Thanks again for your help @SpartaBI.

I guess the flaw was me using that API call for a dataset refresh schedule that is apparently meant for a My Workspace, but the strange thing is it still worked on a Shared Workspace when I used my PowerShell generated Token.

This is what I was trying to use

This one just worked with the App Token with a groupid and datasetid for a test.

I was already trying the workspace permissions thing, but was using the Security Group that had the App's SP account in it. That apparently does not work. Once I added the App itself directly into the workspace permissions, now the GroupId/DatasetId API call works for me.

I'll post another reply combining your solutions to mark that 1 response as the solution. Thank you again!

Yes, we do have everything setup like this, all of the Enabled ones are set for Only our Power BI Admin Security Group.

Are you saying you can search for and add the Registered Application into that Security Group? Maybe thats the catch here? I had played around with removing the Only part on these settings so it was Entire Organization to see if that made a difference and it didn't.

**Edit, I do see under AD there is a section about Applications when viewing my Security Group. I am not an Azure Admin so I'm checking with one to try and add it here.

We tried this out. No luck. Created a Security Group, Service Principle account, added it into the Group, added the SP to Own the Application, and added the Group onto the Power BI Admin portal in those API settings.

You said the M-code worked for you, just to confirm, was it both the GET Access Token and the API Call for Workspaces and Expanded info?

Besides doing this, I'm really stuck now. What else makes sense to anyone?

Hi @SpartaBI ,

Can you clear one thing up for me, how are you adding the App to an AAD security group?

Hi @SpartaBI 

Thank you for your patience and help!

We have 95% Success! We created a New App (with no API Permissions) and added both into the Security Group we created just for SP's.

*I think my confusion was that a Service Principle exists for the App Registration, and I was thinking it had to somehow use a physically created Service Principle user we created.

Our 1st App Registration that had the API Permissions, but was otherwise identical to the 2nd new App Reg, still wouldn't work after adding into the Security Group.

But at least the 2nd App is working in the API.

I said 95% because it works on all of my admin/ API calls, but it won't work on a non-Admin call. I have one trying to get the refresh schedules across the list of WorkspaceIDs and that says Access Forbidden. This same function structure works for another one that gets all Users off the Apps because thats an admin/ call.

Thoughts??

I'm thinking we need to now add in the API Permissions that the non-Admin calls get treated as Delegated and will need those added? I'm also hoping by adding those permissions, it wouldn't break whats working and cause us to have to recreate again (just saying this because I know how querky MS can be sometimes).

*FYI, yes that previous post would be at least part of the solution to this posting, but I'm hoping we figure out how to get this non-Admin API working, then consolidate the answers into 1 post and mark that as the solution. This can hopefully help a lot of people.

(datasetId as text) =>
let
Source = Json.Document(Web.Contents("https://api.powerbi.com/v1.0/myorg/",
[
RelativePath = "datasets/" & datasetId & "/refreshSchedule",
Headers=[Authorization="Bearer " & #"GET Access Token"()]
] )),
value = Source[value],
#"Converted to Table" = Table.FromList(value, Splitter.SplitByNothing(), null, null, ExtraValues.Error)
in
#"Converted to Table"

Hi @SpartaBI *update

The strange thing here is that the Admin/ API calls worked, the datasets/ call would say Access Forbidden.

We tried adding API Permissions to the App Registration and when doing all of the Read permissions that did not require Azure Admin Consent, nothing changed. Once we added any of the Tenant.ReadAll (Delegated or Application) and had the Azure Admin grant permissions, then the Admin/ API calls stopped working, but the datasets/ still didn't work either.

I'm running out of ideas here. When reading the REST API documentation, it does says under the datasets/ that you just needed scope for Datasets.ReadAll or Datasets/ReadWriteAll so I'm not sure why it still refuses to work.

I was even trying this call just to make sure it was not relying on any other calls in my PQ steps. It works with my PowerShell retrieved token.

let
Source = Json.Document(Web.Contents("https://api.powerbi.com/v1.0/myorg/",
[
RelativePath = "datasets/{datasetid}/refreshSchedule",
Headers=[Authorization="Bearer " & #"GET Access Token"()]
] ))
in
Source

My comment about making the SP an Owner was because your picture of the App Registration that showed your SP account was an Owner on the application, I thought that was something also necessary for this to work. We can move on from that now.

Are you saying that you don't need to grant the Power BI Service API Permissions on this App Registration though?

Just to clarify something, the way I used to get my access token when doing this more manually, before trying to automate by using the Registered App, I went to the Microsoft Documents site for the Power BI APIs. You used to be able to click Try It and in that window you could copy out your Access Token. Microsoft for some reason removed that part of the website and you can't Try It anymore. I wasn't having success getting a good token either from Postman, so I went the PowerShell route just for the manual token so I can at least use the report yet while trouble shooting this Registered App token usage.

PowerShell was simple, just made sure to have the cdmlets, #1 logged in (didn't matter if ServiceAccount or personal Login), and then ran the #2 to Get Token

1.      Connect-PowerBIServiceAccount
2.      Get-PowerBIAccessToken -AsString

Parameter values that are not my sensitive data are:

grant_type = client_credentials

resource = https://analysis.windows.net/powerbi/api

This is the M-code getting the Token from the Registered App

() =>
let
body = "grant_type=" & grant_type & "&client_id=" & client_id & "&client_secret=" & client_secretvalue & "&resource=" & resource,
Data = Json.Document(Web.Contents("https://login.microsoftonline.com/" & tenant_id & "/oauth2/token/", [Headers=[#"Content-Type"="application/x-www-form-urlencoded"], Content=Text.ToBinary(body)])),
access_token = Data[access_token]
in
access_token

This is the M-code where I am running one of the API calls. *Notice where I have the CurrentToken parameter being used, which uses the PowerShell produced Token. Once I remove that and use the GET Access Token Function, it won't work. I have even tested invoking the Function and pasting the result into the CurrentToken and didn't make a difference

let
Source = Json.Document(Web.Contents("https://api.powerbi.com/v1.0/myorg/",
[
RelativePath = "admin/groups?$top=5000&$expand=datasets,dataflows,reports,dashboards,users",
Headers=[Authorization="Bearer " & CurrentToken/*#"GET Access Token"()*/]
] )),
value = Source[value],
#"Converted to Table" = Table.FromList(value, Splitter.SplitByNothing(), null, null, ExtraValues.Error)
in
#"Converted to Table"