- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
URL, Scope and Grant_type to use when creating a PBI REST API access_token?
Hello,
I have an app registered within Azure. I'm able to make a token request to login.microsoft.com and get a successful response and receive an access_token.
However, when I try to use this access_token to access the PBI REST API, I get a Forbidden Status 403.
If I use an access_token based on my own credentials, I can access the API.
What is the correct URL, Scope and Grant_type to use when creating a PBI REST API access_token for a Service Principal?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome, thank you! I can't find ANY documentation on the allowed scope values to send to "https://login.microsoftonline.com/xxxxxxx/oauth2/token".
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anyone, please help me with this, I've been stuck with the same error (403 forbidden). I have an app registered within Azure and even I can get the access token, but when I use the token to retrieve the datasets from API, it shows the above 403 error.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Dayspring
Does your service principal have access to the workspace (through a security group or directly)?
Did you try to see the response body, sometimes it has additional info for the reason you get the error.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to provide access to the workspace and also please provide the list of scopes that I should use while authenticating, as of now, I'm using the below scopes.
openid
offline_access
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Dayspring each API has the list of required scopes, so it depends on which API you are using. You should follow the docs, for example: Reports - Get Reports In Group - REST API (Power BI Power BI REST APIs) | Microsoft Learn
For permissions you can either provide permissiong through Power BI portal as described here Roles in workspaces in Power BI - Power BI | Microsoft Learn or use an API to provide permissions Groups - Add Group User - REST API (Power BI Power BI REST APIs) | Microsoft Learn
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ericOnline ,
Please refer to this thread:
Best Regards,
Liang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response, however the Service Principal is listed as "Admin" in both the Workspace and Dataset. What I need is: Which token URL, Grant_type and Scope to use when requesting a token based on Client_id and Client_secret.
Please advise.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ericOnline
Was your issue ever resolved?
@V-lianl-msft I have very similar issue I have successfully brought back the token correctly now using a script provided by one of your team but I am now getting
The only thing I am missing in my script is "Scope" as I am unsure what to use?
This is the post for reference
https://community.powerbi.com/t5/Desktop/Refreshable-Token-for-Admin-Rest-API/m-p/3152512#M1065083
This is the script I used from the above post
let //get token url = "https://login.microsoftonline.com/xxxxxxx/oauth2/token", GetJson = Web.Contents( url, [ Headers = [ Accept = "application/json", ContentType = "application/x-www-form-urlencoded" ], Content = Text.ToBinary( "grant_type=client_credentials& client_id=xxxxxxx& client_secret=xxxxxxx& scope=xxxxxx" ) ] ), token = Json.Document(GetJson)[access_token], //other api usage wiht above token Result = Web.Contents( "https://xxxxx.xxx.com", [ Headers = [ #"Content-Type" = "application/json", Authorization = "Bearer " + token, RelativePath = "/xxxxx/xxxxx" ] ] ) in Result
Do I need to add anything else to the script apart from the scope?
Thanks
Karen
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I struggled for a few days with the forbidden (403) error and it turned out that I had the App registration correct. What I needed to do was to call the scope correctly in get_token. I was passing ".default" and then I read a thread where it recommended to change it to

Helpful resources
Join our Fabric User Panel
This is your chance to engage directly with the engineering team behind Fabric and Power BI. Share your experiences and shape the future.
Power BI Monthly Update - June 2025
Check out the June 2025 Power BI update to learn about new features.

User | Count |
---|---|
11 | |
6 | |
5 | |
2 | |
2 |
User | Count |
---|---|
4 | |
3 | |
3 | |
3 | |
3 |