from the server for this requested operation, if your service principal already has sufficient permissions: Tenant.readwrite, then I think the only place to check and confirm is that you need to work with your tenant administrator to confirm the Admin in your Power BI tenant These two options in the portal allow the service principal to use the Power BI API are turned on:

vyueyunzhmsft_0-1670464253573.png

vyueyunzhmsft_1-1670464264377.png

 

Thank you for your time and sharing, and thank you for your support and understanding of PowerBI! 

 

Best Regards,

Aniya Zhang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

 

Is read only Admin API access is mandatory to access Dataset and Gateway REST API's? This service principle do have the access for Power BI REST API's as you shown in the snapshot. But I really doubt if I would be able to Allow this service priciple for read-only Admin API's.

No it's not. The settings for Read only Admin API it's only for admin requests from the doc. Those requests are intended for get massive artifacts over the tenant. However if  you just want to use the get datasets from group from the datasets category, you don't need admin permissions, you just need the ones I told you before. The request will only work if the Registered App is added in the workspace like any other user. The requests will work with the artifacts the login has access, so it will work with things the Registered App has access.

If you have already assigned the read write for datasets, groups and tenant, then you just need to add theregistered App to the workspace you want to return.

I hope that helps,


If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

Hi , @nishanttayal 


As you describe today, you want to use your service principal to access all the Dataset and Gateway rest APIs, right? If that's the case, I don't think granting this service principal a simple "Tenant.readwrite" permission will perform all API operations, for example, the prerequisite for this Datasets - Get Dataset In Group is Dataset.ReadWrite.All or Dataset.Read.All, not the Tenant.readwrite you granted.

Datasets - Get Dataset In Group - REST API (Power BI Power BI REST APIs) | Microsoft Learn

 

vyueyunzhmsft_0-1670484228805.png

I don't think it's enough to use all the Dataset and Gateway rest APIs as you said that the read-only admin API option in the Tenant's admin portal is enough, for example, the Datasets - Cancel Refresh In Group API requires write permission, so I think put a few Tenant admins Portal service principal-related permission options are turned on to be the most secure choice.

 

Thank you for your time and sharing, and thank you for your support and understanding of PowerBI! 

 

Best Regards,

Aniya Zhang

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly

ibarrau
Super User
Super User

Hi. Let's see. Is the service principal an admin on the workspace of the datasets? do you have turned on the option to allow service principals to use the Rest API? (setting in admin portal for tenant settings)

If all that is correct and you still have the 403 forbidden, try adding Dataset.ReadWrite.All because I'm not sure that just adding tenant means you can do it all. Also, the tenant permission should be concent by an admin, otherwise it won't allow anything.

I hope that helps,


If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Happy to help!

LaDataWeb Blog

Hey,
Yes, this service principle is allowed for POWER BI REST API's. And it also has Dataset.ReadWrite.All access on the Azure App.
Yes, my tenant permission is approved by Admin and I am able to use other API's like uploading the report, getting the export of report, creating new groups/workspaces.
Only thing I am struggling to make it work is the Dataset & Gateway API's.

Helpful resources

Announcements
RTI Forums Carousel3

New forum boards available in Real-Time Intelligence.

Ask questions in Eventhouse and KQL, Eventstream, and Reflex.

MayPowerBICarousel

Power BI Monthly Update - May 2024

Check out the May 2024 Power BI update to learn about new features.

LearnSurvey

Fabric certifications survey

Certification feedback opportunity for the community.

Top Solution Authors
Top Kudoed Authors