Issue:
Service Principal Name (SPN), Power BI REST API, Invoke-RestMethod, 403 Forbidden
Registered an App in Azure AD
API permissions
Workspace Read all
Workspace Readwrite all
Enabled "Allow service principals to use Power BI APIs" (Power BI Admin Tenant Settings)
Generated an access token
$tenantId = "<Tenant-ID>"
$clientId = "<App-Client-ID>"
$clientSecret = "<App-Client-Secret>"
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$body = @{
    client_id = $clientId
    client_secret = $clientSecret
    resource = "https://graph.microsoft.com"
    grant_type = "client_credentials"
}
$response = Invoke-RestMethod -Uri $tokenUrl -Method Post -Body $body -ContentType "application/x-www-form-urlencoded"
$accessToken = $response.access_token
PowerShell script to add SPN in Power BI workspace
$workspaceId = "<Workspace-ID>"
$spnObjectId = "<SPN-Object-ID>" # From Azure AD
$role = "Admin"
$uri = "https://api.powerbi.com/v1.0/myorg/groups/$workspaceId/users"
$headers = @{
    Authorization = "Bearer $accessToken"
    "Content-Type" = "application/json"
}
$body = @{
    identifier = $spnObjectId
    principalType = "App"
    accessRight = $role
} | ConvertTo-Json -Depth 3
Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -Body $body
---------------------------------------------------------------------------------------------------------------------------------------------
Error Message:
Invoke-RestMethod : The remote server returned an error: (403) Forbidden.
At C:\Users\...\SPN.ps1:36 char:1
+ Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -Body $bod ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest)
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Are there additional Power BI Admin settings required for SPNs to manage workspaces?
Is there a specific API scope required when generating an access token for this operation?
Any guidance would be appreciated. Thank you! 😊
@Arioli_Chezhian @danextian @Ritaf1983 @rajendraongole1
Hi @viveksairam89
Thank you for confirming that your issue has been resolved.
Could you please accept the solution that resolved your issue? This will be helpful for others in the community who may face similar issues.
Thanks and regards,
Cheri Srikanth
Hi @viveksairam89
We haven't heard from you since the last response and just wanted to check whether the solution provided has worked for you. If yes, please Accept as Solution to help others in the community benefit.
Thank you,
Cheri Srikanth.
Hi @viveksairam89
It's been a while since I heard back from you and I wanted to follow up. Have you had a chance to try the solutions that have been offered?
If the issue has been resolved, can you mark the post as resolved? If you're still experiencing challenges, please feel free to let us know and we'll be happy to continue to help!
Looking forward to your reply!
Thanks
Cheri Srikanth
Hi, thanks for checking. I have found a solution and resolved it for the same script.
I wanted to follow up on the previous discussion with @ibarrau regarding the API operations and workspace access. Could you please confirm if your app, which is registered for login and obtaining the token, is a member of the workspace where you intend to add another app?
As mentioned, API operations require the app to be part of the workspace. Ensuring this would be critical for your workflow to function properly.
Thanks and Regards,
Cheri Srikanth
Hi. Is your App, the one registered for login and getting the token, a member of the workspace that you want to add another App to? The API operations need the App to be part of the workspace.
I hope that helps,
Happy to help!
Hi,
Can you elaborate on your question?
Issue: I am just trying to add an SPN to a PBI workspace as Member using the above script.
My app is registered in the Azure directory portal with the required API permissions, admin granted:
Workspace Read all - View all workspaces
Workspace Readwrite all - Read and write all workspaces
Power BI Admin API settings: Service principals can access read - for entire Organisation
Ok, make sure the App is Admin of the workspace, not member. Only Admin can Add or remove any user in a workspace or roles.
I hope that helps,
Happy to help!
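
A pre-flight check for the 403 discussed in this thread, as an added PowerShell example that is not any poster's code: it confirms the token's audience is the Power BI service and that the calling service principal is already Admin of the workspace before attempting the add. The Power BI resource URI and the `groupUserAccessRight` field name are taken from Microsoft's Power BI REST API documentation, not from the thread; `PBI_CLIENT_SECRET`, `$callerId` and `Get-JwtPayload` are hypothetical names, and the identifier returned for an App principal is assumed to be its object ID.

```powershell
# Placeholders as in the thread; the secret is read from an environment variable (assumed name).
$tenantId     = "<Tenant-ID>"
$clientId     = "<App-Client-ID>"
$clientSecret = $env:PBI_CLIENT_SECRET
$workspaceId  = "<Workspace-ID>"
$callerId     = "<Calling-SPN-Object-ID>"   # service principal that owns the token
$targetId     = "<SPN-Object-ID>"           # service principal being added
$pbiResource  = "https://analysis.windows.net/powerbi/api"

# 1. Request a token whose audience is the Power BI service.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -ContentType "application/x-www-form-urlencoded" `
    -Body @{ grant_type = "client_credentials"; client_id = $clientId
             client_secret = $clientSecret; resource = $pbiResource }).access_token

# 2. Decode the JWT payload (diagnostic only, no signature check) and inspect 'aud'.
function Get-JwtPayload([string]$Jwt) {
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $p = $p.PadRight($p.Length + (4 - $p.Length % 4) % 4, '=')
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}
$aud = (Get-JwtPayload $token).aud
if ($aud.TrimEnd('/') -ne $pbiResource) { throw "Token audience is '$aud', not Power BI" }

# 3. Confirm the caller is already Admin of the workspace.
$headers  = @{ Authorization = "Bearer $token" }
$usersUri = "https://api.powerbi.com/v1.0/myorg/groups/$workspaceId/users"
try { $users = (Invoke-RestMethod -Uri $usersUri -Headers $headers).value }
catch { throw "Caller cannot read workspace users (not a member?): $($_.Exception.Message)" }
$me = $users | Where-Object { $_.identifier -eq $callerId }
if ($me.groupUserAccessRight -ne "Admin") {
    throw "Caller role is '$($me.groupUserAccessRight)'; only Admin can add users"
}

# 4. Add the target with the lowest role that meets the need.
$body = @{ identifier = $targetId; principalType = "App"
           groupUserAccessRight = "Member" } | ConvertTo-Json
Invoke-RestMethod -Uri $usersUri -Method Post -Headers $headers `
    -ContentType "application/json" -Body $body
```

Each `throw` names the failed precondition, which separates a wrong-audience token from a missing workspace role when the API only answers 403.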