Reply
ericOnline
Post Patron
Post Patron

URL, Scope and Grant_type to use when creating a PBI REST API access_token?

‎02-25-2021 12:51 PM

Hello,

 

I have an app registered within Azure. I'm able to make a token request to login.microsoft.com and get a successful response and receive an access_token. 

However, when I try to use this access_token to access the PBI REST API, I get a Forbidden Status 403.

 

If I use an access_token based on my own credentials, I can access the API. 

 

What is the correct URL, Scope and Grant_type to use when creating a PBI REST API access_token for a Service Principal? 

Labels:
Message 1 of 11
18,949 Views
10 REPLIES 10
ericOnline
Post Patron
Post Patron

‎05-10-2023 08:32 AM

Awesome, thank you! I can't find ANY documentation on the allowed scope values to send to "https://login.microsoftonline.com/xxxxxxx/oauth2/token". 

Message 11 of 11
12,217 Views
0
Dayspring
Regular Visitor

‎01-04-2023 11:44 PM

@ericOnline 

 

anyone, please help me with this, I've been stuck with the same error (403 forbidden). I have an app registered within Azure and even I can get the access token, but when I use the token to retrieve the datasets from API, it shows the above 403 error.

Message 7 of 11
14,665 Views
AmosHersch
Microsoft Employee
Microsoft Employee
In response to Dayspring

‎01-05-2023 02:26 AM

Hi @Dayspring 

Does your service principal have access to the workspace (through a security group or directly)?

Did you try to see the response body, sometimes it has additional info for the reason you get the error.

Message 8 of 11
14,657 Views
Dayspring
Regular Visitor
In response to AmosHersch

‎01-05-2023 10:46 PM

@AmosHersch 

 

How to provide access to the workspace and also please provide the list of scopes that I should use while authenticating, as of now, I'm using the below scopes.

 

openid

offline_access

Message 9 of 11
14,618 Views
AmosHersch
Microsoft Employee
Microsoft Employee
In response to Dayspring

‎01-08-2023 12:12 AM

@Dayspring each API has the list of required scopes, so it depends on which API you are using. You should follow the docs, for example: Reports - Get Reports In Group - REST API (Power BI Power BI REST APIs) | Microsoft Learn

 

For permissions you can either provide permissiong through Power BI portal as described here Roles in workspaces in Power BI - Power BI | Microsoft Learn or use an API to provide permissions Groups - Add Group User - REST API (Power BI Power BI REST APIs) | Microsoft Learn

Message 10 of 11
14,557 Views
ericOnline
Post Patron
Post Patron

‎03-01-2021 11:37 AM
I was able to dig through some Python examples to get more info (!) but still no success. 

Here is where I am: 

- Token server URL: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
- Header:  "Content-Type": "application/x-www-form-urlencoded"
- Body: grant_type=client_credentials&client_id=<client_id here>&client_secret=<URL_Encoded Client_secret here>&scope=https://analysis.windows.net/powerbi/api/.default
- Response: Status 200
{
  "token_type": "Bearer",
  "expires_in": 3599,
  "ext_expires_in": 3599,
  "access_token": "eyJ0e..."
}
 
However, when I try to use this token to access the PBI REST API, I get the following errors:

- Request URL: https://api.powerbi.com/v1.0/reports/<report_id here>/ExportTo
- Headers: 
{
  "Content-Type": "application/json",
  "Authorization": "Bearer <token from above response>"
}
- Body: 
{
  "format": "PNG"
}
- Response: Status 404; Not found
{
    "statusCode": 404,
    "headers": {
        "Date": "Mon, 01 Mar 2021 19:05:07 GMT",
        "Content-Length": "0"
    }
}
 
What is missing here?
Message 6 of 11
18,869 Views
V-lianl-msft
Community Support
Community Support

‎02-28-2021 06:22 PM

Hi @ericOnline ,

 

Please refer to this thread:

https://community.powerbi.com/t5/Developer/Power-BI-REST-API-gives-403-error-User-does-not-have-acce... 

 

Best Regards,
Liang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 2 of 11
18,882 Views
ericOnline
Post Patron
Post Patron
In response to V-lianl-msft

‎03-01-2021 10:03 AM

Thanks for the response, however the Service Principal is listed as "Admin" in both the Workspace and Dataset. What I need is: Which token URL, Grant_type and Scope to use when requesting a token based on Client_id and Client_secret. 

 

Please advise. 

Message 3 of 11
18,875 Views
KarenL7
Advocate IV
Advocate IV
In response to ericOnline

‎04-04-2023 12:56 AM

Hi @ericOnline

Was  your issue ever resolved?   

 

 

@V-lianl-msft  I have very similar issue  I have successfully brought back the token correctly now using a script provided by one of your team but I am now getting 

KarenL7_0-1680594547602.png

The only thing I am missing in my script is "Scope" as I am unsure what to use?

 

This is the post for reference

https://community.powerbi.com/t5/Desktop/Refreshable-Token-for-Admin-Rest-API/m-p/3152512#M1065083

 

This is the script I used from the above post

 

let //get token url = "https://login.microsoftonline.com/xxxxxxx/oauth2/token", GetJson = Web.Contents( url, [ Headers = [ Accept = "application/json", ContentType = "application/x-www-form-urlencoded" ], Content = Text.ToBinary( "grant_type=client_credentials& client_id=xxxxxxx& client_secret=xxxxxxx& scope=xxxxxx" ) ] ), token = Json.Document(GetJson)[access_token], //other api usage wiht above token Result = Web.Contents( "https://xxxxx.xxx.com", [ Headers = [ #"Content-Type" = "application/json", Authorization = "Bearer " + token, RelativePath = "/xxxxx/xxxxx" ] ] ) in Result

 

Do I need to add anything else to the script apart from the scope?

 

Thanks

 

Karen

 

Message 4 of 11
12,937 Views
bcoderra
New Member
In response to KarenL7

‎05-09-2023 09:36 PM

I struggled for a few days with the forbidden (403) error and it turned out that I had the App registration correct. What I needed to do was to call the scope correctly in get_token. I was passing ".default" and then I read a thread where it recommended to change it to 

"https://analysis.windows.net/powerbi/api/.default". In one application what I wanted Dataset.ReadWrite.All, I sent the required scope as 
"https://analysis.windows.net/powerbi/api/Dataset.ReadWrite.All". Apparently when you just send ".default" as scope Azure AD just looks for those scopes within Graph API. When you send the whole URL it gets you the right scope and my Forbidden error went away. 
 
Hope this helps!
Message 5 of 11
12,264 Views
avatar user

Helpful resources

Announcements
July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

July PBI25 Carousel

Power BI Monthly Update - July 2025

Check out the July 2025 Power BI update to learn about new features.

Join our Fabric User Panel

Join our Fabric User Panel

This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.

Stop
View All
Top Solution Authors (Last Month)
View All