id013
Helper V

Question about Rest API's and Service Principals

Hi,

 

So we currently use Power BI Rest API's to get a bunch of PBI Metadata and store it on a lakehouse. To accomplish that we use a Service Principal with assorted delegated permissions. We have never had any issues using the service principal to create a token to make our API Requests. 

 

However, we tried doing something similar for MS Graph API's, ie we created another service principal with assorted delegated permissions, but for some reason when we try to run these API's it complains that we don't have enough permissions. I've looked around and the consensus seems to be that we need application permissions not delegated, as that would mean a "user has to login" to use those. However as I said before, our PBI service principal only has delegated permissions and it's never had an issue. Is there something special with PBI rest api's that lets it run without issue on delegated or is there a setting that we're missing on the new service principal we created for MS Graph?

 

Thanks

1 ACCEPTED SOLUTION
v-veshwara-msft
Community Support

Hi @id013 ,

Thanks for reaching out to Microsoft Fabric Community.
Thanks @tayloramy for the input.

For additional context,
Power BI REST APIs allow service principals to work even when the permissions are listed as delegated, because Power BI supports service principal profiles. Once this is enabled in the tenant settings, the service principal acts like a virtual user, so the APIs can be called without an interactive sign-in.

 

Microsoft Graph follows the standard OAuth model. Delegated permissions require a signed-in user context, and service principals using the client credentials flow don’t have one. For non-interactive use, Graph requires application permissions with admin consent in Azure AD.

 

Similar discussions and related documentation:

Service principal doesn't respect delegated permissions - Microsoft Q&A

Authentication and authorization basics - Microsoft Graph | Microsoft Learn

Use service principal profiles to manage customer data in multitenant apps - Power BI | Microsoft Le...

 

Hope this helps. Please reach out for further assistance.

Thank you.

 

View solution in original post
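An added diagnostic example, not part of the original thread: decoding the access token's payload shows which kind of permission it actually carries. Delegated permissions appear in the `scp` claim and application permissions in the `roles` claim, so a client credentials token for an app with only delegated permissions has neither. The tokens below are constructed and unsigned, the `appid` is a placeholder, and `make_token`, `jwt_claims` and `classify` are hypothetical helper names.

```python
import base64
import json


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for the demo (not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


def jwt_claims(token: str) -> dict:
    """Decode the payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token: str, needed: str) -> dict:
    """Report whether a token is delegated or app-only and if `needed` is in it."""
    claims = jwt_claims(token)
    scopes = claims.get("scp", "").split()  # delegated permissions (user context)
    roles = claims.get("roles", [])         # application permissions (app-only)
    if scopes:
        kind, granted = "delegated", scopes
    elif roles:
        kind, granted = "app-only", roles
    else:
        # No user context and no consented application permissions.
        kind, granted = "app-only, no application permissions", []
    return {"kind": kind, "granted": granted, "sufficient": needed in granted}


# Constructed sample tokens; the appid is a placeholder.
APP = {"aud": "https://graph.microsoft.com",
       "appid": "00000000-0000-0000-0000-000000000000"}
SP_DELEGATED_ONLY = make_token(APP)  # client credentials, delegated grants only
SP_APP_PERMISSION = make_token({**APP, "roles": ["User.Read.All"]})
USER_SIGNED_IN = make_token({**APP, "scp": "User.Read.All Group.Read.All"})

if __name__ == "__main__":
    for name, tok in [("sp, delegated only", SP_DELEGATED_ONLY),
                      ("sp, application permission", SP_APP_PERMISSION),
                      ("signed-in user", USER_SIGNED_IN)]:
        print(name, classify(tok, "User.Read.All"))
```

Run `classify` on a token your own service principal obtained to confirm whether the permission you expect is present before calling the API.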

6 REPLIES 6

tayloramy
Community Champion

Hi @id013

 

Which specific APIs/endpoints are you using? The auth requirements vary depending on the specific endpoint.

 

I am able to do quite a lot with service principals and delegated/application permissions. 

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.


So as far as the MS Graph goes, we basically just want to query the Azure Entra directory. The problem is granting application permissions to our Service Principal would allow (as I understand it) these permissions to be run across the entire tenancy. The issue with that is our tenancy is huge and supports quite a few business units, who may not appreciate our service principal having application access. The tenancy admin group is not keen on giving our service principal this much access either. 

 

I thought b/c PBI rest api's let us use delegated permissions the same could be said for MS Graph APi's ... I guess not. 

Hi @id013 ,
Just checking in to see if you were able to review @tayloramy's last message and confirm which Microsoft Graph endpoints you plan to query. That will help determine whether delegated permissions might still work in your case or if restricted application permissions are required.

 

Thank you.

tayloramy
Community Champion

Hi @id013

 

Lots of the API endpoints require application permissions.  

What specifically are you trying to do?


The getUser endpoint allows for both application and delegated permissions: 
http://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&source=recommendations&tabs=...

So does the Get Group: https://learn.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http

 

If you can tell us what specific endpoint you are wanting to use, we can link you to the documentation. 

 

If you found this helpful, consider giving some Kudos. If I answered your question or solved your problem, mark this post as the solution.

 


@tayloramy 

Sorry I wasn't being clear, my issue wasn't that the API's wouldn't work with delegated permissions, it was that I wanted them to work without needing a login (which I understand is antithetical to delegated permissions) similar to how the Power BI Rest API's do but you've already explained why those work that way but Graph API's don't 
